New options for certificate validation and FortiClient EMS tag matching
This information is also available in the FortiProxy 7.6 Administration Guide.
FortiProxy now supports client certificate validation and FortiClient EMS tag matching in explicit proxy to improve user experience and security. In addition, the authentication rule can now cache the client certificate as an authentication cookie to eliminate the need for repeated authentication.
New options are available under config firewall access-proxy
to instruct the client to provide its certificate to the explicit web-proxy policy:

    config firewall access-proxy
        edit "httpsviptest"
            set client-cert enable
            set user-agent-detect enable
            set empty-cert-action block
        next
    end

set client-cert {enable | disable}
    Enable or disable requesting a client certificate from the endpoint.

set empty-cert-action {accept | block | accept-unmanageable}
    Specify how to handle the SSL handshake when the client presents an empty certificate. With block (used in the examples below), an endpoint that presents no certificate is denied access.

set user-agent-detect {enable | disable}
    Enable or disable detecting the device type from the HTTP User-Agent header when no client certificate is provided.
New options are available under config firewall policy
to match FortiClient EMS tags:

    config firewall policy
        edit <id>
            set type access-proxy
            set ztna-ems-tag <string>
            set ztna-tags-match-logic {or | and}
        next
    end

set ztna-ems-tag <string>
    Specify the names of the FortiClient EMS tags to match.

set ztna-tags-match-logic {or | and}
    Specify the logic to use for matching FortiClient EMS tags: with or, the endpoint matches when it carries any one of the listed tags; with and, it must carry all of them.
A new option is available under config authentication rule
to cache the client certificate as an authentication cookie:

    config authentication rule
        edit <name>
            set ip-based disable
            set cert-auth-cookie {enable | disable}
        next
    end

set cert-auth-cookie {enable | disable}
    Enable or disable using the device certificate as an authentication cookie (default = enable).
Example 1: client certificates with explicit web proxy policies
In this example, a CA signs a client certificate. The client certificate is installed on an endpoint, and the root CA is imported to FortiProxy. A web proxy policy is configured to require the client certificate.
When the user accesses a web site, the explicit web proxy policy uses the client certificate from the endpoint device to authenticate the user and grant access to the web site.
See Explicit Proxy for more information.
To configure client certificates with explicit proxies:
- Prepare the certificate:
  - Use a CA to sign the client certificate.
  - Import the root CA certificate that signed the client certificate to FortiProxy. In this scenario, the CA certificate is Fortinet_CA_SSL; Fortinet_SSL is the server certificate that the secure web proxy presents to clients.
  - Install the client certificate on an endpoint.
- Configure the explicit web proxy and the access proxy so that the client certificate is requested from the endpoint, and an endpoint that presents no certificate is blocked (empty-cert-action block).

    config web-proxy explicit-proxy
        edit "web-proxy"
            set status enable
            set interface "any"
            set secure-web-proxy enable
            set http-incoming-port 8080
            set secure-web-proxy-cert "Fortinet_SSL"
        next
    end

    config firewall access-proxy
        edit "httpsvip"
            set vip "httpsvip"
            set client-cert enable
            set empty-cert-action block
            config api-gateway
                edit 1
                    config realservers
                        edit 1
                            set ip 10.100.1.78
                        next
                    end
                next
            end
        next
    end

- Configure verification of the client certificate against the Fortinet_CA_SSL CA.

    config authentication setting
        set user-cert-ca "Fortinet_CA_SSL"
    end
When the user accesses a web site:
- FortiProxy requests client certificate authentication, and the web browser displays the available certificates. The user selects a client certificate and clicks OK.
- Once the client certificate is successfully verified against the root CA certificate imported on FortiProxy, access to the web site is granted.
When the endpoint device fails to present a client certificate, a message is displayed, and access to the web site is blocked.
Example 2: use EMS tags with explicit proxy policies
In this example, FortiClient is installed on the endpoint. When FortiClient registers to FortiClient EMS, it receives the client certificate and zero-trust tagging rules from EMS. On FortiProxy, an explicit proxy policy is configured with the required Zero Trust tags necessary to pass the security posture check.
When the user accesses a web site, the user must pass the client certificate check, and FortiClient must present all the Zero Trust tags required by the explicit proxy policy for the user to pass authentication, pass security posture checks, and access the web site.
To configure EMS tags with explicit proxy policies:
- Use FortiClient EMS to prepare the client certificate and zero-trust tags.
- Install FortiClient on all endpoints, and register FortiClient to FortiClient EMS. The client certificate is downloaded to each endpoint.
  On the endpoint, zero-trust tags are applied based on the Zero Trust tagging rules. Users can open FortiClient to view all Zero Trust tags.
- In FortiProxy, configure the explicit proxy policy to match FortiClient EMS tags.
  In this example, several Zero Trust tags are set, and the matching logic requires all tags to be matched to grant the endpoint access.

    config firewall policy
        edit 1
            set type access-proxy
            set ztna-ems-tag "EMS1_ZTNA_ems26-win10" "EMS1_ZTNA_ems26-Malicious-File-Detected" "EMS1_ZTNA_ems26_Anti_Virus"
            set ztna-tags-match-logic and
        next
    end
When the user accesses a web site:
- FortiClient on the endpoint device presents a client certificate to FortiProxy, and the web browser displays the certificate to the user.
- The user selects the FortiClient certificate and clicks OK. When the FortiClient certificate is selected, and all zero-trust tags are present in FortiClient on the endpoint, the user can successfully access the web site.
When FortiClient on the endpoint lacks any of the required zero-trust tags, a message is displayed, and access to the web site is denied.
Example 3: cached client certificates as authentication cookies
In this example, a CA signs a client certificate. The client certificate is installed on two endpoints, and the root CA certificate is imported to FortiProxy.
When a user first accesses a website, the user must select a client certificate for client certificate check. During the authentication process, the client certificate from the endpoint is verified against the CA certificate. Once this verification is successful, the user is prompted to enter login credentials for user authentication. Once authenticated, the client certificate is stored as an authentication cookie so that subsequent access does not require any user authentication as long as the client certificate remains present on the endpoint.
To configure client certificates as authentication cookies:
- Prepare the certificate:
  - Use a CA to sign the client certificate.
  - Import the root CA certificate that signed the client certificate to FortiProxy.
  - Install the client certificate on all endpoints.
- In FortiProxy, configure an authentication scheme that authenticates against the local user database.

    config authentication scheme
        edit "test-ztna-basic"
            set method basic
            set user-database "local-user-db"
        next
    end

- Configure an authentication rule that caches the client certificate as the authentication cookie.

    config authentication rule
        edit "test-ztna-rules"
            set srcaddr "all"
            set ip-based disable
            set active-auth-method "test-ztna-basic"
            set cert-auth-cookie enable
        next
    end

- Configure verification of the client certificate against the root CA.

    config authentication setting
        set user-cert-ca "Fortinet_CA_SSL"
    end
When the user accesses a resource, such as a web site, for the first time:
- The browser prompts the user for a client certificate. The user selects the certificate and clicks OK. The endpoint device then presents the client certificate to FortiProxy for verification.
- Once the certificate verification passes, an authentication dialog box is displayed.
- The user enters their username and password to authenticate with FortiProxy and successfully access the web site.
FortiProxy also logs the first access in the traffic log:
date=2024-09-24 time=10:51:14 eventtime=1727200273867863612 tz="-0700" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.120.1.33 srcport=65460 srcintf="port1" srcintfrole="undefined" dstcountry="Reserved" srccountry="Reserved" dstip=10.1.1.25 dstport=8443 dstintf="port1" dstintfrole="undefined" sessionid=187004326 service="tcp/8443" proxyapptype="http" proto=6 action="accept" policyid=2 policytype="proxy-policy" poluuid="a98f9846-6f96-51ef-ceb1-1a3cf607c973" policyname="httptest" trandisp="snat" transip=10.120.1.209 transport=0 clientip=10.120.1.33 duration=0 vip="httpsvip" accessproxy="httpsvip" clientdevicemanageable="unknown" clientcert="yes" wanin=0 rcvdbyte=0 wanout=0 lanin=653 sentbyte=653 lanout=1930 fctuid="70A5C5FABBE64A9B98B6DDA3FE8AC794" unauthuser="usera" unauthusersource="forticlient" srcremote=207.102.138.19 appcat="unscanned"
When the user accesses the resource from the same endpoint device for the second and subsequent times, FortiProxy uses the cached authentication cookie to grant access, as long as the client certificate remains present on the endpoint.
When the user has multiple endpoint devices with the same certificate installed, the certificate matches the cached authentication cookie on FortiProxy, and the user can access resources from any of those devices without additional authentication. The cached cookie is therefore bound to the certificate, not to the endpoint: any device that can present that certificate and its private key inherits the cached authentication, so the private key must be protected accordingly. Where that trade-off is not acceptable, leave cert-auth-cookie disabled so that the credential prompt is repeated on each new device.
This log shows the same user accessing the web site from a different PC (source IP 10.120.1.35, versus 10.120.1.33 in the first log) without being prompted for user credentials; note the same unauthuser and clientcert="yes" values.
date=2024-09-24 time=10:56:51 eventtime=1727200611445887844 tz="-0700" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.120.1.35 srcport=49153 srcintf="port1" srcintfrole="undefined" dstcountry="Reserved" srccountry="Reserved" dstip=10.1.1.25 dstport=8443 dstintf="port1" dstintfrole="undefined" sessionid=187004406 service="tcp/8443" proxyapptype="http" proto=6 action="accept" policyid=2 policytype="proxy-policy" poluuid="a98f9846-6f96-51ef-ceb1-1a3cf607c973" policyname="httptest" trandisp="snat" transip=10.120.1.209 transport=0 clientip=10.120.1.35 duration=0 vip="httpsvip" accessproxy="httpsvip" clientdevicemanageable="unknown" clientcert="yes" wanin=0 rcvdbyte=0 wanout=0 lanin=653 sentbyte=653 lanout=1930 fctuid="70A5C5FABBE64A9B98B6DDA3FE8AC794" unauthuser="usera" unauthusersource="forticlient" srcremote=207.102.138.19 appcat="unscanned"
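Because the cached cookie follows the certificate rather than the device, the two traffic logs above are the trace a defender should be watching for: one certificate-authenticated user, two source IPs, no credential prompt on the second. The script below is an added example, not part of the FortiProxy guide: it parses FortiProxy ztna traffic log lines (the key=value format shown above) and reports every certificate-authenticated user (clientcert="yes") whose sessions arrive from more than one source IP. The sample input is constructed from the page's two log lines, abbreviated to the relevant fields, plus two extra constructed lines (a second user seen from one IP, and a session without a client certificate) that must not be reported.

```shell
#!/bin/sh
# Added example (not from the FortiProxy guide): audit FortiProxy ztna traffic
# logs for certificate-authenticated users seen from more than one source IP.
set -eu

# Extract one key's value from a key=value log line (works for any key that is
# preceded by a space, i.e. every key except the first); quoted values are unquoted.
# Usage: log_field <key> "<log line>"
log_field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# Read log lines on stdin and print "<user> <distinct source IP count>" for
# every user whose certificate-authenticated sessions came from more than one
# source IP. Sessions without a client certificate are ignored: those still
# had to pass the credential prompt and are not cookie re-use.
cert_reuse_report() {
    while IFS= read -r line; do
        [ "$(log_field clientcert "$line")" = "yes" ] || continue
        user=$(log_field unauthuser "$line")
        ip=$(log_field srcip "$line")
        [ -n "$user" ] && [ -n "$ip" ] || continue
        printf '%s %s\n' "$user" "$ip"
    done | sort -u | awk '{ n[$1]++ } END { for (u in n) if (n[u] > 1) print u, n[u] }' | sort
}

# Constructed sample input: the page's two traffic logs reduced to the fields
# used here, plus a second user from a single IP and a no-certificate session.
sample_logs() {
    cat <<'EOF'
date=2024-09-24 time=10:51:14 type="traffic" subtype="ztna" srcip=10.120.1.33 srcport=65460 dstip=10.1.1.25 dstport=8443 action="accept" policyname="httptest" vip="httpsvip" clientcert="yes" unauthuser="usera" unauthusersource="forticlient"
date=2024-09-24 time=10:56:51 type="traffic" subtype="ztna" srcip=10.120.1.35 srcport=49153 dstip=10.1.1.25 dstport=8443 action="accept" policyname="httptest" vip="httpsvip" clientcert="yes" unauthuser="usera" unauthusersource="forticlient"
date=2024-09-24 time=11:02:07 type="traffic" subtype="ztna" srcip=10.120.1.40 srcport=51000 dstip=10.1.1.25 dstport=8443 action="accept" policyname="httptest" vip="httpsvip" clientcert="yes" unauthuser="userb" unauthusersource="forticlient"
date=2024-09-24 time=11:03:19 type="traffic" subtype="ztna" srcip=10.120.1.41 srcport=51020 dstip=10.1.1.25 dstport=8443 action="accept" policyname="httptest" vip="httpsvip" clientcert="no" unauthuser="usera" unauthusersource="forticlient"
EOF
}

# Usage: pipe exported traffic logs in, e.g.  sample_logs | cert_reuse_report
# Expected on the sample: "usera 2" (userb is seen from one IP; the
# clientcert="no" session is excluded).
```

On real exports, feed the raw lines in place of sample_logs. A user appearing with two or three IPs is the legitimate multi-device case the page describes; the same user fanning out to many IPs, or an IP outside the expected client ranges, is the signal that a client certificate and its private key have been copied somewhere they should not be, and the response is to revoke that certificate at the CA and re-issue rather than to chase the cookie.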