Using the IP pool or client IP address in a ZTNA connection to backend servers
By default, the connection from the ZTNA access proxy to the backend servers uses the IP address of the outgoing interface as the source. This enhancement enables customers to use an IP pool as the source IP address, or use the client's original IP address as the source IP address. This allows ZTNA to support more sessions without source port conflicts.
These examples show the basic configurations for using an IP pool or transparent mode in a ZTNA proxy policy.
This topology uses an HTTP access proxy to forward traffic to the web server at 172.18.62.27. The IP pool range is 172.16.200.100-105, so this effectively allows for six times more connections using the six source addresses in the pool. If transparent mode is used, the FortiGate uses the client's address (10.1.100.118) as the source IP when connecting to the servers.
Basic ZTNA configuration
To configure the FortiGate:
- Configure the access proxy VIP:
config firewall vip
    edit "ZTNA_S1"
        set type access-proxy
        set extip 172.18.62.16
        set extintf "any"
        set server-type https
        set extport 443
        set ssl-certificate "Fortinet_SSL"
    next
end
- Configure the virtual host:
config firewall access-proxy-virtual-host
    edit "auto-ZTNA_S1-0"
        set ssl-certificate "Fortinet_SSL"
        set host "v1.qa.fortinet.com"
    next
end
- Configure the server and path mapping:
config firewall access-proxy
    edit "ZTNA_S1"
        set vip "ZTNA_S1"
        set client-cert enable
        set auth-portal enable
        set log-blocked-traffic enable
        config api-gateway
            edit 1
                set virtual-host "auto-ZTNA_S1-0"
                config realservers
                    edit 1
                        set ip 172.18.62.27
                    next
                end
            next
        end
    next
end
Example 1: IP pool
To configure the FortiGate:
- Configure the IP pool:
config firewall ippool
    edit "ztna_pool1"
        set startip 172.16.200.100
        set endip 172.16.200.105
    next
end
- Configure the proxy policy:
config firewall proxy-policy
    edit 1
        set name "ZTNA_R1"
        set proxy access-proxy
        set access-proxy "ZTNA_S1"
        set srcintf "port14"
        set srcaddr "all"
        set dstaddr "all"
        set ztna-ems-tag "FCTEMS8821000000_ems140_av_tag"
        set action accept
        set schedule "always"
        set logtraffic all
        set poolname "ztna_pool1"
        set utm-status enable
        set ssl-ssh-profile "custom-deep-inspection"
        set av-profile "test-av"
        set webfilter-profile "test_wf"
        set file-filter-profile "g-default"
        set ips-sensor "test_ips"
        set application-list "test_app"
    next
end
Once the ZTNA client generates traffic, run the WAD debug commands on the FortiGate. The outgoing IP address should be from the IP pool.
To test the configuration:
# diagnose wad debug enable category all
# diagnose wad debug enable level verbose
# diagnose debug enable
...
[V]2022-03-22 17:53:45.026384 [p:356][s:339191][r:50334048] wad_http_session_disconn_srv :1456 hcs=0x7f993d7877e8 http_svr=(nil)
[I]2022-03-22 17:53:45.026387 [p:356][s:339191][r:50334048] wad_http_connect_original_server :6253 http ses=0x7f993d7877e8 req=0x7f993d610780 ses_ctx=0x7f993d759218 connect svr orig 10.1.100.118:61694->172.18.62.16:443 out 10.1.100.118:61694->172.18.62.16:443
[I]2022-03-22 17:53:45.026390 [p:356][s:339191][r:50334048] wad_http_upd_ses_ctx_by_req :838 wad http session 0x7f993d7877e8 forward (nil) fwd_srv_ip=0.0.0.0
[I]2022-03-22 17:53:45.026455 [p:356][s:339191][r:50334048] wad_ippool_get_ip :842 clt:10.1.100.118 got ip:172.16.200.102 from ip pool, logic/phy intf(27/27)
[V]2022-03-22 17:53:45.026459 [p:356][s:339191][r:50334048] wad_http_connect_original_server :6268 [0x7f993d610780] Connect to server: 172.18.62.27:443/172.18.62.27:443
[I]2022-03-22 17:53:45.026461 [p:356][s:339191][r:50334048] wad_tcp_port_alloc :1434 alloc tcp_port=0x7f993ac55188
[V]2022-03-22 17:53:45.026470 [p:356][s:339191][r:50334048] wad_tcp_port_bind :527 tcp_port=0x7f993ac55188 src ip:172.16.200.102 is bind, create sess:1
[V]2022-03-22 17:53:45.026472 [p:356][s:339191][r:50334048] wad_tcp_port_connect_with_fd :2179 oif =27, src_addr_unkown=0
[I]2022-03-22 17:53:45.026495 [p:356][s:339191][r:50334048] wad_tcp_port_connect_with_fd :2221 TCP port=0x7f993ac55188 sock=63 vrf=0 connecting 172.16.200.102:12764->172.18.62.27:443
[V]2022-03-22 17:53:45.026506 [p:356][s:339191][r:50334048] wad_http_port_connect :1815 connect to SSL terminator.
[V]2022-03-22 17:53:45.026509 [p:356][s:339191][r:50334048] wad_tcp_port_out_read_block :975 tcp_port 0x7f993ac55048 fd=62 on=1 n_out_block=0~>1 in(/out)_shutdown=0/0 closed=0 state=2.
[V]2022-03-22 17:53:45.026511 [p:356][s:339191][r:50334048] wad_tcp_port_transport_read_block :930 tcp_port 0x7f993ac55048 fd=62 on=1 n_out_block=0~>1 in(/out)_shutdown=0/0 closed=0 events=0x1.
[V]2022-03-22 17:53:45.026513 [p:356][s:339191][r:50334048] wad_tcp_port_transport_read_block :944 sock 62 read_block enforced, turn off readability.
Example 2: transparent mode
To configure transparent mode in a proxy policy:
config firewall proxy-policy
    edit 1
        set name "ZTNA_R1"
        set proxy access-proxy
        set access-proxy "ZTNA_S1"
        set srcintf "port14"
        set srcaddr "all"
        set transparent enable
        set dstaddr "all"
        set ztna-ems-tag "FCTEMS8821000000_ems140_av_tag"
        set action accept
        set schedule "always"
        set logtraffic all
        set utm-status enable
        set ssl-ssh-profile "custom-deep-inspection"
        set av-profile "test-av"
        set webfilter-profile "test_wf"
        set file-filter-profile "g-default"
        set ips-sensor "test_ips"
        set application-list "test_app"
    next
end
Once the ZTNA client generates traffic, run the WAD debug commands on the FortiGate. The client's address (10.1.100.118) should be used as the source IP address when connecting to the servers.
To test the configuration:
# diagnose wad debug enable category all
# diagnose wad debug enable level verbose
# diagnose debug enable
...
[V]2022-03-22 18:11:34.968351 [p:356][s:343987][r:50334156] wad_http_connect_server :6363 http session 0x7f993d7877e8 req=0x7f993d611a60
[V]2022-03-22 18:11:34.968354 [p:356][s:343987][r:50334156] wad_http_srv_still_good :6135 srv((nil)) nontp(0) dst_type(3) req: dst:172.18.62.27:443, proto:10) hcs: dst:N/A:0, proto:1)
[V]2022-03-22 18:11:34.968357 [p:356][s:343987][r:50334156] wad_http_session_disconn_srv :1456 hcs=0x7f993d7877e8 http_svr=(nil)
[I]2022-03-22 18:11:34.968360 [p:356][s:343987][r:50334156] wad_http_connect_original_server :6253 http ses=0x7f993d7877e8 req=0x7f993d611a60 ses_ctx=0x7f993d758ec8 connect svr orig 10.1.100.118:62113->172.18.62.16:443 out 10.1.100.118:62113->172.18.62.16:443
[I]2022-03-22 18:11:34.968363 [p:356][s:343987][r:50334156] wad_http_upd_ses_ctx_by_req :838 wad http session 0x7f993d7877e8 forward (nil) fwd_srv_ip=0.0.0.0
[V]2022-03-22 18:11:34.968367 [p:356][s:343987][r:50334156] wad_http_connect_original_server :6268 [0x7f993d611a60] Connect to server: 172.18.62.27:443/172.18.62.27:443
[I]2022-03-22 18:11:34.968369 [p:356][s:343987][r:50334156] wad_tcp_port_alloc :1434 alloc tcp_port=0x7f993ac55908
[V]2022-03-22 18:11:34.968379 [p:356][s:343987][r:50334156] wad_tcp_port_bind :527 tcp_port=0x7f993ac55908 src ip:10.1.100.118 is bind, create sess:1
[V]2022-03-22 18:11:34.968381 [p:356][s:343987][r:50334156] wad_tcp_port_connect_with_fd :2179 oif =27, src_addr_unkown=0
[I]2022-03-22 18:11:34.968403 [p:356][s:343987][r:50334156] wad_tcp_port_connect_with_fd :2221 TCP port=0x7f993ac55908 sock=64 vrf=0 connecting 10.1.100.118:2182->172.18.62.27:443
[V]2022-03-22 18:11:34.968412 [p:356][s:343987][r:50334156] wad_http_port_connect :1815 connect to SSL terminator.
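Reading the WAD output by eye works for a single session, but when validating the change across many sessions it is easier to extract the wad_ippool_get_ip and wad_tcp_port_connect_with_fd lines and check the source address programmatically. The following Python script is an added example written for this page, not Fortinet code and not part of FortiOS. It classifies each proxy-to-server connection as IP pool, transparent (client IP) or default egress-interface sourcing, and cross-checks the pool address handed out for a WAD session ([s:NNN]) against the address actually used to connect. The sample lines are copied from the Example 1 and Example 2 output above; EGRESS_IP is an assumption (the page does not state the outgoing interface address), and the parsing is IPv4-only because that is all the page shows.

```python
"""Audit FortiGate WAD debug output for the source address the ZTNA access
proxy used toward backend servers.  Added example, not Fortinet code."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Values from the page: the ZTNA client and the IP pool range (startip..endip).
CLIENT_IP = "10.1.100.118"
POOL = ("172.16.200.100", "172.16.200.105")
# Assumption: the address of the proxy's outgoing interface, used when neither
# an IP pool nor transparent mode is configured.  Not stated on the page.
EGRESS_IP = "192.0.2.1"

SESSION_RE = re.compile(r"\[s:(?P<sid>\d+)\]")
POOL_RE = re.compile(
    r"wad_ippool_get_ip .*?clt:(?P<client>[0-9.]+) got ip:(?P<pool_ip>[0-9.]+) from ip pool"
)
CONNECT_RE = re.compile(
    r"wad_tcp_port_connect_with_fd .*?connecting "
    r"(?P<src_ip>[0-9.]+):(?P<src_port>\d+)->(?P<dst_ip>[0-9.]+):(?P<dst_port>\d+)"
)

# Sample input copied from the debug output on this page: session 339191 is
# Example 1 (IP pool), session 343987 is Example 2 (transparent mode).
SAMPLE_LINES = [
    "[I]2022-03-22 17:53:45.026455 [p:356][s:339191][r:50334048] wad_ippool_get_ip :842 "
    "clt:10.1.100.118 got ip:172.16.200.102 from ip pool, logic/phy intf(27/27)",
    "[I]2022-03-22 17:53:45.026495 [p:356][s:339191][r:50334048] wad_tcp_port_connect_with_fd :2221 "
    "TCP port=0x7f993ac55188 sock=63 vrf=0 connecting 172.16.200.102:12764->172.18.62.27:443",
    "[I]2022-03-22 18:11:34.968403 [p:356][s:343987][r:50334156] wad_tcp_port_connect_with_fd :2221 "
    "TCP port=0x7f993ac55908 sock=64 vrf=0 connecting 10.1.100.118:2182->172.18.62.27:443",
]


def in_pool(ip: str, pool: Tuple[str, str]) -> bool:
    """True if ip lies in the inclusive startip..endip range (IPv4 only)."""
    addr = ipaddress.IPv4Address(ip)
    return ipaddress.IPv4Address(pool[0]) <= addr <= ipaddress.IPv4Address(pool[1])


def classify_source(src_ip: str, client_ip: str, egress_ip: str,
                    pool: Optional[Tuple[str, str]]) -> str:
    """Name the source-address mode implied by one server connection's source IP."""
    if pool is not None and in_pool(src_ip, pool):
        return "ippool"
    if src_ip == client_ip:
        return "transparent"
    if src_ip == egress_ip:
        return "egress-interface"
    return "unexpected"


def audit(lines: List[str], client_ip: str, egress_ip: str,
          pool: Optional[Tuple[str, str]] = None) -> List[Dict[str, object]]:
    """Return one record per proxy-to-server connection found in the WAD lines.

    Each record carries source/destination, the mode the source implies, and
    whether the source agrees with the pool address allocated for the same WAD
    session id (None when no wad_ippool_get_ip line was seen for that session).
    """
    allocated: Dict[str, str] = {}   # WAD session id -> pool IP handed out
    records: List[Dict[str, object]] = []
    for line in lines:
        sid_m = SESSION_RE.search(line)
        sid = sid_m["sid"] if sid_m else ""
        pm = POOL_RE.search(line)
        if pm:
            allocated[sid] = pm["pool_ip"]
            continue
        cm = CONNECT_RE.search(line)
        if not cm:
            continue
        src_ip = cm["src_ip"]
        alloc = allocated.get(sid)
        records.append({
            "session": sid,
            "src": f"{src_ip}:{cm['src_port']}",
            "dst": f"{cm['dst_ip']}:{cm['dst_port']}",
            "mode": classify_source(src_ip, client_ip, egress_ip, pool),
            "matches_allocation": (alloc == src_ip) if alloc is not None else None,
        })
    return records


def all_in_mode(records: List[Dict[str, object]], mode: str) -> bool:
    """True when every server connection used the expected source-address mode."""
    return bool(records) and all(r["mode"] == mode for r in records)


if __name__ == "__main__":
    for rec in audit(SAMPLE_LINES, CLIENT_IP, EGRESS_IP, POOL):
        print(rec)
```

Feed it the saved output of the diagnose commands (one WAD line per list entry) and assert all_in_mode(..., "ippool") after deploying Example 1, or all_in_mode(..., "transparent") after Example 2; a record whose mode is "unexpected" or whose matches_allocation is False is the case worth investigating, since it means the proxy connected with an address other than the one the policy intends.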