Fortinet black logo

EMS Administration Guide

FortiGate ZTNA service portal support

FortiGate ZTNA service portal support

In FortiOS 7.2.1, the ZTNA service portal was added to allow the FortiGate to publish ZTNA services directly to FortiClients. This allows the FortiClient to retrieve the list of ZTNA services directly through the service portal without them being pushed from the FortiClient EMS.

The following demonstrates how EMS can provision a ZTNA service portal gateway list to FortiClient, which consists of the address to the FortiGate access portal(s). Once the FortiClient connects to the service portal gateway, it can retrieve the ZTNA service list containing a list of applications being published by the FortiGate.

To configure the ZTNA service portal in FortiOS:
config firewall vip
    edit "ztna_proxy"
        set type access-proxy
        set extip 192.168.3.101
        set extintf "port2"
        set server-type https
        set extport 4443
        set ssl-certificate "Fortinet_SSL"
    next
end
config firewall access-proxy
    edit "Ztna_SaaS"
        set vip "ztna_proxy"
        set log-blocked-traffic enable
        config api-gateway
            edit 1
                set url-map "/tcp"
                set service tcp-forwarding
                config realservers
                    edit 1
                        set address "smb_rdp_servers_range"
                        set mappedport 445 3389-3390
                    next
                    edit 2
                        set address "ssh server"
                        set mappedport 22
                    next
                end
            next
            edit 2
                set url-map "saas"
                set service saas
                set application "dropbox" "zoom" "Google"
            next
        end
    next
end
config firewall proxy-policy
    edit 2
        set uuid b680d4a6-4fdc-51ed-8fd7-c6f19c3b39c5
        set name "deny"
        set proxy access-proxy
        set access-proxy "Ztna_SaaS"
        set srcintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set ztna-ems-tag "EMS1_ZTNA_subnet1"
        set schedule "always"
        set logtraffic disable
    next
    edit 1
        set uuid 7aa5d142-45b0-51ed-1c02-b2c78813cd31
        set name "ZTNA_Rule_SaaS"
        set proxy access-proxy
        set access-proxy "Ztna_SaaS"
        set srcintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set ztna-ems-tag "EMS1_ZTNA_subnet2"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end

The FortiGate ZTNA access portal is reachable on 192.168.3.101:4443, and it publishes a set of TCP forwarding services to SMB, RDP and SSH servers as well as SaaS applications in the Cloud. The ZTNA policies block endpoints with ZTNA tag belonging to subnet1, while allow endpoints with ZTNA tag belonging to subnet2 to access the services and applications.

To configure EMS to push the ZTNA access portal gateway to managed endpoints:
  1. In EMS, go to Endpoint Profiles > ZTNA Destinations.
  2. Select an existing profile and click Edit or add a new profile.
  3. Switch the view from Basic to XML. Click Edit to edit the XML content.
  4. Configure the ZTNA access portal gateway settings as follows. This example adds a second portal for demonstration purposes.

    <?xml version="1.0" ?> <forticlient_configuration> <ztna> <enabled>1</enabled> <allow_personal_rules>1</allow_personal_rules> <rules/> <portals> <portal> <addr>192.168.3.101:4443</addr> <query_interval_m>3</query_interval_m> </portal> <portal> <addr>172.17.80.3:8443</addr> <query_interval_m>3</query_interval_m> </portal> </portals> </ztna> <endpoint_control> <ui> <display_ztna>0</display_ztna> </ui> </endpoint_control> </forticlient_configuration>

  5. Save the profile. EMS automatically pushes the service portal addresses to managed FortiClient endpoints.
To verify FortiClient received the service portal and retrieved a list of ZTNA services:
  1. On the PC, open FortiClient. On the ZTNA Destination tab, confirm that there is no destination added for the service portal or ZTNA services and applications.
  2. Open the computer’s registry, and go to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FortiClient\FA_ZTNA. The ZTNA access portal addresses are added as portal1 and portal2. When multiple portals are configured, FortiClient selects the portal with lower latency to learn the ZTNA services.

  3. Using FortiClient’s Fortitcs logs, further verify that FortiClient retrieved the list of ZTNA services from the FortiGate service portal. This set of ZTNA rules are stored in memory and refreshes each time FortiClient queries the service portal:

    "vips": [ { "gateways": [ { "path": "/tcp", "path-pattern": "sub-string", "servers": [ { "address": { "type": "ip-range", "value": [ { "end": "172.16.1.10", "start": "172.16.1.1" } ] }, "mappedport": [ { "end": "445", "start": "445" }, { "end": "3390", "start": "3389" } ] }, { "address": { "type": "ip", "value": [ { "ip": "172.16.1.3", "mask": "255.255.255.255" } ] }, "mappedport": [ { "end": "22", "start": "22" } ] } ], "type": "tcp-fwd", "virtual-host": "" }, { "applications": [ { "app": "dropbox" }, { "app": "zoom" }, { "grp": "Google" } ], "path": "saas", "path-pattern": "sub-string", "type": "saas", "virtual-host": "" } ], "vip": "192.168.3.101:4443" } ] }

    Users can now access the ZTNA destination services and applications.

