Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Administration Guide

Create a new Zero Trust Network Access (ZTNA) rule

A ZTNA rule is a proxy policy used to enforce access control. ZTNA tags or tag groups can be defined to enforce zero trust role-based access. Security profiles can be configured to protect this traffic.

Note

Before you can create ZTNA rules, ZTNA Rules must be enabled in the Display Options.

To configure a ZTNA rule:
  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Policy & Objects > Policy Packages.
  3. In the tree menu for the policy package in which you will be creating the new policy, select ZTNA Rules.
  4. Click Create New.
  5. Enter the following information:

    Option

    Description

    Name

    Enter a unique name for the policy. Each policy must have a unique name.

    Incoming Interface

    Click the field then select interfaces.

    Click the remove icon to remove interfaces.

    New objects can be created by clicking the Create New icon in the Object Selector frame. See Create a new object for more information.

    Source

    Select source addresses, address groups, virtual IPs, virtual IP groups, users, and user groups.

    ZTNA Tag

    Select the ZTNA tags and tag groups that are allowed access. See Zero Trust Network Access (ZTNA) objects.

    Match ZTNA Tags

    Select Any to match one or more tags or All to match all tags.

    ZTNA Server

    Select a ZTNA server. See Configuring a ZTNA server.

    Destination

    Select destination addresses, address groups, virtual IPs, and virtual IP groups.

    Schedule

    Select a one-time schedule, recurring schedule, or schedule group.

    Action

    Select an action for the policy to take: DENY or ACCEPT.

    Log Violation Traffic

    Turn violation logging on or off.

    Comments

    Add a description of the policy, such as its purpose, or the changes that have been made to it.

    Advanced Options

    Configure advanced options, see Advanced options below.

    For more information on advanced options, see the FortiOS CLI Reference.

    Change Note

    Add a description of the changes being made to the policy. This field is required.
  6. Click OK to create the policy. You can select to enable or disable the policy in the right-click menu. When disabled, a disabled icon will be displayed in the Seq.# column to the left of the number. By default, policies will be added to the bottom of the list, but above the implicit policy.
Advanced options

Option

Description

Default

block-notification

Enable or disable block notification.

disable

decrypted-traffic-mirror

Select a decrypted traffic mirror.

none

device-ownership

Enable or disable ownership enforcement at the policy level.

disable

disclaimer

Disable or select where to display the web proxy disclaimer.

disable

dlp-profile

Select an existing data leak prevention (DLP) profile.

none

dstaddr-negate

Enable to negate the destination IP address.

disable

dstintf

Select destination interfaces.

none

global-label

Enter a global label for this policy for use in the GUI.

none

internet-service

Enable or disable the use of internet services for this policy. If enabled, the destination address and service set in the policy are not used.

disable

internet-service-custom

Select a custom internet service.

none

internet-service-custom-group

Select a custom internet service group.

none

internet-service-group

Select an internet service group.

none

internet-service-name

Select an internet service.

none

internet-service-negate

Enable to negate the internet service set in the policy.

disable

label

Enter a VDOM-specific label for this policy for use in the GUI.

none

logtraffic-start

Enable or disable policy log traffic start.

disable

poolname

Select the IP pool object.

none

redirect-url

Set the URL to which users are redirected after seeing and accepting the disclaimer or authenticating.

none

replacemsg-override-group

Select the authentication message override group.

none

sctp-filter-profile

Select an existing SCTP filter profile.

none

service

Select services.

none

service-negate

Enable or disable negation of the service set in the policy.

disable

session-ttl

Enter a value for the session time-to-live (TTL), in seconds, from 300 to 604800, or type 0 for no limitation.

0

srcaddr-negate

Enable or disable negation of the source address.

disable

ssh-filter-profile

Select an SSH filter profile from the drop-down list.

None

ssh-policy-redirect

Enable or disable SSH policy redirect.

disable

transparent

Enable or disable connection using the client IP address.

disable

uuid

Enter the universally unique identifier (UUID). This value is automatically assigned but can be manually reset.

00000000-0000- 0000-0000- 000000000000

webcache

Enable or disable web cache (IPv4 only).

disable

webcache-https

Enable or disable the web cache for HTTPS (IPv4 only).

none

webproxy-forward-server

Select the webproxy forward server (IPv4 only).

none

webproxy-profile

Select the webproxy profile (IPv4 only).

none

Create a new Zero Trust Network Access (ZTNA) rule

A ZTNA rule is a proxy policy used to enforce access control. ZTNA tags or tag groups can be defined to enforce zero trust role-based access. Security profiles can be configured to protect this traffic.

