ZTNA session-based form authentication
Session-based form authentication for ZTNA allows users to log in through an authentication portal with support for multi-factor authentication (MFA). This added advantage over the basic type authentication method allows FortiToken MFA to be applied directly to FortiGate users. FortiToken MFA can be applied to local users or remote users. Session-based form authentication can also be applied to explicit and transparent web proxies.
Example
In this example, the FortiGate is configured with a ZTNA HTTPS access proxy to protect access to the web server. It uses session-based form authentication with cookies and auth-portal enabled. It connects to the internal Windows Active Directory using LDAPS for user authentication, and assigns FortiToken MFA to individual users.
This example assumes that the FortiGate EMS Fabric connector is already successfully connected.
To configure the LDAP server:
-
Go to User & Authentication > LDAP Servers and click Create New.
-
Configure the following settings:
Name
LDAP-fortiad
Server IP/Name
10.88.0.1
Server Port
389
Common Name Identifier
sAMAccountName
Distinguished Name
dc=fortiad,dc=info
Exchange server
Disable this setting.
Bind Type
Regular
Enter the Username and Password for LDAP binding and lookup.
Secure Connection
Enable and set the Protocol to LDAPS.
Certificate
Enable and select the CA certificate to validate the server certificate.
Server identity check
Optionally, enable to verify the domain name or IP address against the server certificate.
-
Click Test Connectivity to verify the connection to the server.
-
Click OK.
To configure a user with FortiToken MFA:
- Go to User & Authentication > User Definition and click Create New.
- Set User Type to Remote LDAP User and click Next.
- Set LDAP Server to LDAP-fortiad and click Next.
- For Remote Users, right-click on a user from the list under the corresponding OU and click Add Selected. In this example, the user tsmith under the Marketing OU is selected.
- Click Submit.
- Double-click the new user, tsmith, to edit the settings.
- Enable Two-factor Authentication. Select either FortiToken Cloud or FortiToken. In this example, FortiToken is selected with a mobile FortiToken available on this FortiGate.
- Enter an Email Address for the user to get a token activation notification.
- Click OK.
To configure a user group:
- Go to User & Authentication > User Groups and click Create New.
- Enter the name of the group, FortiAD-MFA-group.
- Set Type to Firewall.
- Click the +in the Members field and add the user, tsmith.
- Click OK.
To configure the authentication scheme:
- Go to Policy & Objects > Authentication Rules and click Create New > Authentication Scheme.
- Enter the name, ZTNA-Auth-scheme.
- Set Method to Form-based.
- Set User database to Other and select the LDAP-fortiad LDAP server.
- Enable Two-factor authentication.
- Click OK.
To configure the authentication rule:
config authentication rule
edit "ztna_form_rule"
set srcaddr "all"
set ip-based disable
set active-auth-method "ZTNA-Auth-scheme"
set web-auth-cookie enable
next
end
|
By disabling |
To configure the ZTNA basic server settings in the GUI:
Configuring the ZTNA server requires some settings that can only be configured in the CLI. The basic settings are configured in the GUI first, then the advanced CLI-only configurations are added after.
-
Go to Policy & Objects > ZTNA and select the ZTNA Servers tab.
-
Click Create New.
-
Enter the server name, ZTNA_S1.
-
Configure the network settings:
-
Set External interface to port3.
-
Set External IP to 10.0.3.10.
-
Set External port to 9443.
-
-
Select the Default certificate. Clients will be presented with this certificate when they connect to the access proxy VIP. In this example, the custom certificate, ztna-wildcard is selected.
-
Add server mapping:
-
In the Service/server mapping table, click Create New.
-
Set Service to HTTPS.
-
Set Virtual Host to Any Host.
-
Configure the path as needed.
-
Add a server:
-
In the Servers table, click Create New.
-
Set IP to 10.88.0.3.
-
Set Port to 9443.
-
Click OK to complete the server settings.
-
-
Click OK to complete the HTTPS service mapping.
-
-
Click OK.
To configure the advanced authentication settings in the CLI:
The following steps are required to create a virtual host and to enable the authentication portal.
- Create an access proxy virtual host that points to the ZTNA access proxy. The FQDN of the host must be able to resolve to the external address 10.0.3.10. The client will be redirected to this page for form authentication:
config firewall access-proxy-virtual-host edit "auth-portal-vhost" set ssl-certificate "ztna-wildcard" set host "authportal.ztnademo.com" next end - Enable
auth-portalon the access proxy and point it to the virtual host:config firewall access-proxy edit "ZTNA_S1" set auth-portal enable set auth-virtual-host "auth-portal-vhost" next endWhen
auth-virtual-hostis configured in the access proxy, it acts as a single sign-on (SSO) point. This means users will be authenticated once when accessing any domains or services in ZTNA_S1.When
auth-virtual-hostis not configured, users will be re-authenticated for each domain or service in ZTNA_S1.
