ZTNA rule configuration
In this step, we add the LDAP-Finance user group to the ZTNA Deny Access rule, which denies access to endpoints whose security posture is compromised. We also create a rule that allows users who are logged into the FortiAD.Info domain and are members of the LDAP-Finance user group to access the Finance server website.
To update the ZTNA Rule for denying access:
- In FortiOS, go to Policy & Objects > ZTNA and click the ZTNA Rules tab.
- Edit the ZTNA Deny Access rule.
- In the Source list, add the LDAP-Finance user group.
- In the Destination list, add the Finance address object.
- Click OK to complete.
To configure a ZTNA Rule for allowing access:
- On the Policy & Objects > ZTNA > ZTNA Rules pane, click Create New.
- In the Name box, enter ZTNA-Finance.
- In the Incoming Interface list, select WAN (port3).
- In the Source list, select the following options:
  - For Address, select all.
  - For User, select LDAP-Finance.
- In the ZTNA Tag list, select the FortiAD.Info tag.
- In the ZTNA Server list, select ZTNA Webserver.
- In the Destination list, select the Finance address object.
- Beside Action, select Accept.
- Enable Security Profiles as desired.
- In the Logging Options section, enable Log Allowed Traffic and select All Sessions.
- Turn on Enable this policy.
- Click OK to complete.
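The two GUI procedures above correspond to a pair of proxy policies in the FortiOS CLI, where ZTNA rules are stored as `config firewall proxy-policy` entries with `set proxy access-proxy`. The following is an added example, not configuration taken from the original page: the interface, address, user group and ZTNA server names come from the steps above, while the policy IDs, the CLI name of the FortiAD.Info tag object and the name of the compromised-endpoint tag used by the deny rule are placeholders that must be replaced with the object names shown by `show firewall proxy-policy` on the unit.

```fortios
# Added example (not from the original page). Object names in angle
# brackets are placeholders; verify them against the running config.
config firewall proxy-policy
    # Deny rule: endpoints carrying the "compromised" EMS tag are
    # refused even if the user is a member of LDAP-Finance.
    edit 1
        set name "ZTNA Deny Access"
        set proxy access-proxy
        set access-proxy "ZTNA Webserver"
        set srcintf "port3"
        set srcaddr "all"
        set dstaddr "Finance"
        set ztna-ems-tag "<compromised-endpoint-tag>"   # placeholder
        set groups "LDAP-Finance"
        set action deny
        set schedule "always"
        set logtraffic all
        set status enable
    next
    # Allow rule: LDAP-Finance members on domain-joined endpoints
    # (FortiAD.Info tag) reach the Finance web server through the
    # ZTNA Webserver access proxy arriving on WAN (port3).
    edit 2
        set name "ZTNA-Finance"
        set proxy access-proxy
        set access-proxy "ZTNA Webserver"
        set srcintf "port3"
        set srcaddr "all"
        set dstaddr "Finance"
        set ztna-ems-tag "<FortiAD.Info-tag-object>"    # placeholder
        set groups "LDAP-Finance"
        set action accept
        set schedule "always"
        set logtraffic all
        set status enable
    next
end
```

Proxy policies are evaluated top-down and the first match wins, so the deny rule must sit above ZTNA-Finance in the list; if the allow rule is created first, move it below the deny rule (on the ZTNA Rules pane, or with `move 2 after 1` inside `config firewall proxy-policy`) and confirm with `show firewall proxy-policy` that the order is as intended. Logging all sessions on both rules, as the steps above specify, is what lets the denied attempts from compromised endpoints be seen in the ZTNA traffic log alongside the permitted ones.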