ZTNA HTTPS access proxy with basic authentication example
This example expands on the previous example (ZTNA HTTPS access proxy example) by adding LDAP authentication to the ZTNA rule. A user is allowed through only after passing three checks: the client certificate check, user authentication against LDAP, and the endpoint security posture check.
Users in the AD security group Remote-Allowed are allowed access through the access proxy. Users that are not members of this group are denied.
This example assumes that the FortiProxy EMS fabric connector is already successfully connected.
LDAP/Active Directory users and groups:
- Domain: qa.domaintest.local
- Users (groups):
  - userb (Domain Users, Remote-Allowed)
  - userc (Domain Users)
This example uses two Zero Trust tags: the built-in Low tag used in the ZTNA HTTPS access proxy example, and the Malicious-File-Detected tag, which you will create below.
To configure the Malicious-File-Detected tag on the FortiClient EMS:
1. Log in to the FortiClient EMS.
2. Go to Zero Trust Tags > Zero Trust Tagging Rules, and click Add.
3. In the Name field, enter Malicious-File-Detected.
4. In the Tag Endpoint As dropdown list, select Malicious-File-Detected.
   EMS uses this tag to dynamically group together endpoints that satisfy this rule, as well as any other rules that are configured to use the same tag.
5. Click Add Rule, then configure the rule:
   a. For OS, select Windows.
   b. From the Rule Type dropdown list, select File and click the + button.
   c. Enter a file name, such as C:\virus.txt.
6. Click Save.
While that file exists on an endpoint, FortiClient reports it to EMS and EMS applies the tag; deleting the file clears the tag on a subsequent telemetry update. This is what makes the tag usable for testing the deny rule later in this example.
To configure the connection to the LDAP server in the GUI:
1. Go to User & Authentication > LDAP Servers and click Create New.
2. Configure the following settings:
   Name: LDAP-QA
   Server IP/Name: 10.120.1.120
   Server Port: 389
   Common Name Identifier: cn
   Distinguished Name: dc=qa,dc=domaintest,dc=local
   Exchange server: Disabled
   Bind Type: Regular
   Username and Password: the credentials of the account used for LDAP binding and lookup
   Secure Connection: Disabled
   With Secure Connection disabled, the bind credentials and every user's password travel in cleartext between the FortiProxy and the domain controller on port 389. That is acceptable only on an isolated lab network; in production enable Secure Connection (LDAPS on port 636, or STARTTLS) and use a dedicated, read-only bind account.
3. Click Test Connectivity to verify the connection to the server.
4. Click OK.
To configure the connection to the LDAP server in the CLI (the server name is case-sensitive and must match the LDAP-QA name that the user group and authentication scheme reference):
config user ldap
    edit "LDAP-QA"
        set server "10.120.1.120"
        set cnid "cn"
        set dn "dc=qa,dc=domaintest,dc=local"
        set type regular
        set username <username>
        set password <password>
    next
end
To configure a remote user group from the LDAP server in the GUI:
1. Go to User & Authentication > User Groups and click Create New.
2. Set the name to LDAP-Remote-Allowed-Group.
3. Set Type to Firewall.
4. In the Remote Groups table, click Add:
   a. Set Remote Server to LDAP-QA.
   b. Locate the Remote-Allowed group, right-click it, and click Add Selected.
   c. Click OK.
5. Click OK.
To configure a remote user group from the LDAP server in the CLI:
config user group
    edit "LDAP-Remote-Allowed-Group"
        set member "LDAP-QA"
        config match
            edit 1
                set server-name "LDAP-QA"
                set group-name "CN=Remote-Allowed,CN=Users,DC=qa,DC=domaintest,DC=local"
            next
        end
    next
end
The group-name is the full distinguished name of the AD group, which must be the same group (Remote-Allowed) selected in the GUI procedure. The DN shown assumes the group lives in the default Users container; check the exact DN in the GUI group browser or with an LDAP query, because a DN that does not match returns no group for any user and every login then falls through to the implicit deny.
Authentication scheme and rules
After the LDAP server and user group have been configured, an authentication scheme and an authentication rule must be configured.
To configure authentication schemes and rules in the GUI, first go to System > Feature Visibility and enable Explicit Proxy; otherwise the Policy & Objects > Authentication Rules page is not shown.
Authentication scheme
The authentication scheme defines the method of authentication that is applied. In this example, basic HTTP authentication is used, so users are prompted for a username and password the first time they connect to a website through the HTTPS access proxy. Basic authentication only base64-encodes the credentials; it is acceptable here because the browser's connection to the access proxy is TLS, and the browser reuses the cached credentials for subsequent requests until the authentication entry expires or the user is deauthenticated.
To configure an authentication scheme in the GUI:
1. Go to Policy & Objects > Authentication Rules and click Create New > Authentication Scheme.
2. Set the name to ZTNA-Auth-scheme.
3. Set Method to Basic.
4. Set User database to LDAP-QA.
5. Click OK.
To configure an authentication scheme in the CLI:
config authentication scheme
    edit "ZTNA-Auth-scheme"
        set method basic
        set user-database "LDAP-QA"
    next
end
Authentication rule
The authentication rule defines the proxy sources and destination that require authentication, and what authentication scheme is applied. In this example, active authentication through the basic HTTP prompt is used and applied to all sources.
To configure an authentication rule in the GUI:
1. Go to Policy & Objects > Authentication Rules and click Create New > Authentication Rule.
2. Set the name to ZTNA-Auth-rule.
3. Set Source Address to all.
4. Set Protocol to HTTP.
5. Enable Authentication Scheme and select ZTNA-Auth-scheme.
6. Click OK.
To configure an authentication rule in the CLI:
config authentication rule
    edit "ZTNA-Auth-rule"
        set srcaddr "all"
        set dstaddr "all"
        set active-auth-method "ZTNA-Auth-scheme"
    next
end
Applying the user group to a ZTNA rule
To control user access with a ZTNA rule, apply a user or user group to that rule. The user authenticated through the authentication scheme and rule must then match the user or user group on the ZTNA rule; a user who authenticates successfully but is not in any matching group matches no rule and is denied.
In this example, the user group is applied to the two ZTNA rules: one is the ZTNA-Allow-Simple rule configured in ZTNA HTTPS access proxy example and the other is the ZTNA-Deny-malicious rule which you will create below.
To configure the ZTNA rules to allow or deny traffic based on user groups in the GUI:
1. Go to Policy & Objects > ZTNA.
2. Create the ZTNA-Deny-malicious rule to deny traffic based on user groups:
   a. Click Create New.
   b. Set Name to ZTNA-Deny-malicious.
   c. Set Incoming Interface to port3.
   d. Click in the Source field, select the User tab, select the LDAP-Remote-Denied-Group group, then click Close.
      This user group is not created earlier in this example; create it the same way as LDAP-Remote-Allowed-Group, mapped to the AD group whose members should be denied, before referencing it here.
   e. Add the ZTNA (posture) tag Malicious-File-Detected.
      This tag was retrieved dynamically from EMS when you created the Zero Trust Tagging Rule.
   f. Select the ZTNA server ZTNA-webserver.
   g. Set Action to Deny, and configure the remaining options as needed.
   h. Click OK.
3. Edit the ZTNA-Allow-Simple rule to allow traffic based on user groups:
   a. Edit the ZTNA-Allow-Simple rule.
   b. Click in the Source field, select the User tab, select the LDAP-Remote-Allowed-Group group, then click Close.
   c. Click OK.
4. Make sure ZTNA-Deny-malicious is listed above ZTNA-Allow-Simple. ZTNA rules are matched from the top and the first match wins, so if the deny rule sits below the allow rule, a user who is a member of both AD groups is allowed even when the endpoint carries the Malicious-File-Detected tag.
To apply a user group to the ZTNA rules in the CLI:
config firewall policy
    edit 0
        set name "ZTNA-Deny-malicious"
        set type access-proxy
        set srcintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set access-proxy "httpserver"
        set ztna-ems-tag "EMS1_ZTNA_Malicious-File-Detected"
        set logtraffic all
        set logtraffic-start enable
        set log-http-transaction all
        set extended-log enable
        set groups "LDAP-Remote-Denied-Group"
    next
    edit 1
        set name "ZTNA-Allow-Simple"
        set type access-proxy
        set srcintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set access-proxy "httpserver"
        set ztna-ems-tag "EMS1_CLASS_Low"
        set logtraffic all
        set logtraffic-start enable
        set log-http-transaction all
        set extended-log enable
        set groups "LDAP-Remote-Allowed-Group"
        set ssl-ssh-profile "deep-inspection"
    next
end
Three points about this listing. The deny rule uses set action deny; an accept action on a rule named ZTNA-Deny-malicious would grant access to exactly the endpoints it is meant to block. The ztna-ems-tag value is the firewall address name that EMS tags are imported under (EMS1_ZTNA_Malicious-File-Detected for the tag created above, and EMS1_CLASS_Low for the built-in Low tag), as listed by diagnose test app fcnacd 7 in the verification section; the bare tag name does not resolve. Finally, edit 0 assigns the next free policy ID and appends the rule at the bottom of the table, so when ZTNA-Allow-Simple already exists, move the new rule above it (inside config firewall policy, move <new-id> before 1) or reorder it in the GUI; otherwise the deny rule is never reached for a user who matches the allow rule.
For configuration examples of ZTNA rules, see Configure a ZTNA rule.
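The following Python model, added here as an example and not part of FortiProxy or of this page's configuration, shows the top-down matching that the two rules above rely on. It reduces a proxied session to the user groups returned at authentication and the EMS tags present on the endpoint, evaluates the rule list in order, and treats no match as the implicit deny seen in scenario 2. Rule, group and tag names are the ones used in this example; the sessions (including a user that AD places in both groups) are constructed test data, and the rule lists show what happens when the deny rule sits above, or below, the allow rule.

```python
"""Top-down ZTNA rule matching, modelled in Python (added example, not FortiProxy code).

Assumptions (this is a simplification, not the FortiProxy engine): a rule matches
when its ZTNA tag is on the endpoint and, if the rule lists groups, the user is
in at least one of them; the first matching rule decides; no match is an implicit
deny, logged by FortiProxy as policyid=0 with the message below.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

IMPLICIT_DENY_MSG = "Traffic denied because of failed to match a proxy-policy"


@dataclass(frozen=True)
class ZtnaRule:
    name: str
    action: str                              # "accept" or "deny"
    ztna_ems_tag: str                        # firewall address name of the EMS tag
    groups: FrozenSet[str] = frozenset()     # empty means any authenticated user


@dataclass(frozen=True)
class Session:
    user: str
    groups: FrozenSet[str]                   # user groups matched at authentication
    endpoint_tags: FrozenSet[str]            # EMS tags currently on the endpoint


def first_match(rules: List[ZtnaRule], session: Session) -> Optional[ZtnaRule]:
    """Return the first rule the session matches, or None for implicit deny."""
    for rule in rules:
        if rule.ztna_ems_tag not in session.endpoint_tags:
            continue                          # posture check failed for this rule
        if rule.groups and not (rule.groups & session.groups):
            continue                          # user is not in any group on the rule
        return rule
    return None


def decide(rules: List[ZtnaRule], session: Session) -> Tuple[str, str]:
    """(action, reason): the matched rule's action and name, or the implicit deny."""
    rule = first_match(rules, session)
    if rule is None:
        return ("deny", IMPLICIT_DENY_MSG)
    return (rule.action, rule.name)


# The two rules of this example. DENY_FIRST is the intended order; ALLOW_FIRST is
# what you get when "edit 0" appends the deny rule below an existing allow rule.
DENY_MALICIOUS = ZtnaRule("ZTNA-Deny-malicious", "deny",
                          "EMS1_ZTNA_Malicious-File-Detected",
                          frozenset({"LDAP-Remote-Denied-Group"}))
ALLOW_SIMPLE = ZtnaRule("ZTNA-Allow-Simple", "accept",
                        "EMS1_CLASS_Low",
                        frozenset({"LDAP-Remote-Allowed-Group"}))
RULES_DENY_FIRST = [DENY_MALICIOUS, ALLOW_SIMPLE]
RULES_ALLOW_FIRST = [ALLOW_SIMPLE, DENY_MALICIOUS]

# Constructed sessions (test data, not taken from the page's logs).
LOW_ONLY = frozenset({"EMS1_CLASS_Low", "EMS1_ZTNA_all_registered_clients"})
LOW_AND_MALICIOUS = LOW_ONLY | {"EMS1_ZTNA_Malicious-File-Detected"}

USERB = Session("userb@qa.domaintest.local",
                frozenset({"LDAP-Remote-Allowed-Group"}), LOW_ONLY)
USERC = Session("userc@qa.domaintest.local", frozenset(), LOW_ONLY)
# Hypothetical user that AD places in both groups, on an endpoint holding the marker file.
BOTH_GROUPS_INFECTED = Session("userd@qa.domaintest.local",
                               frozenset({"LDAP-Remote-Allowed-Group",
                                          "LDAP-Remote-Denied-Group"}),
                               LOW_AND_MALICIOUS)

if __name__ == "__main__":
    for label, rules in (("deny first", RULES_DENY_FIRST),
                         ("allow first", RULES_ALLOW_FIRST)):
        for s in (USERB, USERC, BOTH_GROUPS_INFECTED):
            print(f"{label:11} {s.user:28} -> {decide(rules, s)}")
```

Running it shows userb accepted by ZTNA-Allow-Simple and userc falling through to the implicit deny in either order, while the user in both groups is denied only when ZTNA-Deny-malicious is evaluated first.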
Testing remote access to the HTTPS access proxy with user authentication
Scenario 1: access allowed - userb
1. On a remote Windows PC, open the FortiClient app, select the Zero Trust Telemetry tab, and confirm that you are connected to the EMS server.
   It is not necessary to configure a ZTNA Destination on the FortiClient for the HTTPS access proxy use case. In fact, configuring a ZTNA Destination rule for the website may interfere with its operation.
2. In a browser, enter the address of the server and the access port.
3. When the browser asks for the client certificate to use, select the EMS signed certificate, then click OK.
   The FortiProxy verifies the client certificate against EMS to identify the endpoint; the user is identified separately by the basic authentication prompt that follows.
4. When prompted, enter the username userb and the password, and click Sign in.
   Because userb is a member of the Remote-Allowed group in Active Directory, it matches the LDAP-Remote-Allowed-Group user group. After user authentication passes, the FortiProxy checks the endpoint's posture against the ZTNA tag on the rule. When that passes, access to the website is allowed.
Verifying the results
The authentication list shows userb authenticated from 10.100.1.33 and mapped to LDAP-Remote-Allowed-Group; the fcnacd cache shows the endpoint's EMS record and the firewall address names the EMS tags are imported under; the ZTNA traffic log shows the matched policy (policyid=1), the matched group, and the endpoint's tags (clientdevicetags).
# diagnose firewall auth list
10.100.1.33, userb@qa.domaintest.local
        type: fw, id: 0, duration: 143, idled: 143
        expire: 457, allow-idle: 600
        packets: in 0 out 0, bytes: in 0 out 0
        group_id: 2 group_name: LDAP-Remote-Allowed-Group

FPXVULTM24000082 # diagnose test app fcnacd 7
ZTNA Cache V2:
Entry #1:
 - UID: 70A5C5FABBE64A9B98B6DDA3FE8AC794
 - EMS Fabric ID: FCTEMS8823005021:00000000000000000000000000000000
 - Domain:
 - User: guodong
 - Owner:
 - Certificate SN: 42A4127A22FDB8D98B33CA1F0239BF50ED783B82
 - online: true
 - Routes (1):
 -- Route #0: IP=10.100.1.33, vfid=0
 - FWAddrNames (10):
 -- Name (#0): EMS1_ZTNA_disk-en
 -- Name (#1): MAC_EMS1_ZTNA_disk-en
 -- Name (#2): EMS1_ZTNA_Malicious-File-Detected
 -- Name (#3): MAC_EMS1_ZTNA_Malicious-File-Detected
 -- Name (#4): EMS1_CLASS_Low
 -- Name (#5): MAC_EMS1_CLASS_Low
 -- Name (#6): EMS1_ZTNA_all_registered_clients
 -- Name (#7): MAC_EMS1_ZTNA_all_registered_clients
 -- Name (#8): EMS1_ZTNA_anti-virus-ok
 -- Name (#9): MAC_EMS1_ZTNA_anti-virus-ok
lls_idx_mask = 0x00000001,

FPXVULTM24000082 # execute log filter category 0
FPXVULTM24000082 # execute log filter field subtype ztna
FPXVULTM24000082 # execute log display
1: date=2024-08-13 time=11:07:54 eventtime=1723572473800477245 tz="-0700" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.100.1.33 srcport=56417 srcintf="port1" srcintfrole="undefined" dstcountry="Reserved" srccountry="Reserved" dstip=10.120.1.78 dstport=443 dstintf="port1" dstintfrole="undefined" sessionid=2061742765 service="HTTPS" proxyapptype="http" proto=6 action="accept" policyid=1 policytype="proxy-policy" poluuid="286706fa-55b5-51ef-1b9a-e4ea291bae6a" trandisp="snat" transip=10.120.1.209 transport=26202 clientip=10.100.1.33 duration=176645 user="userb@qa.domaintest.local" group="LDAP-Remote-Allowed-Group" gatewayid=1 vip="httpsvip" accessproxy="httpserver" clientdeviceid="70A5C5FABBE64A9B98B6DDA3FE8AC794" clientdevicemanageable="manageable" clientdevicetags="MAC_EMS1_ZTNA_anti-virus-ok/EMS1_ZTNA_anti-virus-ok/MAC_EMS1_ZTNA_all_registered_clients/EMS1_ZTNA_all_registered_clients" emsconnection="online" wanin=9606 rcvdbyte=9606 wanout=2176 lanin=3059 sentbyte=3059 lanout=39375 fctuid="70A5C5FABBE64A9B98B6DDA3FE8AC794" appcat="unscanned" utmaction="allow"
Scenario 2: access denied - userc
1. If scenario 1 has just been tested, log in to the FortiProxy and deauthenticate the user:
   a. Go to Dashboard > Users & Devices and click the User Monitor widget to expand it.
   b. Select userb and click Deauthenticate.
   This is necessary because the authentication entry for userb is keyed to the source IP and stays valid until it expires or idles out (see the expire and allow-idle values in the diagnose firewall auth list output above), so a second login from the same PC would otherwise be treated as userb. The browser may also cache the basic credentials; use a new private window if the prompt does not reappear.
2. On a remote Windows PC, open the FortiClient app, select the Zero Trust Telemetry tab, and confirm that you are connected to the EMS server.
3. In a browser, enter the address webserver.ztnademo.com.
4. When the browser asks for the client certificate to use, select the EMS signed certificate, then click OK. This prompt might not appear if you already selected the certificate when testing scenario 1.
   The FortiProxy verifies the client certificate against EMS to identify the endpoint.
5. When prompted, enter the username userc and the password, and click Sign in.
   Because userc is not a member of the Remote-Allowed group in Active Directory, it does not match the LDAP-Remote-Allowed-Group user group. Because no other rule matches, the user is implicitly denied.
Verifying the results
Go to Dashboard > Users & Devices, click the User Monitor widget to expand it, and confirm that userc is listed as authenticated but with no user group. The ZTNA traffic log records the denial with policyid=0 (no rule matched) and no group field:
# execute log display
1: date=2024-08-13 time=11:12:11 eventtime=1723572731860519937 tz="-0700" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.100.1.33 srcport=56425 srcintf="port1" srcintfrole="undefined" dstcountry="Reserved" srccountry="Reserved" dstip=10.1.1.14 dstport=9443 dstintf="port1" dstintfrole="undefined" sessionid=2061742766 service="tcp/9443" proxyapptype="http" proto=6 action="deny" policyid=0 policytype="proxy-policy" trandisp="snat" transip=10.120.1.209 transport=0 clientip=10.100.1.33 duration=6269 user="userc@qa.domaintest.local" vip="httpsvip" accessproxy="httpserver" clientdeviceid="70A5C5FABBE64A9B98B6DDA3FE8AC794" clientdevicemanageable="manageable" clientdevicetags="MAC_EMS1_ZTNA_anti-virus-ok/EMS1_ZTNA_anti-virus-ok/MAC_EMS1_ZTNA_all_registered_clients/EMS1_ZTNA_all_registered_clients" emsconnection="online" msg="Traffic denied because of failed to match a proxy-policy" wanin=0 rcvdbyte=0 wanout=0 lanin=2805 sentbyte=2805 lanout=61620 fctuid="70A5C5FABBE64A9B98B6DDA3FE8AC794" appcat="unscanned" crscore=30 craction=131072 crlevel="high"
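The two ZTNA traffic records above (scenario 1 accept and scenario 2 deny) are what you end up reading when a user reports being blocked, so a parser that turns them into the facts behind the decision is worth having. The Python below is an added example, not FortiProxy code or part of this page's configuration. It splits FortiOS-style key=value records (quoted values may contain spaces and slashes), pulls out the user, the matched group, the policy ID, the EMS connection state and the endpoint tags, and flags the policyid=0 implicit deny. The sample records are the page's own log lines trimmed to the fields the parser uses; the field names are the ones that appear in those lines.

```python
"""Parse FortiProxy ZTNA traffic logs and explain each decision (added example, not FortiProxy code).

FortiOS-style logs are one record per line of key=value pairs; values containing
spaces or slashes are double-quoted. SAMPLE_LOGS holds the accept and deny
records from this example's verification output, trimmed to the relevant fields.
"""
import re
from typing import Dict, List

# key=value where the value is either double-quoted or a run of non-space characters
_PAIR = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

SAMPLE_LOGS = [
    # scenario 1: userb, matched policy 1
    'date=2024-08-13 time=11:07:54 logid="0005000024" type="traffic" subtype="ztna" '
    'level="notice" srcip=10.100.1.33 srcport=56417 dstip=10.120.1.78 dstport=443 '
    'service="HTTPS" action="accept" policyid=1 policytype="proxy-policy" '
    'user="userb@qa.domaintest.local" group="LDAP-Remote-Allowed-Group" '
    'accessproxy="httpserver" clientdeviceid="70A5C5FABBE64A9B98B6DDA3FE8AC794" '
    'clientdevicemanageable="manageable" '
    'clientdevicetags="MAC_EMS1_ZTNA_anti-virus-ok/EMS1_ZTNA_anti-virus-ok/'
    'MAC_EMS1_ZTNA_all_registered_clients/EMS1_ZTNA_all_registered_clients" '
    'emsconnection="online" utmaction="allow"',
    # scenario 2: userc, no matching proxy policy
    'date=2024-08-13 time=11:12:11 logid="0005000024" type="traffic" subtype="ztna" '
    'level="notice" srcip=10.100.1.33 srcport=56425 dstip=10.1.1.14 dstport=9443 '
    'service="tcp/9443" action="deny" policyid=0 policytype="proxy-policy" '
    'user="userc@qa.domaintest.local" accessproxy="httpserver" '
    'clientdeviceid="70A5C5FABBE64A9B98B6DDA3FE8AC794" clientdevicemanageable="manageable" '
    'clientdevicetags="MAC_EMS1_ZTNA_anti-virus-ok/EMS1_ZTNA_anti-virus-ok/'
    'MAC_EMS1_ZTNA_all_registered_clients/EMS1_ZTNA_all_registered_clients" '
    'emsconnection="online" msg="Traffic denied because of failed to match a proxy-policy" '
    'crscore=30 crlevel="high"',
]


def parse_fortilog(line: str) -> Dict[str, str]:
    """Split one log record into a dict; quoted values are returned without quotes."""
    fields: Dict[str, str] = {}
    for m in _PAIR.finditer(line):
        key, quoted, bare = m.group(1), m.group(3), m.group(4)
        fields[key] = quoted if quoted is not None else bare
    return fields


def explain_ztna(rec: Dict[str, str]) -> Dict[str, object]:
    """Reduce a ZTNA traffic record to the facts behind the allow/deny decision."""
    tags = rec.get("clientdevicetags", "")
    return {
        "user": rec.get("user"),
        "group": rec.get("group"),            # absent when no user group matched
        "action": rec.get("action"),
        "policyid": int(rec.get("policyid", "0")),
        # policyid=0 with action=deny is the implicit deny: no ZTNA rule matched
        "implicit_deny": rec.get("action") == "deny" and rec.get("policyid") == "0",
        "device_managed": rec.get("clientdevicemanageable") == "manageable",
        "ems_online": rec.get("emsconnection") == "online",
        # EMS tags on the endpoint; the MAC_ prefixed entries duplicate the IP-based ones
        "tags": [t for t in tags.split("/") if t and not t.startswith("MAC_")],
        "msg": rec.get("msg"),
    }


def ztna_denials(lines: List[str]) -> List[Dict[str, object]]:
    """Return the explained records whose subtype is ztna and whose action is deny."""
    out = []
    for line in lines:
        rec = parse_fortilog(line)
        if rec.get("subtype") == "ztna" and rec.get("action") == "deny":
            out.append(explain_ztna(rec))
    return out


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(explain_ztna(parse_fortilog(line)))
```

For a blocked user the output answers the first three questions in order: did EMS see the device (device_managed, ems_online), did LDAP return a group (group is None for userc), and did any rule match (implicit_deny). Feed it the output of execute log display or a FortiAnalyzer export to triage in bulk.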