
EMS Administration Guide

Inline CASB solution for SaaS applications

When protecting SaaS applications, one difficulty is to dynamically identify the addresses and locations of various SaaS services. With the FortiGuard Inline CASB Database (ICDB) introduced in FortiOS 7.2.1, both FortiGate and FortiClient can access this database to determine popular SaaS application addresses.

In this example, FortiGate publishes the SaaS applications Dropbox, Zoom and the Microsoft application group to its ZTNA service portal. EMS pushes the address of the FortiGate service portal to FortiClient. FortiClient then learns the SaaS applications that are published and builds local ZTNA rules for the SaaS application addresses in memory. When an end user tries to access Dropbox while FortiClient is registered to EMS, the traffic is forwarded to the FortiGate ZTNA application gateway where a ZTNA policy allows the access. When an end user is not registered or does not have the proper ZTNA tag required by FortiGate’s ZTNA policy, the traffic is blocked.

To configure the ZTNA service portal in FortiOS (the access proxy publishes the ICDB application groups dropbox, zoom and MS, and the proxy policy only accepts endpoints that carry the EMS tag ZTNA SAAS, seen on the FortiGate as EMS1_ZTNA_ZTNA SAAS):

    config firewall vip
        edit "ztna_proxy"
            set type access-proxy
            set extip 172.17.80.245
            set extintf "port1"
            set server-type https
            set extport 4443
            set ssl-certificate "Fortinet_SSL"
        next
    end
    config firewall access-proxy
        edit "Ztna_SaaS"
            set vip "ztna_proxy"
            set auth-portal enable
            set log-blocked-traffic enable
            config api-gateway
                edit 1
                    set url-map "saas"
                    set service saas
                    set application "dropbox" "zoom" "MS"
                next
            end
        next
    end
    config firewall proxy-policy
        edit 3
            set name "ZTNA Saas"
            set proxy access-proxy
            set access-proxy "Ztna_SaaS"
            set srcintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set ztna-ems-tag "EMS1_ZTNA_ZTNA SAAS"
            set action accept
            set schedule "always"
        next
    end
To configure EMS to push ZTNA access portal gateway settings to managed endpoints:
  1. In EMS, go to Endpoint Profiles > ZTNA Destinations.
  2. Select an existing profile and click Edit or add a new profile.
  3. Switch the view from Basic to XML. Click Edit to edit the XML content.
  4. Configure the ZTNA access portal gateway settings as follows. The example shows a single <portal> entry; further gateways are added as additional <portal> elements under <portals>.

    <?xml version="1.0" ?>
    <forticlient_configuration>
      <ztna>
        <enabled>1</enabled>
        <allow_personal_rules>1</allow_personal_rules>
        <rules/>
        <portals>
          <portal>
            <addr>172.17.80.245:4443</addr>
            <query_interval_m>5</query_interval_m>
          </portal>
        </portals>
      </ztna>
      <endpoint_control>
        <ui>
          <display_ztna>0</display_ztna>
        </ui>
      </endpoint_control>
    </forticlient_configuration>

  5. Save the profile. EMS automatically pushes the service portal addresses to managed FortiClient endpoints.
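A profile that is saved with ZTNA disabled or with a portal address that is not in host:port form leaves endpoints without any published services, and nothing in EMS warns about it. The following Python linter is an added example, not Fortinet code: it parses the profile XML shown above and checks the <enabled> flag and every <portal><addr>. The second portal, ztna-gw.example.com, is hypothetical and deliberately lacks a port so the check fires; accepting a DNS name in <addr> (the page only shows an IPv4 literal) is an assumption.

```python
"""Lint a FortiClient ZTNA profile XML before pushing it from EMS.

Added example, not Fortinet code. PROFILE_XML is the profile from the page
with a second, hypothetical portal appended to show multi-portal handling.
"""
import re
import xml.etree.ElementTree as ET

PROFILE_XML = """<?xml version="1.0" ?>
<forticlient_configuration>
  <ztna>
    <enabled>1</enabled>
    <allow_personal_rules>1</allow_personal_rules>
    <rules/>
    <portals>
      <portal>
        <addr>172.17.80.245:4443</addr>
        <query_interval_m>5</query_interval_m>
      </portal>
      <portal>
        <addr>ztna-gw.example.com</addr>
        <query_interval_m>5</query_interval_m>
      </portal>
    </portals>
  </ztna>
  <endpoint_control><ui><display_ztna>0</display_ztna></ui></endpoint_control>
</forticlient_configuration>
"""

# host:port, where host is an IPv4 literal or a DNS name. Assumption: FortiClient
# accepts either host form; the page only shows the IPv4 form.
_ADDR = re.compile(r"^(?P<host>[A-Za-z0-9.-]+):(?P<port>\d{1,5})$")


def lint_profile(xml_text):
    """Return a list of (severity, message) findings; an empty list means clean."""
    findings = []
    root = ET.fromstring(xml_text)
    ztna = root.find("ztna")
    if ztna is None:
        return [("error", "no <ztna> element in profile")]
    if ztna.findtext("enabled") != "1":
        findings.append(("error", "ZTNA is not enabled (<enabled> must be 1)"))
    portals = ztna.findall("portals/portal")
    if not portals:
        findings.append(("error", "no <portal> entries; FortiClient will learn no ZTNA services"))
    seen = set()
    for i, portal in enumerate(portals):
        addr = (portal.findtext("addr") or "").strip()
        m = _ADDR.match(addr)
        if not m or not 1 <= int(m.group("port")) <= 65535:
            findings.append(("error", f"portal {i}: <addr> {addr!r} is not host:port with a valid port"))
        elif addr in seen:
            findings.append(("warn", f"portal {i}: duplicate <addr> {addr!r}"))
        seen.add(addr)
    return findings


if __name__ == "__main__":
    for severity, message in lint_profile(PROFILE_XML) or [("ok", "profile is clean")]:
        print(f"{severity}: {message}")
```

Run it against the XML you are about to paste into the EMS editor; the only finding for the sample above is the port-less second portal, and the profile is reported clean once that address carries a port.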
To verify a registered FortiClient endpoint can access Dropbox:
  1. On a remote PC that has FortiClient installed, ensure that it is registered to FortiClient EMS. Also ensure that it has the ZTNA tag needed for access, in this case the ZTNA SaaS tag (referenced in the FortiGate proxy policy as EMS1_ZTNA_ZTNA SAAS).
  2. Use the steps in To verify FortiClient received the service portal and retrieved a list of ZTNA services (elsewhere in this guide) to confirm that the service portal address was added to the registry and that FortiClient learned the SaaS application services from the FortiGate.
  3. In a browser, go to dropbox.com. Access is granted.
  4. From the FortiClient ZTNA log (/Application Support/Fortinet/FortiClient/Logs/ztna.log), note the connections to the FortiGate application gateway address of 172.17.80.245:4443.

  5. From the FortiGate, view the access logs from Log & Report > ZTNA Traffic.

  6. Alternatively, use the following commands to display ZTNA logs:

    Fortigate# exec log filter category 0
    Fortigate# exec log filter field subtype ztna
    Fortigate# exec log display
    1: date=2022-12-02 time=11:53:21 eventtime=1670010801641703801 tz="-0800" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=172.17.80.70 srcport=50677 srcintf="port1" srcintfrole="lan" dstcountry="Canada" srccountry="Reserved" dstip=23.11.240.246 dstport=443 dstintf="port1" dstintfrole="lan" sessionid=210454 service="HTTPS" proto=6 action="accept" policyid=3 policytype="proxy-policy" poluuid="5c072b96-70da-51ed-d2d9-2c1aaf2417bc" policyname="ZTNA Saas" duration=125 gatewayid=1 vip="ztna_proxy" accessproxy="Ztna_SaaS" clientdeviceid="4553FF07359B5B6AADD4DD75421E9C5A" saasname="dropbox" clientdevicetags="on-line/MAC_EMS1_CLASS_Low/EMS1_CLASS_Low/MAC_EMS1_ZTNA_all_registered_clients/EMS1_ZTNA_all_registered_clients" wanin=425 rcvdbyte=425 wanout=1209 lanin=3980 sentbyte=3980 lanout=2607 fctuid="4553FF07359B5B6AADD4DD75421E9C5A" appcat="unscanned"

To verify an unregistered FortiClient endpoint cannot access Dropbox:
  1. On the same PC, open FortiClient. On the Zero Trust Telemetry tab, disconnect from EMS.
  2. In a new browser window, go to dropbox.com. The browser cannot load the page.
  3. From the FortiClient ZTNA log (/Application Support/Fortinet/FortiClient/Logs/ztna.log), notice that the connection fails when FortiClient tries to connect to the FortiGate application gateway. FortiGate closes the connection because the traffic no longer matches any ZTNA policy: the endpoint's telemetry is offline, so it no longer carries the EMS tag that proxy policy 3 requires.

  4. From the FortiGate, view the access logs from Log & Report > ZTNA Traffic.

  5. Alternatively, use the following commands to display ZTNA logs:

    Fortigate# exec log filter category 0
    Fortigate# exec log filter field subtype ztna
    Fortigate# exec log display
    1: date=2022-12-02 time=12:11:04 eventtime=1670011864162361201 tz="-0800" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=172.17.80.70 srcport=51283 srcintf="port1" srcintfrole="lan" dstcountry="Reserved" srccountry="Reserved" dstip=172.17.80.245 dstport=4443 dstintf="root" dstintfrole="undefined" sessionid=4119 service="tcp/4443" proto=6 action="deny" policyid=0 policytype="proxy-policy" duration=0 vip="ztna_proxy" accessproxy="Ztna_SaaS" clientdeviceid="4553FF07359B5B6AADD4DD75421E9C5A" saasname="dropbox" clientdevicetags="offline/MAC_EMS1_CLASS_Low/EMS1_CLASS_Low" msg="Denied: failed to match a proxy-policy" wanin=0 rcvdbyte=0 wanout=0 lanin=2761 sentbyte=2761 lanout=2050 fctuid="4553FF07359B5B6AADD4DD75421E9C5A" appcat="unscanned" crscore=30 craction=131072 crlevel="high"
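Both verification procedures above end at the same place: reading FortiGate ZTNA traffic records and checking action, saasname, clientdevicetags and msg by eye. The following Python script is an added example, not part of the Fortinet guide or of FortiOS: it parses the key=value record format (quoted values may contain spaces and slashes, bare values may not), then lists the denied ZTNA sessions with the endpoint's telemetry state and the FortiGate's stated reason, and counts accepts and denies per FortiClient device id. The two sample records are the accept and deny entries shown above, copied verbatim; the summary functions are this example's own, not a FortiGate feature.

```python
"""Parse FortiGate ZTNA traffic log records and summarise per-endpoint access.

Added example, not Fortinet code. SAMPLE_LOGS holds the two records shown on
the page (one accept while registered, one deny after telemetry went offline),
including the sequence prefix that `exec log display` prints.
"""
import re

SAMPLE_LOGS = [
    '1: date=2022-12-02 time=11:53:21 eventtime=1670010801641703801 tz="-0800" '
    'logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" '
    'srcip=172.17.80.70 srcport=50677 srcintf="port1" srcintfrole="lan" '
    'dstcountry="Canada" srccountry="Reserved" dstip=23.11.240.246 dstport=443 '
    'dstintf="port1" dstintfrole="lan" sessionid=210454 service="HTTPS" proto=6 '
    'action="accept" policyid=3 policytype="proxy-policy" '
    'poluuid="5c072b96-70da-51ed-d2d9-2c1aaf2417bc" policyname="ZTNA Saas" '
    'duration=125 gatewayid=1 vip="ztna_proxy" accessproxy="Ztna_SaaS" '
    'clientdeviceid="4553FF07359B5B6AADD4DD75421E9C5A" saasname="dropbox" '
    'clientdevicetags="on-line/MAC_EMS1_CLASS_Low/EMS1_CLASS_Low/'
    'MAC_EMS1_ZTNA_all_registered_clients/EMS1_ZTNA_all_registered_clients" '
    'wanin=425 rcvdbyte=425 wanout=1209 lanin=3980 sentbyte=3980 lanout=2607 '
    'fctuid="4553FF07359B5B6AADD4DD75421E9C5A" appcat="unscanned"',
    '1: date=2022-12-02 time=12:11:04 eventtime=1670011864162361201 tz="-0800" '
    'logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" '
    'srcip=172.17.80.70 srcport=51283 srcintf="port1" srcintfrole="lan" '
    'dstcountry="Reserved" srccountry="Reserved" dstip=172.17.80.245 dstport=4443 '
    'dstintf="root" dstintfrole="undefined" sessionid=4119 service="tcp/4443" '
    'proto=6 action="deny" policyid=0 policytype="proxy-policy" duration=0 '
    'vip="ztna_proxy" accessproxy="Ztna_SaaS" '
    'clientdeviceid="4553FF07359B5B6AADD4DD75421E9C5A" saasname="dropbox" '
    'clientdevicetags="offline/MAC_EMS1_CLASS_Low/EMS1_CLASS_Low" '
    'msg="Denied: failed to match a proxy-policy" wanin=0 rcvdbyte=0 wanout=0 '
    'lanin=2761 sentbyte=2761 lanout=2050 '
    'fctuid="4553FF07359B5B6AADD4DD75421E9C5A" appcat="unscanned" '
    'crscore=30 craction=131072 crlevel="high"',
]

# key=value pairs: the value is either "double quoted" (may contain spaces and
# slashes) or a bare token with no whitespace. A leading "1:" sequence prefix
# has no "=" and is simply skipped.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Return one log record as a dict of string fields."""
    rec = {}
    for m in _KV.finditer(line):
        key, quoted, bare = m.groups()
        rec[key] = quoted if quoted is not None else bare
    return rec


def telemetry_state(rec):
    """First element of clientdevicetags: 'on-line' or 'offline' in the samples."""
    tags = rec.get("clientdevicetags", "")
    return tags.split("/", 1)[0] if tags else "unknown"


def ztna_denials(records):
    """ZTNA traffic records the FortiGate denied, with endpoint state and reason."""
    return [
        {
            "device": r.get("clientdeviceid"),
            "saas": r.get("saasname"),
            "state": telemetry_state(r),
            "dst": f'{r.get("dstip")}:{r.get("dstport")}',
            "reason": r.get("msg", ""),
        }
        for r in records
        if r.get("subtype") == "ztna" and r.get("action") == "deny"
    ]


def per_device_summary(records):
    """Count accept/deny per FortiClient device id and collect the SaaS names seen."""
    summary = {}
    for r in records:
        entry = summary.setdefault(
            r.get("clientdeviceid", "unknown"), {"accept": 0, "deny": 0, "saas": set()}
        )
        if r.get("action") in ("accept", "deny"):
            entry[r["action"]] += 1
        if r.get("saasname"):
            entry["saas"].add(r["saasname"])
    return summary


if __name__ == "__main__":
    recs = [parse_record(line) for line in SAMPLE_LOGS]
    for d in ztna_denials(recs):
        print(f'DENY {d["device"]} -> {d["saas"]} via {d["dst"]} ({d["state"]}): {d["reason"]}')
    for device, entry in per_device_summary(recs).items():
        print(f'{device}: accept={entry["accept"]} deny={entry["deny"]} saas={sorted(entry["saas"])}')
```

Feed it the output of exec log display (or the same records exported to a SIEM) instead of SAMPLE_LOGS to spot endpoints that are repeatedly denied at the gateway: a deny whose state is offline is the expected result of telemetry being disconnected, as in the test above, while a deny from an on-line endpoint points at a tag or policy mismatch on the FortiGate.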

