7.2.2

ZTNA rule configuration

Once the ZTNA servers, authentication scheme and authentication rules are configured, we will create ZTNA rules to control access. To recap, a ZTNA rule controls access by combining users (or user groups) with ZTNA tags, so that each request is subject to both user authentication and an endpoint security posture check. Just like firewall policies, ZTNA rules let you granularly control the source and destination addresses and apply security profiles to scan the traffic.

In this step, we will create two rules. The first denies endpoints whose security is compromised, identified by the presence of the Critical_Vulnerabilities tag. The second allows users who are logged into the FortiAD.Info domain, identified by the presence of the FortiAD.Info tag. Both rules apply to the existing LDAP-Administrators group, which is also used in the SSL VPN policy. ZTNA rules are evaluated top down and the first match wins, so the deny rule must be placed above the allow rule: otherwise a domain-joined endpoint that also carries the Critical_Vulnerabilities tag would match the allow rule first and be granted access.

To configure a ZTNA Rule for denying access:
  1. In FortiOS, go to Policy & Objects > ZTNA and click the ZTNA Rules tab.

  2. Click Create New to create a new rule.

  3. In the Name box, type ZTNA Deny Access.

  4. In the Incoming Interface list, select WAN (port3).

  5. In the Source list, select the following options:

    • For Address, select all.

    • For User, select LDAP-Administrators.

      Note

      When a user group is defined in the rule, the user must authenticate before the ZTNA tag is checked. The advantage is that the username is recorded in the violation log, so a denied connection can be attributed to a specific user and not just to an endpoint IP.

  6. In the ZTNA Tag list, select the Critical_Vulnerabilities tag.

  7. In the ZTNA Server list, select ZTNA Webserver.

  8. In the Destination list, select the address objects EMS, FAC and FAZ.

  9. Beside Action, select Deny.

  10. Enable Log Violation Traffic.

  11. Ensure Enable this policy is turned on.

  12. Click OK to complete.

To configure a ZTNA Rule for allowing access:
  1. On the Policy & Objects > ZTNA > ZTNA Rules pane, click Create New.

  2. In the Name box, enter ZTNA-Administrators.

  3. In the Incoming Interface list, select WAN (port3).

  4. In the Source list, select the following options:

    • For Address, select all.

    • For User, select LDAP-Administrators.

  5. In the ZTNA Tag list, select the FortiAD.Info tag.

  6. In the ZTNA Server list, select ZTNA Webserver.

  7. In the Destination list, select the address objects EMS, FAC and FAZ.

  8. Beside Action, select Accept.

  9. Enable Security Profiles as desired.

  10. In the Logging Options section, enable Log Allowed Traffic, and select All Sessions.

  11. Ensure Enable this policy is turned on.

  12. Click OK to complete.
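The CLI equivalent of the two rules above, as an added example that is not part of the original page. ZTNA rules are stored as proxy policies under config firewall proxy-policy. The policy IDs (1 and 2) and the address object names for the ZTNA tags (EMS1_ZTNA_Critical_Vulnerabilities and EMS1_ZTNA_FortiAD.Info) are assumptions: FortiOS prefixes the tag names it imports from EMS with the EMS server name, so confirm the exact names on your unit with show firewall address before pasting. The security profiles on the allow rule are illustrative; substitute the ones you want to apply.

```fortios
# Added example (not from the original page): CLI form of the two ZTNA rules.
# Policy IDs and the EMS1_ZTNA_ tag object names are assumptions; check them
# with "show firewall address" and adjust before use.
config firewall proxy-policy
    # Deny rule first. Proxy policies are matched top down, first match wins,
    # so an endpoint that carries both tags is denied before the allow rule
    # is reached.
    edit 1
        set name "ZTNA Deny Access"
        set proxy access-proxy
        set access-proxy "ZTNA Webserver"
        set srcintf "port3"
        set srcaddr "all"
        set dstaddr "EMS" "FAC" "FAZ"
        set ztna-ems-tag "EMS1_ZTNA_Critical_Vulnerabilities"
        # User group forces authentication before the tag check, so the
        # username lands in the violation log.
        set groups "LDAP-Administrators"
        set action deny
        set schedule "always"
        # "Log Violation Traffic" in the GUI
        set logtraffic all
        set status enable
    next
    # Allow rule for domain-joined endpoints of the same user group.
    edit 2
        set name "ZTNA-Administrators"
        set proxy access-proxy
        set access-proxy "ZTNA Webserver"
        set srcintf "port3"
        set srcaddr "all"
        set dstaddr "EMS" "FAC" "FAZ"
        set ztna-ems-tag "EMS1_ZTNA_FortiAD.Info"
        set groups "LDAP-Administrators"
        set action accept
        set schedule "always"
        # Security profiles as desired (illustrative choice below)
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set av-profile "default"
        # "Log Allowed Traffic: All Sessions" in the GUI
        set logtraffic all
        set status enable
    next
end
```

After committing, run show firewall proxy-policy and confirm that the deny rule is listed before the allow rule; if you created them in the other order, use the GUI drag handle (or move 1 before 2 in the CLI) to fix the sequence. diagnose firewall dynamic list shows which endpoint IP addresses EMS has currently resolved into each ZTNA tag object, which is the quickest way to check why a given endpoint is or is not matching a rule.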