7.2.2

ZTNA rule configuration

In this step, we add the LDAP-Finance user group to the ZTNA Deny Access rule, which denies access to endpoints whose security posture is compromised. We also create a rule that allows users who are logged into the FortiAD.Info domain and are members of the LDAP-Finance user group to access the Finance server website.

To update the ZTNA Rule for denying access:
  1. In FortiOS, go to Policy & Objects > ZTNA and click the ZTNA Rules tab.

  2. Edit the ZTNA Deny Access rule.

  3. In the Source list, add the LDAP-Finance user group.

  4. In the Destination list, add the Finance address object.

  5. Click OK to complete.

To configure a ZTNA Rule for allowing access:
  1. On the Policy & Objects > ZTNA > ZTNA Rules pane, click Create New.

  2. In the Name box, enter ZTNA-Finance.

  3. In the Incoming Interface list, select WAN (port3).

  4. In the Source list, select the following options:

    • For Address, select all.

    • For User, select LDAP-Finance.

  5. In the ZTNA Tag list, select the FortiAD.Info tag.

  6. In the ZTNA Server list, select ZTNA Webserver.

  7. In the Destination list, select the Finance address object.

  8. Beside Action, select Accept.

  9. Enable Security Profiles as desired.

  10. In the Logging Options section, enable Log Allowed Traffic, and select All Sessions.

  11. Enable Enable this policy.

  12. Click OK to complete.
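The same two changes expressed in the FortiOS CLI, as an added example that is not from the original page. ZTNA rules are stored as `config firewall proxy-policy` entries; the placeholder `<deny-id>` for the existing ZTNA Deny Access rule, the interface name `port3` for WAN, and the exact CLI field names are assumptions to verify against your own unit, while the object names are taken from the steps above.

```text
# Added example (not from the original page). Field names assume FortiOS 7.2
# proxy-policy syntax; confirm with "show firewall proxy-policy" before applying.

# 1. Extend the existing ZTNA Deny Access rule.
#    <deny-id> is a placeholder for that rule's policy ID.
#    "append" adds to the existing list; "set" would replace it.
config firewall proxy-policy
    edit <deny-id>
        append groups "LDAP-Finance"
        append dstaddr "Finance"
    next
end

# 2. Create the ZTNA-Finance allow rule ("edit 0" takes the next free ID).
config firewall proxy-policy
    edit 0
        set name "ZTNA-Finance"
        set proxy access-proxy
        set access-proxy "ZTNA Webserver"
        set srcintf "port3"
        set srcaddr "all"
        set dstaddr "Finance"
        set groups "LDAP-Finance"
        set ztna-ems-tag "FortiAD.Info"
        set action accept
        set schedule "always"
        set logtraffic all
        set status enable
    next
end
```

ZTNA rules are matched top-down, so keep the ZTNA Deny Access rule above ZTNA-Finance in the list; otherwise a compromised endpoint in LDAP-Finance would match the allow rule first.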
