VMware ESXi FortiGate-VM as ZTNA gateway

FortiOS supports deploying a VMware ESXi FortiGate-VM directly as a zero trust application gateway using the OVF template (.vapp). You can configure zero trust network access (ZTNA)-related parameters such as the EMS server, external and internal interface IP addresses, and the application server mapping, during OVF deployment. The deployment also bootstraps ZTNA policy, authentication scheme, rules, and user group configurations.

This enhancement introduces a new FortiGate-VM64-ZTNA-vapp.ovf file. With this file, you can configure all ZTNA-related parameters and the FGT-VM64 instance can act as a ZTNA gateway after bootstrapping. The file supports using FortiClient Cloud or on-premise EMS.

The example deployment is as follows:

  • The FortiGate is deployed with the addressing scheme used in the bootstrap output below: port1 is the external interface and the protected web server sits on the internal network.
  • FortiClient Cloud is used as the EMS.
  • 10.6.30.67 is used for the HTTPS access proxy external IP address (on port1, external port 9443).
  • The web server 10.1.100.22 is configured for server mapping.
  • A local user, mylocaluser, is created on the FortiGate and added to ztna_group.
  • ztna_group is allowed ZTNA access to the protected web server via basic authentication.
  • This deployment does not use ZTNA tags for security posture checks, so the gateway enforces user identity but not device posture.
To deploy VMware ESXi FortiGate-VM as ZTNA gateway:
  1. Download the OVF package:
    1. In the Fortinet Customer Service & Support site, go to Support > Downloads > VM Images.
    2. From the Select Platform dropdown list, select VMware ESXi.
    3. Download the file labeled as New deployment of FortiGate for VMware FGT_VM64-v7.4.0.F-buildXXXX-FORTINET.out.ovf.zip.
    4. Extract the zip file and locate the FortiGate-VM64-ZTNA.vapp.ovf file.
  2. In vSphere, create a new FGT-VM64 instance using the FortiGate-VM64-ZTNA.vapp.ovf file. The vApp properties let you supply the VM license file and all ZTNA-related parameters (EMS server, external and internal interface IP addresses, and the application server mapping).

  3. After the FGT-VM64 boots up, go to Security Fabric > Fabric Connectors.
  4. Verify the EMS server certificate on the FortiGate (the CLI equivalent is execute fctems verify 1), then authorize the FortiGate in EMS. The bootstrapped fctems entry is not active until the certificate has been verified.

You can run diagnose debug cloudinit show to view the cloudinit information after the FortiGate boots up. Read it before exposing the gateway: the bootstrap script keeps going after a rejected command (in this output, set gui-endpoint-control disable fails with a parse error and return code -61, which only affects a GUI visibility setting), the license is fetched from the HTTP URL supplied in the vApp properties, and the last lines remind you that the EMS entry needs execute fctems verify 1 before it takes effect:

FortiGate-VM # diagnose debug cloudinit show

>> Checking metadata source ovf

>> Cloudinit downloading the license:http://10.6.30.218/temp1.lic

>> Cloudinit download the license successfully

>> Found metadata source: ovf

>> Trying to install vmlicense ...

>> Run config script

>> FortiGate-VM $ config system global

>> FortiGate-VM (global) $ set gui-theme mariner

>> FortiGate-VM (global) $ set admintimeout 60

>> FortiGate-VM (global) $ end

>> FortiGate-VM $ config system admin

>> FortiGate-VM (admin) $ edit admin

>> FortiGate-VM (admin) $ config gui-dashboard

>> FortiGate-VM (gui-dashboard) $ edit 0

>> FortiGate-VM (0) $ set name "FortiView ZTNA Servers"

>> FortiGate-VM (0) $ set vdom root

>> FortiGate-VM (0) $ set layout-type standalone

>> FortiGate-VM (0) $ set csf disable

>> FortiGate-VM (0) $ config widget

>> FortiGate-VM (widget) $ edit 1

>> FortiGate-VM (1) $ set type fortiview

>> FortiGate-VM (1) $ set width 1

>> FortiGate-VM (1) $ set height 1

>> FortiGate-VM (1) $ set csf-device all

>> FortiGate-VM (1) $ set fortiview-type ztnaServer

>> FortiGate-VM (1) $ set fortiview-sort-by bytes

>> FortiGate-VM (1) $ set fortiview-timeframe 5min

>> FortiGate-VM (1) $ set fortiview-visualization table

>> FortiGate-VM (1) $ end

>> FortiGate-VM (0) $ end

>> FortiGate-VM (admin) $ end

>> FortiGate-VM $ config system settings

>> FortiGate-VM (settings) $ set gui-implicit-policy disable

>> FortiGate-VM (settings) $ set gui-dos-policy disable

>> FortiGate-VM (settings) $ set gui-dynamic-routing disable

>> FortiGate-VM (settings) $ set gui-threat-weight disable

>> FortiGate-VM (settings) $ set gui-file-filter disable

>> FortiGate-VM (settings) $ set gui-application-control disable

>> FortiGate-VM (settings) $ set gui-endpoint-control disable

>> command parse error before 'gui-endpoint-control'

>> Command fail. Return code -61

>> FortiGate-VM (settings) $ set gui-vpn disable

>> FortiGate-VM (settings) $ set gui-wireless-controller disable

>> FortiGate-VM (settings) $ set gui-traffic-shaping disable

>> FortiGate-VM (settings) $ set gui-webfilter disable

>> FortiGate-VM (settings) $ set gui-dnsfilter disable

>> FortiGate-VM (settings) $ set allow-subnet-overlap enable

>> FortiGate-VM (settings) $ end

>> FortiGate-VM $ config user local

>> FortiGate-VM (local) $ edit mylocaluser

>> FortiGate-VM (mylocaluser) $ set type password

>> FortiGate-VM (mylocaluser) $ set passwd <password>

>> FortiGate-VM (mylocaluser) $ next

>> FortiGate-VM (local) $ end

>> FortiGate-VM $ config user group

>> FortiGate-VM (group) $ edit ztna_group

>> FortiGate-VM (ztna_group) $ set member mylocaluser

>> FortiGate-VM (ztna_group) $ next

>> FortiGate-VM (group) $ end

>> FortiGate-VM $ config firewall address

>> FortiGate-VM (address) $ edit webserver1

>> FortiGate-VM (webserver1) $ set subnet 10.1.100.22 255.255.255.255

>> FortiGate-VM (webserver1) $ next

>> FortiGate-VM (address) $ end

>> FortiGate-VM $ config firewall vip

>> FortiGate-VM (vip) $ edit MyApplicationServer

>> FortiGate-VM (MyApplicationServer) $ set type access-proxy

>> FortiGate-VM (MyApplicationServer) $ set extip 10.6.30.67

>> FortiGate-VM (MyApplicationServer) $ set extintf port1

>> FortiGate-VM (MyApplicationServer) $ set server-type https

>> FortiGate-VM (MyApplicationServer) $ set extport 9443

>> FortiGate-VM (MyApplicationServer) $ set ssl-certificate Fortinet_SSL

>> FortiGate-VM (MyApplicationServer) $ next

>> FortiGate-VM (vip) $ end

>> FortiGate-VM $ config firewall access-proxy

>> FortiGate-VM (access-proxy) $ edit MyApplicationServer

>> FortiGate-VM (MyApplicationServer) $ set vip MyApplicationServer

>> FortiGate-VM (MyApplicationServer) $ config api-gateway

>> FortiGate-VM (api-gateway) $ edit 1

>> FortiGate-VM (1) $ config realservers

>> FortiGate-VM (realservers) $ edit 1

>> FortiGate-VM (1) $ set ip 10.1.100.22

>> FortiGate-VM (1) $ next

>> FortiGate-VM (realservers) $ end

>> FortiGate-VM (1) $ next

>> FortiGate-VM (api-gateway) $ end

>> FortiGate-VM (MyApplicationServer) $ next

>> FortiGate-VM (access-proxy) $ end

>> FortiGate-VM $ config firewall proxy-policy

>> FortiGate-VM (proxy-policy) $ edit 1

>> FortiGate-VM (1) $ set name ZTNA-Web-Server

>> FortiGate-VM (1) $ set proxy access-proxy

>> FortiGate-VM (1) $ set access-proxy MyApplicationServer

>> FortiGate-VM (1) $ set srcintf port1

>> FortiGate-VM (1) $ set srcaddr all

>> FortiGate-VM (1) $ set dstaddr webserver1

>> FortiGate-VM (1) $ set action accept

>> FortiGate-VM (1) $ set schedule always

>> FortiGate-VM (1) $ set logtraffic all

>> FortiGate-VM (1) $ set groups ztna_group

>> FortiGate-VM (1) $ next

>> FortiGate-VM (proxy-policy) $ end

>> FortiGate-VM $ config authentication scheme

>> FortiGate-VM (scheme) $ edit ZTNA

>> FortiGate-VM (ZTNA) $ set method basic

>> FortiGate-VM (ZTNA) $ set user-database local-user-db

>> FortiGate-VM (ZTNA) $ next

>> FortiGate-VM (scheme) $ end

>> FortiGate-VM $ config authentication rule

>> FortiGate-VM (rule) $ edit ZTNA

>> FortiGate-VM (ZTNA) $ set srcintf port1

>> FortiGate-VM (ZTNA) $ set srcaddr all

>> FortiGate-VM (ZTNA) $ set ip-based disable

>> FortiGate-VM (ZTNA) $ set active-auth-method ZTNA

>> FortiGate-VM (ZTNA) $ next

>> FortiGate-VM (rule) $ end

>> FortiGate-VM $ config endpoint-control fctems

>> FortiGate-VM (fctems) $ edit 1

>> FortiGate-VM (1) $ set name ems-cloud

>> FortiGate-VM (1) $ set status enable

>> FortiGate-VM (1) $ set fortinetone-cloud-authentication enable

>> FortiGate-VM (1) $ next

>> The configuration will not be effective unless server certificate is verified.

>> You can get and verify server certificate by the following command:

>> "execute fctems verify 1" (ems table id)

>> FortiGate-VM (fctems) $ end

>> Finish running config script
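The output above is long and the script does not stop on errors, so it is easy to miss a rejected command or a table that was never configured. As an added example (not part of the Fortinet documentation and not FortiOS code), the following Python script parses a diagnose debug cloudinit show transcript and reports rejected commands, required ZTNA tables that were never entered, a license fetched over cleartext HTTP, a factory SSL certificate on the access proxy, and a pending execute fctems verify. The embedded log is a constructed sample that follows the format of the output above; the list of required tables and the factory certificate names are this example's own assumptions about what a complete ZTNA bootstrap should contain.

```python
"""Check a FortiGate-VM `diagnose debug cloudinit show` transcript after an
OVF/vApp ZTNA bootstrap.  Added example; not Fortinet code."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample in the format of the bootstrap output (abridged).
SAMPLE_LOG = """\
>> Checking metadata source ovf
>> Cloudinit downloading the license:http://10.6.30.218/temp1.lic
>> Cloudinit download the license successfully
>> Run config script
>> FortiGate-VM $ config system settings
>> FortiGate-VM (settings) $ set gui-endpoint-control disable
>> command parse error before 'gui-endpoint-control'
>> Command fail. Return code -61
>> FortiGate-VM (settings) $ end
>> FortiGate-VM $ config user group
>> FortiGate-VM (group) $ edit ztna_group
>> FortiGate-VM (group) $ end
>> FortiGate-VM $ config firewall vip
>> FortiGate-VM (vip) $ edit MyApplicationServer
>> FortiGate-VM (MyApplicationServer) $ set type access-proxy
>> FortiGate-VM (MyApplicationServer) $ set extport 9443
>> FortiGate-VM (MyApplicationServer) $ set ssl-certificate Fortinet_SSL
>> FortiGate-VM (vip) $ end
>> FortiGate-VM $ config firewall access-proxy
>> FortiGate-VM (access-proxy) $ edit MyApplicationServer
>> FortiGate-VM (access-proxy) $ end
>> FortiGate-VM $ config firewall proxy-policy
>> FortiGate-VM (proxy-policy) $ edit 1
>> FortiGate-VM (1) $ set groups ztna_group
>> FortiGate-VM (proxy-policy) $ end
>> FortiGate-VM $ config authentication scheme
>> FortiGate-VM (scheme) $ edit ZTNA
>> FortiGate-VM (scheme) $ end
>> FortiGate-VM $ config authentication rule
>> FortiGate-VM (rule) $ edit ZTNA
>> FortiGate-VM (rule) $ end
>> FortiGate-VM $ config endpoint-control fctems
>> FortiGate-VM (fctems) $ edit 1
>> FortiGate-VM (1) $ set fortinetone-cloud-authentication enable
>> The configuration will not be effective unless server certificate is verified.
>> "execute fctems verify 1" (ems table id)
>> FortiGate-VM (fctems) $ end
>> Finish running config script
"""

# Assumption: tables a complete ZTNA gateway bootstrap must enter.
REQUIRED_TABLES = ("user group", "firewall vip", "firewall access-proxy",
                   "firewall proxy-policy", "authentication scheme",
                   "authentication rule", "endpoint-control fctems")
# Built-in certificates every FortiGate ships with; fine for a lab, not production.
FACTORY_CERTS = {"Fortinet_SSL", "Fortinet_Factory"}

CMD_RE = re.compile(r"^>> \S+ (?:\([^)]*\) )?\$ (.*)$")   # "<host> (<table>) $ <cmd>"
FAIL_RE = re.compile(r"^>> Command fail\. Return code (-?\d+)")
LICENSE_RE = re.compile(r"downloading the license:(\S+)")
VERIFY_RE = re.compile(r'"(execute fctems verify \d+)"')


@dataclass
class BootstrapReport:
    failed_commands: list = field(default_factory=list)   # (command, return code)
    config_tables: set = field(default_factory=set)
    ssl_certificates: set = field(default_factory=set)
    license_url: str | None = None
    ems_verify_command: str | None = None
    finished: bool = False

    @property
    def missing_tables(self) -> list:
        return [t for t in REQUIRED_TABLES if t not in self.config_tables]

    @property
    def license_over_http(self) -> bool:
        return bool(self.license_url) and self.license_url.startswith("http://")

    @property
    def factory_cert_in_use(self) -> bool:
        return bool(self.ssl_certificates & FACTORY_CERTS)


def check_bootstrap(log: str) -> BootstrapReport:
    """Walk the transcript line by line; a 'Command fail' line refers to the
    most recent command echoed before it."""
    report, last_cmd = BootstrapReport(), None
    for line in log.splitlines():
        if (m := LICENSE_RE.search(line)):
            report.license_url = m.group(1)
        elif (m := VERIFY_RE.search(line)):
            report.ems_verify_command = m.group(1)
        elif (m := FAIL_RE.match(line)):
            report.failed_commands.append((last_cmd, int(m.group(1))))
        elif line.startswith(">> Finish running config script"):
            report.finished = True
        elif (m := CMD_RE.match(line)):
            last_cmd = m.group(1).strip()
            words = last_cmd.split()
            if words and words[0] == "config":
                report.config_tables.add(" ".join(words[1:]))
            elif words[:2] == ["set", "ssl-certificate"] and len(words) > 2:
                report.ssl_certificates.add(words[2])
    return report


def findings(report: BootstrapReport) -> list:
    """Human-readable findings; an empty list means nothing needs attention."""
    out = []
    if not report.finished:
        out.append("bootstrap script did not reach 'Finish running config script'")
    for cmd, rc in report.failed_commands:
        out.append(f"rejected command (rc {rc}): {cmd}")
    for table in report.missing_tables:
        out.append(f"expected 'config {table}' was never entered")
    if report.license_over_http:
        out.append(f"license fetched over cleartext HTTP: {report.license_url}")
    if report.factory_cert_in_use:
        out.append("access proxy uses a factory certificate: "
                   + ", ".join(sorted(report.ssl_certificates & FACTORY_CERTS)))
    if report.ems_verify_command:
        out.append(f"EMS entry inactive until you run: {report.ems_verify_command}")
    return out


if __name__ == "__main__":
    for finding in findings(check_bootstrap(SAMPLE_LOG)):
        print("-", finding)
```

Paste the real transcript in place of SAMPLE_LOG (or read it from a file) and treat any non-empty findings list as a blocker; the "rejected command" finding for gui-endpoint-control is cosmetic here, but the same check would catch a failed proxy-policy or fctems command that silently leaves the gateway either unreachable or without EMS.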