FortiGate ZTNA service portal support

In FortiOS 7.2.1, the ZTNA service portal was added to allow the FortiGate to publish ZTNA services directly to FortiClients. This allows the FortiClient to retrieve the list of ZTNA services directly through the service portal without them being pushed from the FortiClient EMS.

The following demonstrates how EMS can provision a ZTNA service portal gateway list to FortiClient, which consists of the address to the FortiGate access portal(s). Once the FortiClient connects to the service portal gateway, it can retrieve the ZTNA service list containing a list of applications being published by the FortiGate.

To configure the ZTNA service portal in FortiOS:
config firewall vip
    edit "ztna_proxy"
        set type access-proxy
        set extip 192.168.3.101
        set extintf "port2"
        set server-type https
        set extport 4443
        set ssl-certificate "Fortinet_SSL"
    next
end
config firewall access-proxy
    edit "Ztna_SaaS"
        set vip "ztna_proxy"
        set log-blocked-traffic enable
        config api-gateway
            edit 1
                set url-map "/tcp"
                set service tcp-forwarding
                config realservers
                    edit 1
                        set address "smb_rdp_servers_range"
                        set mappedport 445 3389-3390
                    next
                    edit 2
                        set address "ssh server"
                        set mappedport 22
                    next
                end
            next
            edit 2
                set url-map "saas"
                set service saas
                set application "dropbox" "zoom" "Google"
            next
        end
    next
end
config firewall proxy-policy
    edit 2
        set uuid b680d4a6-4fdc-51ed-8fd7-c6f19c3b39c5
        set name "deny"
        set proxy access-proxy
        set access-proxy "Ztna_SaaS"
        set srcintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set ztna-ems-tag "EMS1_ZTNA_subnet1"
        set schedule "always"
        set logtraffic disable
    next
    edit 1
        set uuid 7aa5d142-45b0-51ed-1c02-b2c78813cd31
        set name "ZTNA_Rule_SaaS"
        set proxy access-proxy
        set access-proxy "Ztna_SaaS"
        set srcintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set ztna-ems-tag "EMS1_ZTNA_subnet2"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end

The FortiGate ZTNA access portal is reachable on 192.168.3.101:4443, and it publishes a set of TCP forwarding services to SMB, RDP and SSH servers as well as SaaS applications in the Cloud. The ZTNA policies block endpoints with ZTNA tag belonging to subnet1, while allow endpoints with ZTNA tag belonging to subnet2 to access the services and applications.

To configure EMS to push the ZTNA access portal gateway to managed endpoints:
  1. In EMS, go to Endpoint Profiles > ZTNA Destinations.
  2. Select an existing profile and click Edit or add a new profile.
  3. Switch the view from Basic to XML. Click Edit to edit the XML content.
  4. Configure the ZTNA access portal gateway settings as follows. This example adds a second portal for demonstration purposes.

    <?xml version="1.0" ?> <forticlient_configuration> <ztna> <enabled>1</enabled> <allow_personal_rules>1</allow_personal_rules> <rules/> <portals> <portal> <addr>192.168.3.101:4443</addr> <query_interval_m>3</query_interval_m> </portal> <portal> <addr>172.17.80.3:8443</addr> <query_interval_m>3</query_interval_m> </portal> </portals> </ztna> <endpoint_control> <ui> <display_ztna>0</display_ztna> </ui> </endpoint_control> </forticlient_configuration>

  5. Save the profile. EMS automatically pushes the service portal addresses to managed FortiClient endpoints.
To verify FortiClient received the service portal and retrieved a list of ZTNA services:
  1. On the PC, open FortiClient. On the ZTNA Destination tab, confirm that there is no destination added for the service portal or ZTNA services and applications.
  2. Open the computer’s registry, and go to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FortiClient\FA_ZTNA. The ZTNA access portal addresses are added as portal1 and portal2. When multiple portals are configured, FortiClient selects the portal with lower latency to learn the ZTNA services.

  3. Using FortiClient’s Fortitcs logs, further verify that FortiClient retrieved the list of ZTNA services from the FortiGate service portal. This set of ZTNA rules are stored in memory and refreshes each time FortiClient queries the service portal:

    "vips": [ { "gateways": [ { "path": "/tcp", "path-pattern": "sub-string", "servers": [ { "address": { "type": "ip-range", "value": [ { "end": "172.16.1.10", "start": "172.16.1.1" } ] }, "mappedport": [ { "end": "445", "start": "445" }, { "end": "3390", "start": "3389" } ] }, { "address": { "type": "ip", "value": [ { "ip": "172.16.1.3", "mask": "255.255.255.255" } ] }, "mappedport": [ { "end": "22", "start": "22" } ] } ], "type": "tcp-fwd", "virtual-host": "" }, { "applications": [ { "app": "dropbox" }, { "app": "zoom" }, { "grp": "Google" } ], "path": "saas", "path-pattern": "sub-string", "type": "saas", "virtual-host": "" } ], "vip": "192.168.3.101:4443" } ] }

    Users can now access the ZTNA destination services and applications.