Explicitly deny access for devices with Critical Vulnerabilities

Just like ZTNA access, a Deny rule should be set up to explicitly deny traffic when a device is detected and tagged with Critical Vulnerabilities. In our example, we enable user authentication in order to identify the specific users that are detected, and we’ll limit this rule to destination servers defined in ZTNA.

To create a Deny rule for On-net users from port1 (Clients_LAN) to port2 (DMZ):

In FortiOS, go to Policy & Objects > Firewall Policy. Click Create New.
Name the rule Deny-vuln-on-net.
In the Incoming interface, select port1.
In the Outgoing interface, select port2.
In the Source list:
- Select the Address all.
- Add the User Groups LDAP-Administrators, LDAP-Finance and LDAP-Sales.
In the IP/MAC Based Access Control field, add the Critical_Vulnerabilities tag.
In the Destination list, add the EMS, FAC, FAZ, Finance and Webserver address objects.
Set the Service to ALL.
Set the Action to DENY.
Enable Log Violation Traffic.
Click OK to complete.
Place this rule in front of the existing to_DMZ_webservers firewall policy.

Explicitly deny access for devices with Critical Vulnerabilities

To create a Deny rule for On-net users from port1 (Clients_LAN) to port2 (DMZ):

In FortiOS, go to Policy & Objects > Firewall Policy. Click Create New.
Name the rule Deny-vuln-on-net.
In the Incoming interface, select port1.
In the Outgoing interface, select port2.
In the Source list:
- Select the Address all.
- Add the User Groups LDAP-Administrators, LDAP-Finance and LDAP-Sales.
In the IP/MAC Based Access Control field, add the Critical_Vulnerabilities tag.
In the Destination list, add the EMS, FAC, FAZ, Finance and Webserver address objects.
Set the Service to ALL.
Set the Action to DENY.
Enable Log Violation Traffic.
Click OK to complete.
Place this rule in front of the existing to_DMZ_webservers firewall policy.