ZTNA IP MAC filtering example
In this example, firewall policies in ZTNA IP/MAC filtering mode are configured that use ZTNA tags to control access between on-net devices and an internal web server. This mode does not require the use of the access proxy, and only uses ZTNA tags for access control. Traffic is passed when the FortiClient endpoint is tagged as Low risk only. Traffic is denied when the FortiClient endpoint is tagged with Malicious-File-Detected.
This example assumes that the FortiGate EMS fabric connector is already successfully connected.
To configure ZTNA in the GUI, go to System > Feature Visibility and enable Zero Trust Network Access. |
To configure a Zero Trust tagging rule on the FortiClient EMS:
-
Log in to the FortiClient EMS.
-
Go to Zero Trust Tags > Zero Trust Tagging Rules, and click Add.
-
In the Name field, enter Malicious-File-Detected.
-
In the Tag Endpoint As dropdown list, select Malicious-File-Detected.
EMS uses this tag to dynamically group together endpoints that satisfy the rule, as well as any other rules that are configured to use this tag.
-
Click Add Rule then configure the rule:
-
For OS, select Windows.
-
From the Rule Type dropdown list, select File and click the + button.
-
Enter a file name, such as C:\virus.txt.
-
Click Save.
-
-
Click Save.
To configure a firewall policy in ZTNA IP/MAC filtering mode to block access in the GUI:
-
Go to Policy & Objects > Firewall Policy and click Create New.
-
Set Name to block-internal-malicious-access.
-
Enable ZTNA and select IP/MAC filtering.
-
Set ZTNA Tag to Malicious-File-Detected.
-
Set Incoming Interface to default.35.
-
Set Outgoing Interface to port3.
-
Set Source and Destination to all.
-
Set Service to ALL.
-
Set Action to DENY.
-
Enable Log Violation Traffic.
-
Configuring the remaining settings as needed.
-
Click OK.
To configure a firewall policy in ZTNA IP/MAC filtering mode to allow access in the GUI:
-
Go to Policy & Objects > Firewall Policy and click Create New.
-
Set Name to allow-internal-access.
-
Enable ZTNA and select IP/MAC filtering.
-
Set ZTNA Tag to Low.
-
Set Incoming Interface to default.35.
-
Set Outgoing Interface to port3.
-
Set Source and Destination to all.
-
Set Service to ALL.
-
Set Action to ACCEPT.
-
Enable Log Violation Traffic and set it to All Sessions.
-
Configuring the remaining settings as needed.
-
Click OK.
To configure a firewall policies in ZTNA IP/MAC filtering mode to block and allow access in the CLI:
config firewall policy edit 29 set name "block-internal-malicious-access" set srcintf "default.35" set dstintf "port3" set srcaddr "all" set dstaddr "all" set ztna-status enable set ztna-ems-tag "FCTEMS0000109188_Malicious-File-Detected" set schedule "always" set service "ALL" set logtraffic all next edit 30 set name "allow-internal-access" set srcintf "default.35" set dstintf "port3" set srcaddr "all" set dstaddr "all" set ztna-status enable set ztna-ems-tag "FCTEMS0000109188_Low" set action accept set schedule "always" set service "ALL" set inspection-mode proxy set logtraffic all set nat enable next end
Testing the access to the web server from the on-net client endpoint
Access allowed:
-
On the remote Windows PC, open FortiClient.
-
On the Zero Trust Telemetry tab, make sure that you are connected to the EMS server.
-
Open a browser and enter the address of the server.
-
The FortiGate matches your security posture by verifying your ZTNA tag and matching the corresponding
allow-internal-access
firewall policy, and you are allowed access to the web server.
Access denied:
-
On the remote Windows PC, trigger the Zero Trust Tagging Rule by creating the file in C:\virus.txt.
-
Open a browser and enter the address of the server.
-
FortiGate checks your security posture. Because EMS has tagged the PC with the Malicious-File-Detected tag, it matches the block-internal-malicious-access firewall policy.
-
You are denied access to the web server.
