Fortinet black logo

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

CLI Reference

server-policy ztna-rule

Use this command to configure ZTNA rule.

For more information on ZTNA, please refer to "Chapter: Zero Trust Network Access (ZTNA)" in FortiWeb Administration Guide.

To use this command, your administrator account’s access control profile must have either w or rw permission to the traroutegrp area. For details, see Permissions.

Syntax

config server-policy ztna-rule

edit <ztna-rule_name>

set action {pass | alert_deny | deny_no_log}

config ems-tag-condition

edit <ems-tag-condition_index>

set ems-tag <tag_name>

set combine {and | or}

next

end

config source-address-condition

edit <source-address-condition_index>

set source-address <IP_address>

next

end

config geo-condition

edit <geo-condition_index>

set country-list <country>

next

end

next

end

Variable Description Default

"<ztna-rule_name>"

Enter the name of the ZTNA rule. The maximum length is 63 characters.

To display the list of existing rules, enter:

edit ?

No default.

action {pass | alert_deny | deny_no_log}

Select the specific action to be taken when the request matches the rule.

  • pass—Accept the request.

  • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.

  • deny_no_log—Deny a request. Do not generate a log message.

pass

<ems-tag-condition_index>

Enter the EMS tag condition index number.

No default.

ems-tag

Enter the EMS tag to match.

The EMS tags are automatically synchronized from FortiClient EMS.

No default.

combine {and | or}

and means the request only matches if it has all tags specified;

or means the request matches if it has any of the tags specified.

and

<source-address-condition_index>

Enter the source IP address condition index number.

No default.

source-address <IP_address>

Enter one of the following values in Source IPv4/IPv6/IP Range:

  • A single IP address that a client source IP must match, such as a trusted private network IP address (e.g. an administrator’s computer, 192.0.2.109).
  • A range of addresses (e.g., 192.0.2.1-192.0.2.256 or 10:200::10:1-10:200:10:100).

No default.

<geo-condition_index>

Enter the GEO country condition index number.

No default.

set country-list <country>

  • Enter countries to match.
  • No default.

    If multiple conditions are added in one ZTNA rule, the matching logic is:

    • For conditions in different types (Source IP, GEO and ZTNA Tags), their relationship is ALL.

    • For conditions in the same type, their relationship is OR.

    If a request matches with the conditions specified in the rule, FortiWeb will take corresponding actions specified in the rule.

    Related topics

    server-policy ztna-rule

    Use this command to configure ZTNA rule.

    For more information on ZTNA, please refer to "Chapter: Zero Trust Network Access (ZTNA)" in FortiWeb Administration Guide.

    To use this command, your administrator account’s access control profile must have either w or rw permission to the traroutegrp area. For details, see Permissions.

    Syntax

    config server-policy ztna-rule

    edit <ztna-rule_name>

    set action {pass | alert_deny | deny_no_log}

    config ems-tag-condition

    edit <ems-tag-condition_index>

    set ems-tag <tag_name>

    set combine {and | or}

    next

    end

    config source-address-condition

    edit <source-address-condition_index>

    set source-address <IP_address>

    next

    end

    config geo-condition

    edit <geo-condition_index>

    set country-list <country>

    next

    end

    next

    end

    Variable Description Default

    "<ztna-rule_name>"

    Enter the name of the ZTNA rule. The maximum length is 63 characters.

    To display the list of existing rules, enter:

    edit ?

    No default.

    action {pass | alert_deny | deny_no_log}

    Select the specific action to be taken when the request matches the rule.

    • pass—Accept the request.

    • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.

    • deny_no_log—Deny a request. Do not generate a log message.

    pass

    <ems-tag-condition_index>

    Enter the EMS tag condition index number.

    No default.

    ems-tag

    Enter the EMS tag to match.

    The EMS tags are automatically synchronized from FortiClient EMS.

    No default.

    combine {and | or}

    and means the request only matches if it has all tags specified;

    or means the request matches if it has any of the tags specified.

    and

    <source-address-condition_index>

    Enter the source IP address condition index number.

    No default.

    source-address <IP_address>

    Enter one of the following values in Source IPv4/IPv6/IP Range:

    • A single IP address that a client source IP must match, such as a trusted private network IP address (e.g. an administrator’s computer, 192.0.2.109).
    • A range of addresses (e.g., 192.0.2.1-192.0.2.256 or 10:200::10:1-10:200:10:100).

    No default.

    <geo-condition_index>

    Enter the GEO country condition index number.

    No default.

    set country-list <country>

  • Enter countries to match.
  • No default.

    If multiple conditions are added in one ZTNA rule, the matching logic is:

    • For conditions in different types (Source IP, GEO and ZTNA Tags), their relationship is ALL.

    • For conditions in the same type, their relationship is OR.

    If a request matches with the conditions specified in the rule, FortiWeb will take corresponding actions specified in the rule.

    Related topics