FortiGate NGFW to FortiSASE SPA Hub Conversion Deployment Guide

Configuring dynamic private access policies using ZTNA tags

This example demonstrates how to configure dynamic private access policies using the zero trust network access tags that you created in Configuring ZTNA rule sets to dynamically tag agent-based remote users to allow endpoints tagged as SASE-Compliant with access to selected private resources and to deny access to selected private resources for endpoints tagged as SASE-Non-Compliant.

To configure a dynamic private access policy for compliant endpoints:
  1. Go to Configuration > Policies.
  2. Select Private Access to display the list of private access policies.
  3. Click Create.
  4. Configure the policy:
    1. For Name, enter Allow-SASE-Compliant.
    2. For Source Scope, select VPN Users.
    3. In the Source field, select Specify and click +. From the Select Entries panel, under ZTNA Tag > Private Access, select the SASE-Compliant tag.
    4. For Destination, select Specify, click +, and in the Select Entries panel click +Create and click IPv4 Host to create a new host for the specific server as follows:
      1. For Location, select Private Access Hub.
      2. For Category, IPv4 Host is selected.
      3. In the Name field, enter the desired name. In this example, the name is PrivateServer.
      4. From the Type dropdown list, select Subnet.
      5. In the IP/Netmask field, enter 10.100.99.101/32.
      6. Click OK.

        Select the newly created host to set it as the Destination.

    5. For Service, click + and from the Select Entries panel select ALL.
    6. For Action, select Accept.
    7. For Status, select Enable.
  5. Click OK.

  6. In Configuration > Policies with Private Access selected, ensure that you order the policies so that the Allow-SASE-Compliant policy is before the Allow-All Private Traffic policy. With this ordering of policies, FortiSASE allows endpoints that match the dynamic policy access to the specific private server.
To configure a dynamic private access policy for non-compliant endpoints:
  1. Go to Configuration > Policies.
  2. Select Private Access to display the list of private access policies.
  3. Click Create.
  4. Configure the policy:
    1. For Name, enter Deny-SASE-Non-Compliant.
    2. For Source Scope, select VPN Users.
    3. In the Source field, select Specify and click +. From the Select Entries panel, under ZTNA Tag > Private Access, select the SASE-Non-Compliant tag.
    4. For Destination, select Private Access Traffic.
    5. For Service, click + and from the Select Entries panel select ALL.
    6. For Action, select Deny.
    7. For Status, select Enable.
  5. Click OK.
  6. In Configuration > Policies with Private Access selected, ensure that you order the policies so that the Deny-SASE-Non-Compliant policy is before the Allow-SASE-Compliant policy. With this ordering of policies, FortiSASE denies endpoints that match the dynamic policy access to the specific private server.
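The ordering steps in both procedures above, as an added example (not Fortinet's code and not how FortiSASE is implemented): a small Python model of top-down, first-match policy evaluation over the three policies this page names, assuming that evaluation order, that the Allow-All Private Traffic policy is a catch-all with destination Private Access Traffic, and that the PrivateServer host 10.100.99.101/32 is the destination. It shows why the deny policy must sit first: placed last, it is never reached for a SASE-Non-Compliant endpoint.

```python
import ipaddress
from dataclasses import dataclass

# Assumption: FortiSASE evaluates private access policies top-down and the
# first matching policy decides; nothing matching falls to an implicit deny.
@dataclass(frozen=True)
class Policy:
    name: str
    source_tags: frozenset   # ZTNA tags the endpoint must carry; empty = any source
    destination: str         # CIDR, or "Private Access Traffic" for any private destination
    action: str              # "accept" or "deny"

# The three policies from this page, in the order the page recommends.
# Allow-All Private Traffic is modelled as a catch-all (assumption).
POLICIES = [
    Policy("Deny-SASE-Non-Compliant", frozenset({"SASE-Non-Compliant"}),
           "Private Access Traffic", "deny"),
    Policy("Allow-SASE-Compliant", frozenset({"SASE-Compliant"}),
           "10.100.99.101/32", "accept"),
    Policy("Allow-All Private Traffic", frozenset(),
           "Private Access Traffic", "accept"),
]


def matches(policy: Policy, endpoint_tags: set, dest_ip: str) -> bool:
    """True when the endpoint's tags and the destination satisfy the policy."""
    if policy.source_tags and not (policy.source_tags & endpoint_tags):
        return False
    if policy.destination == "Private Access Traffic":
        return True
    return ipaddress.ip_address(dest_ip) in ipaddress.ip_network(policy.destination)


def evaluate(policies, endpoint_tags, dest_ip: str):
    """Return (policy name, action) of the first match, or the implicit deny."""
    tags = set(endpoint_tags)
    for policy in policies:
        if matches(policy, tags, dest_ip):
            return policy.name, policy.action
    return "implicit-deny", "deny"


def misordered():
    """Same policies with the deny rule moved to the bottom, for comparison."""
    return [POLICIES[1], POLICIES[2], POLICIES[0]]
```

Run evaluate() with the same endpoint tags against POLICIES and misordered() to see the catch-all accept a non-compliant endpoint whenever the deny policy is not ordered first.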