EMS Administration Guide

Configuring encrypted ZTNA rules

FortiClient supports encrypted and unencrypted modes for Zero Trust Network Access (ZTNA) via a toggle switch. You can add ZTNA rules manually in the FortiClient GUI or receive them from EMS. This feature has the following prerequisites:

  • A Security Fabric connector between FortiOS and EMS must be configured.
  • FortiOS ZTNA-related settings must be configured properly. See ZTNA TCP forwarding access proxy example.
  • FortiClient must be registered to EMS.
  • You must add ZTNA rules in EMS or FortiClient.

The following shows the topology for the example configuration. In this topology, RDP access is configured to one server, and SSH access to another.

To configure ZTNA rules in EMS:
  1. In EMS, go to Endpoint Profiles > Manage Profiles.
  2. Edit the desired profile.
  3. On the XML Configuration tab, add the following configuration:

    <ztna>
      <enabled>1</enabled>
      <rules>
        <rule>
          <name>RDP Forwarding</name>
          <destination>172.17.60.19:3389</destination>
          <gateway>192.168.139.102:8445</gateway>
          <encryption>1</encryption>
          <mode>transparent</mode>
        </rule>
        <rule>
          <name>SSH Forwarding</name>
          <destination>172.17.81.177:22</destination>
          <gateway>192.168.139.102:8445</gateway>
          <encryption>1</encryption>
          <mode>transparent</mode>
        </rule>
      </rules>
    </ztna>

  4. Save the configuration.
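As an added example (not part of this guide and not FortiClient or EMS code), the following Python script audits a <ztna> fragment like the one above and flags any rule whose encryption toggle is off, or whose destination or gateway is not an IP:port pair. It assumes the fragment is parsed on its own (the real EMS profile embeds it in a larger XML document); the two rules match the guide, and the third rule in the sample is constructed so the audit has something to report.

```python
"""Audit FortiClient ZTNA rules in an EMS XML profile fragment (added example)."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the two rules from the guide plus a deliberately
# misconfigured third rule (encryption off, gateway without a port).
SAMPLE_PROFILE = """
<ztna>
  <enabled>1</enabled>
  <rules>
    <rule>
      <name>RDP Forwarding</name>
      <destination>172.17.60.19:3389</destination>
      <gateway>192.168.139.102:8445</gateway>
      <encryption>1</encryption>
      <mode>transparent</mode>
    </rule>
    <rule>
      <name>SSH Forwarding</name>
      <destination>172.17.81.177:22</destination>
      <gateway>192.168.139.102:8445</gateway>
      <encryption>1</encryption>
      <mode>transparent</mode>
    </rule>
    <rule>
      <name>Legacy Telnet (constructed)</name>
      <destination>172.17.81.200:23</destination>
      <gateway>192.168.139.102</gateway>
      <encryption>0</encryption>
      <mode>transparent</mode>
    </rule>
  </rules>
</ztna>
"""


def host_port(value):
    """Return (host, port) for an 'a.b.c.d:port' string, or None if malformed."""
    host, sep, port = value.rpartition(":")
    if not sep or not port.isdigit() or not 1 <= int(port) <= 65535:
        return None
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return None
    return host, int(port)


def _text(element, tag):
    """Stripped text of the child <tag>, or '' when the child is absent."""
    node = element.find(tag)
    return (node.text or "").strip() if node is not None else ""


def audit_ztna_rules(xml_text):
    """Return a list of (rule_name, problem) tuples; an empty list means all rules pass."""
    root = ET.fromstring(xml_text.strip())
    findings = []
    if _text(root, "enabled") != "1":
        findings.append(("<ztna>", "ZTNA is not enabled (<enabled> is not 1)"))
    for rule in root.iterfind("./rules/rule"):
        name = _text(rule, "name") or "<unnamed rule>"
        if host_port(_text(rule, "destination")) is None:
            findings.append((name, "destination is not an IP:port pair"))
        if host_port(_text(rule, "gateway")) is None:
            findings.append((name, "gateway is not an IP:port pair"))
        if _text(rule, "encryption") != "1":
            findings.append((name, "encryption is not enabled (<encryption> is not 1)"))
    return findings


if __name__ == "__main__":
    for rule_name, problem in audit_ztna_rules(SAMPLE_PROFILE) or [("all rules", "OK")]:
        print(f"{rule_name}: {problem}")
```

Run the script against an exported profile fragment before pushing it to a large endpoint group; a rule that silently carries <encryption>0</encryption> is easy to miss in a long XML document.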

To configure ZTNA rules in FortiClient:
  1. In FortiClient, go to the ZTNA Connection Rules tab.
  2. Create the RDP forwarding rule:
    1. Click Add Rule.
    2. In the Rule Name field, enter RDP Encryption Enabled.
    3. In the Destination Host field, enter 172.17.60.19:3389.
    4. In the Proxy Gateway field, enter 192.168.139.102:8445.
    5. For Mode, select Transparent.
    6. Select the Encryption checkbox.
    7. Click Create.
  3. Create the SSH forwarding rule:
    1. Click Add Rule.
    2. In the Rule Name field, enter SSH Encryption Enabled.
    3. In the Destination Host field, enter 172.17.81.177:22.
    4. In the Proxy Gateway field, enter 192.168.139.102:8445.
    5. For Mode, select Transparent.
    6. Select the Encryption checkbox.
    7. Click Create.

To verify the configuration:
  1. Start an SSH connection to 172.17.81.177 via ZTNA.
  2. Run debug commands in FortiOS:

    diagnose wad debug enable category all
    diagnose wad debug enable level verbose
    diagnose debug enable

  3. Check the debug logs to verify whether encryption is enabled. When encryption is enabled, the debug logs contain the line GET tcpaddress=172.17.81.177&port=22&tls=1 HTTP1.1. When encryption is disabled, the debug logs contain the line GET tcpaddress=172.17.81.177&port=22&tls=0 HTTP1.1.
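As an added example (not from the guide), the following Python script scans captured FortiOS wad debug output for the request line quoted in step 3 and reports every ZTNA session that was negotiated with tls=0. The sample lines are constructed: only the GET tcpaddress=...&port=...&tls=... HTTP1.1 portion follows the format the guide shows, and the line prefixes are placeholders rather than real wad output.

```python
"""Check captured wad debug output for unencrypted ZTNA sessions (added example)."""
import re
from urllib.parse import parse_qs

# The request line the guide says appears in the wad debug output, e.g.
# "GET tcpaddress=172.17.81.177&port=22&tls=1 HTTP1.1".
REQUEST_LINE = re.compile(r"GET\s+(?P<query>tcpaddress=\S+)\s+HTTP")

# Constructed sample: two encrypted sessions, an unrelated line, and one
# session that fell back to tls=0. The "[constructed]" prefixes are placeholders.
SAMPLE_DEBUG = """\
[constructed] wad_ztna_req GET tcpaddress=172.17.81.177&port=22&tls=1 HTTP1.1
[constructed] wad_ztna_req GET tcpaddress=172.17.60.19&port=3389&tls=1 HTTP1.1
[constructed] some unrelated debug line
[constructed] wad_ztna_req GET tcpaddress=172.17.81.177&port=22&tls=0 HTTP1.1
"""


def parse_ztna_requests(debug_output):
    """Return one dict per ZTNA request line: address, port, and whether tls=1."""
    sessions = []
    for line in debug_output.splitlines():
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        query = parse_qs(match.group("query"))
        sessions.append({
            "address": query.get("tcpaddress", [""])[0],
            "port": int(query.get("port", ["0"])[0]),
            # A missing tls parameter is treated as unencrypted, not assumed safe.
            "tls": query.get("tls", ["0"])[0] == "1",
        })
    return sessions


def unencrypted_sessions(debug_output):
    """Return (address, port) for every request that did not negotiate tls=1."""
    return [(s["address"], s["port"])
            for s in parse_ztna_requests(debug_output) if not s["tls"]]


def all_encrypted(debug_output):
    """True when at least one request was seen and every request had tls=1."""
    sessions = parse_ztna_requests(debug_output)
    return bool(sessions) and all(s["tls"] for s in sessions)


if __name__ == "__main__":
    for address, port in unencrypted_sessions(SAMPLE_DEBUG):
        print(f"unencrypted ZTNA session to {address}:{port}")
    print("all sessions encrypted:", all_encrypted(SAMPLE_DEBUG))
```

Paste the console output captured after running the diagnose commands into the script's input; if it reports any tls=0 session, re-check the Encryption toggle on the matching rule in EMS or FortiClient.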