Logs and debugs
Access allowed:
# diagnose endpoint record list Record #1: IP Address = 192.168.40.8 MAC Address = 24:b6:fd:fa:54:c1 MAC list = 24:b6:fd:fa:54:c1;54:15:cd:3f:f8:30;9c:b7:0d:2d:5c:d1; VDOM = root (0) EMS serial number: FCTEMS0000109188 Client cert SN: 563DA313367608678A3633E93C574F6F8BCB4A95 Public IP address: 192.157.105.35 Quarantined: no Online status: online Registration status: registered On-net status: on-net Gateway Interface: default.35 FortiClient version: 7.0.0 AVDB version: 0.0 FortiClient app signature version: 0.0 FortiClient vulnerability scan engine version: 2.30 FortiClient UID: F4F3263AEBE54777A6509A8FCCDF9284 …. Number of Routes: (1) Gateway Route #0: - IP:192.168.40.8, MAC: 24:b6:fd:fa:54:c1, Indirect: no - Interface:default.35, VFID:0, SN: FGVM04TM21000144 online records: 1; offline records: 0; quarantined records: 0
# diagnose endpoint wad-comm find-by ip-vdom 192.168.40.8 root UID: F4F3263AEBE54777A6509A8FCCDF9284 status code:ok Domain: User: keithli Cert SN:563DA313367608678A3633E93C574F6F8BCB4A95 EMS SN: FCTEMS0000109188 Routes(1): - route[0]: IP=192.168.40.8, VDom=root Tags(2): - tag[0]: name=all_registered_clients - tag[1]: name=Low
# diagnose firewall dynamic list List all dynamic addresses: FCTEMS0000109188_all_registered_clients: ID(51) ADDR(172.17.194.209) ADDR(192.168.40.8) … FCTEMS0000109188_Low: ID(78) ADDR(172.17.194.209) ADDR(192.168.40.8) … FCTEMS0000109188_Malicious-File-Detected: ID(190) …
# diagnose test application fcnacd 7 ZTNA Cache: -uid F4F3263AEBE54777A6509A8FCCDF9284: { "tags": [ "all_registered_clients", "Low" ], "user_name": "keithli", "client_cert_sn": "563DA313367608678A3633E93C574F6F8BCB4A95", "gateway_route_list": [ { "gateway_info": { "fgt_sn": "FGVM04TM21000144", "interface": "default.35", "vdom": "root" }, "route_info": [ { "ip": "192.168.40.8", "mac": "24-b6-fd-fa-54-c1", "route_type": "direct" } ] } ], "ems_sn": "FCTEMS0000109188" }
# execute log display 49 logs found. 10 logs returned. 3.5% of logs has been searched. 38: date=2021-03-28 time=23:07:38 eventtime=1616998058790134389 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.40.8 srcname="Fortinet-KeithL" srcport=51056 srcintf="default.35" srcintfrole="undefined" dstip=192.168.20.6 dstport=443 dstintf="port3" dstintfrole="undefined" srcuuid="5445be2e-5d7b-51ea-e2c3-ae6b7855c52f" dstuuid="5445be2e-5d7b-51ea-e2c3-ae6b7855c52f" srccountry="Reserved" dstcountry="Reserved" sessionid=161585 proto=6 action="close" policyid=30 policytype="policy" poluuid="8f6ea492-9034-51eb-f197-c00d803b7489" policyname="allow-internal-access" service="HTTPS" trandisp="snat" transip=192.168.20.5 transport=51056 duration=2 sentbyte=3374 rcvdbyte=107732 sentpkt=50 rcvdpkt=80 fctuid="F4F3263AEBE54777A6509A8FCCDF9284" unauthuser="keithli" unauthusersource="forticlient" appcat="unscanned" mastersrcmac="24:b6:fd:fa:54:c1" srcmac="24:b6:fd:fa:54:c1" srcserver=0 dstosname="Windows" dstswversion="10" masterdstmac="52:54:00:e3:4c:1a" dstmac="52:54:00:e3:4c:1a" dstserver=0
Access denied:
# diagnose endpoint wad-comm find-by ip-vdom 192.168.40.8 root UID: F4F3263AEBE54777A6509A8FCCDF9284 status code:ok Domain: User: keithli Cert SN:563DA313367608678A3633E93C574F6F8BCB4A95 EMS SN: FCTEMS0000109188 Routes(1): - route[0]: IP=192.168.40.8, VDom=root Tags(3): - tag[0]: name=Malicious-File-Detected - tag[1]: name=all_registered_clients - tag[2]: name=Low
# diagnose firewall dynamic list List all dynamic addresses: FCTEMS0000109188_all_registered_clients: ID(51) ADDR(172.17.194.209) ADDR(192.168.40.8) … FCTEMS0000109188_Low: ID(78) ADDR(172.17.194.209) ADDR(192.168.40.8) … FCTEMS0000109188_Malicious-File-Detected: ID(190) ADDR(172.17.194.209) ADDR(192.168.40.8) …
# diagnose test application fcnacd 7 ZTNA Cache: -uid F4F3263AEBE54777A6509A8FCCDF9284: { "user_name": "keithli", "client_cert_sn": "563DA313367608678A3633E93C574F6F8BCB4A95", "gateway_route_list": [ { "gateway_info": { "fgt_sn": "FGVM04TM21000144", "interface": "default.35", "vdom": "root" }, "route_info": [ { "ip": "192.168.40.8", "mac": "24-b6-fd-fa-54-c1", "route_type": "direct" } ] } ], "ems_sn": "FCTEMS0000109188", "tags": [ "Malicious-File-Detected", "all_registered_clients", "Low" ] }
# execute log display 49 logs found. 10 logs returned. 3.5% of logs has been searched. 11: date=2021-03-28 time=23:14:41 eventtime=1616998481409744928 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.40.8 srcname="Fortinet-KeithL" srcport=51140 srcintf="default.35" srcintfrole="undefined" dstip=192.168.20.6 dstport=443 dstintf="port3" dstintfrole="undefined" srcuuid="5445be2e-5d7b-51ea-e2c3-ae6b7855c52f" dstuuid="5445be2e-5d7b-51ea-e2c3-ae6b7855c52f" srccountry="Reserved" dstcountry="Reserved" sessionid=162808 proto=6 action="deny" policyid=29 policytype="policy" poluuid="2835666c-9034-51eb-135d-2f56e5f0f7a2" policyname="block-internal-malicious-access" service="HTTPS" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 fctuid="F4F3263AEBE54777A6509A8FCCDF9284" unauthuser="keithli" unauthusersource="forticlient" appcat="unscanned" crscore=30 craction=131072 crlevel="high" mastersrcmac="24:b6:fd:fa:54:c1" srcmac="24:b6:fd:fa:54:c1" srcserver=0