To apply the authentication to the ZTNA rule:
- Go to Policy & Objects > ZTNA and select the ZTNA Rules tab.
- Click Create New.
- Enter the name, ZTNA_R1.
- Set Incoming Interface to port3.
- Set Source to all. This can also be set to specific IP addresses to only allow those addresses to connect to this HTTPS access proxy.
-
Click the + in the Source and from the User tab, select the FortiAD-MFA-group user group.
- Click the + in the ZTNA Tag field and select the Low tag.
- Set ZTNA Server to ZTNA_S1.
- Set Destination to Webserver1, which is an address object for 10.88.0.3/32.
- Configure the remaining options as needed.
- Click OK.
Testing the connection
To test the remote access to the HTTPS access proxy with user authentication:
- On the remote Windows PC, open FortiClient.
- From the Zero Trust Telemetry tab, make sure that you are connected to the EMS server.
- Open a browser and enter the address or FQDN of the server and the access port. In this example, https://webserver.ztnademo.com:9443 resolves to https://10.0.3.10:9443.
- The browser prompts for the client certificate to use. Select the EMS signed certificate, then click OK.
- The client is verified by the FortiGate to authenticate your identity.
- Form authentication redirects you to the captive portal defined by the
auth-virtual-host, authportal.ztnademo.com:9443. Enter your user credentials and FortiToken code.
- After the user authentication passes, the FortiGate performs a posture check on the endpoint. When the posture check passes, you are allowed access to the website.
To verify the logs:
- Verify the logged in users in the WAD daemon:
# diagnose wad user list ID: 2, VDOM: root, IPv4: 10.0.3.2 user name : tsmith worker : 1 duration : 42 auth_type : Session auth_method : Form pol_id : 1 g_id : 4 user_based : 0 expire : no LAN: bytes_in=5117 bytes_out=302717 WAN: bytes_in=304915 bytes_out=4407 - Verify the endpoint information:
# diagnose endpoint record list Record #1: IP Address = 10.0.3.2 MAC Address = 02:09:0f:00:03:03 MAC list = 02:09:0f:00:04:03;02:09:0f:00:03:03; VDOM = (-1) EMS serial number: FCTEMS8822000000 Client cert SN: 5BDEE2D7B7FCA460D9CEC67BBF4D1FA33E3D281A Public IP address: 67.249.72.215 Quarantined: no Online status: online Registration status: registered On-net status: on-net Gateway Interface: FortiClient version: 7.0.2 AVDB version: 1.0 FortiClient app signature version: 13.364 FortiClient vulnerability scan engine version: 2.31 FortiClient UID: 9A016B5A6E914B42AD4168C066EB04CA Host Name: WIN10-01 OS Type: WIN64 OS Version: Microsoft Windows 10 Professional Edition, 64-bit (build 19042) (version 2009) Host Description: Domain: fortiad.info Last Login User: tsmith … Number of Routes: (0) online records: 1; offline records: 0; quarantined records: 0 - Verify the detected tags on the endpoint:
# diagnose test app fcnacd 7 ZTNA Cache V2: Entry #1: - UID: 9A016B5A6E914B42AD4168C066EB04CA - EMS SN: FCTEMS88220010000 - Domain: fortiad.info - User: tsmith - Owner: - Certificate SN: 5BDEE2D7B7FCA460D9CEC67BBF4D1FA33E3D281A - online: true - Tags (2): -- Tag (#0): all_registered_clients -- Tag (#1): Low lls_idx_mask = 0x00000001,
- Verify the ZTNA logs.
- In the GUI, go to Log & Report > ZTNA Traffic.
- In the CLI:
# execute log filter category 0 # execute log filter field subtype ztna # execute log display 17 logs found. 10 logs returned. 1: date=2022-05-19 time=13:04:41 eventtime=1652990680922903215 tz="-0700" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.0.3.2 srcport=63111 srcintf="port3" srcintfrole="wan" dstcountry="Reserved" srccountry="Reserved" dstip=10.88.0.3 dstport=9443 dstintf="root" dstintfrole="undefined" sessionid=8313 service="tcp/9443" proto=6 action="accept" policyid=1 policytype="proxy-policy" poluuid="b513a216-d7a9-51ec-7965-6ba166e99004" policyname="ZTNA_R1" duration=66 user="tsmith" group="FortiAD-MFA-group" gatewayid=1 vip="ZTNA_S1" accessproxy="ZTNA_S1" clientdeviceid="9A016B5A6E914B42AD4168C066EB04CA" clientdevicetags="MAC_FCTEMS8822000000_Low/FCTEMS8822000000_all_registered_clients/MAC_FCTEMS8822000000_all_registered_clients" wanin=303042 rcvdbyte=303042 wanout=3925 lanin=4430 sentbyte=4430 lanout=301660 fctuid="9A016B5A6E914B42AD4168C066EB04CA" appcat="unscanned"