Note

Before you can create ZTNA rules, ZTNA Rules must be enabled in the Display Options.

To configure a ZTNA rule:
  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Policy & Objects > Policy Packages.
  3. In the tree menu for the policy package in which you will be creating the new policy, select ZTNA Rules.
  4. Click Create New.
  5. Enter the following information:

    Option

    Description

    Name

    Enter a unique name for the policy. Each policy must have a unique name.

    Incoming Interface

    Click the field then select interfaces.

    Click the remove icon to remove interfaces.

    New objects can be created by clicking the Create New icon in the Object Selector frame. See Create a new object for more information.

    Source

    Select source addresses, address groups, virtual IPs, virtual IP groups, users, and user groups.

    ZTNA Tag

    Select the ZTNA tags and tag groups that are allowed access. See Zero Trust Network Access (ZTNA) objects.

    Match ZTNA Tags

    Select Any to match one or more tags or All to match all tags.

    ZTNA Server

    Select a ZTNA server. See Configuring a ZTNA server.

    Destination

    Select destination addresses, address groups, virtual IPs, and virtual IP groups.

    Schedule

    Select a one-time schedule, recurring schedule, or schedule group.

    Action

    Select an action for the policy to take: DENY or ACCEPT.

    Log Violation Traffic

    Turn violation logging on or off.

    Comments

    Add a description of the policy, such as its purpose, or the changes that have been made to it.

    Advanced Options

    Configure advanced options, see Advanced options below.

    For more information on advanced options, see the FortiOS CLI Reference.

    Change Note

    Add a description of the changes being made to the policy. This field is required.
  6. Click OK to create the policy. You can select to enable or disable the policy in the right-click menu. When disabled, a disabled icon will be displayed in the Seq.# column to the left of the number. By default, policies will be added to the bottom of the list, but above the implicit policy.
Advanced options

Option

Description

Default

block-notification

Enable or disable block notification.

disable

decrypted-traffic-mirror

Select a decrypted traffic mirror.

none

device-ownership

Enable or disable ownership enforcement at the policy level.

disable

disclaimer

Disable or select where to display the web proxy disclaimer.

disable

dlp-profile

Select an existing data leak prevention (DLP) profile.

none

dstaddr-negate

Enable to negate the destination IP address.

disable

dstintf

Select destination interfaces.

none

global-label

Enter a global label for this policy for use in the GUI.

none

internet-service

Enable or disable the use of internet services for this policy. If enabled, the destination address and service set in the policy are not used.

disable

internet-service-custom

Select a custom internet service.

none

internet-service-custom-group

Select a custom internet service group.

none

internet-service-group

Select an internet service group.

none

internet-service-name

Select an internet service.

none

internet-service-negate

Enable to negate the internet service set in the policy.

disable

label

Enter a VDOM-specific label for this policy for use in the GUI.

none

logtraffic-start

Enable or disable policy log traffic start.

disable

poolname

Select the IP pool object.

none

redirect-url

Set the URL to which users are redirected after seeing and accepting the disclaimer or authenticating.

none

replacemsg-override-group

Select the authentication message override group.

none

sctp-filter-profile

Select an existing SCTP filter profile.

none

service

Select services.

none

service-negate

Enable or disable negation of the service set in the policy.

disable

session-ttl

Enter a value for the session time-to-live (TTL), in seconds, from 300 to 604800, or type 0 for no limitation.

0

srcaddr-negate

Enable or disable negation of the source address.

disable

ssh-filter-profile

Select an SSH filter profile from the drop-down list.

None

ssh-policy-redirect

Enable or disable SSH policy redirect.

disable

transparent

Enable or disable connection using the client IP address.

disable

uuid

Enter the universally unique identifier (UUID). This value is automatically assigned but can be manually reset.

00000000-0000- 0000-0000- 000000000000

webcache

Enable or disable web cache (IPv4 only).

disable

webcache-https

Enable or disable the web cache for HTTPS (IPv4 only).

none

webproxy-forward-server

Select the webproxy forward server (IPv4 only).

none

webproxy-profile

Select the webproxy profile (IPv4 only).

none