ZTNA TCP forwarding access proxy example

In this example, a TCP forwarding access proxy (TFAP) is configured to demonstrate an HTTPS reverse proxy that forwards TCP traffic to the designated resource. The access proxy tunnels TCP traffic between the client and the FortiGate over HTTPS, and forwards the TCP traffic to the protected resource. It verifies user identity, device identity, and trust context, before granting access to the protected source.

By default, encryption is disabled on FortiClient ZTNA rules, as this reduces overhead for end to end protocols that are already secure. For insecure end to end protocols, enable encryption.

RDP (Remote Desktop Protocol) and SMB (Server Message Block) protocol access are configured to one server, and SSH access to the other server.

FortiClient (Windows) must be running 7.0.3 or later to detect SMB.

This example assumes that the FortiGate EMS fabric connector is already successfully connected.

To configure the ZTNA server for TCP access proxy in the GUI:

1. Go to Policy & Objects > ZTNA and select the ZTNA Servers tab.

2. Click Create New.

3. Set Name to ZTNA-tcp-server.

4. Configure the network settings:

   1. Set External interface to port3.

   2. Set External IP to 10.0.3.11.

   3. Set External port to 8443.

5. Select the Default certificate. Clients will be presented with this certificate when they connect to the access proxy VIP.

6. Add server mapping:

   1. In the Service/server mapping table, click Create New.

   2. Set Service to TCP Forwarding.

   3. Add a server:

      1. In the Servers table, click Create New.

      2. Create a new address for the FortiAnalyzer server at 10.88.0.2 and use it as the address.

      3. Set Port to 22.

      4. Click OK.

   4. Add another server:

      1. In the Servers table, click Create New.

      2. Create a new address for the winserver at 10.88.0.1 and use it as the address.

      3. Set Port to 445, 3389 to correspond to SMB and RDP.

      4. Click OK.

   5. Click OK.

7. Click OK.

To configure the ZTNA rule to allow traffic to the TCP access proxy in the GUI:

1. Go to Policy & Objects > ZTNA, select the ZTNA Rules tab, and click Create New.

2. Set Name to ZTNA_remote.

3. Set Incoming Interface to port3.

4. Set Source to all.

5. Select the ZTNA server ZTNA-tcp-server.

6. Configure the remaining options as needed.

7. Click OK.

To configure the access proxy VIP in the CLI:

config firewall vip
    edit "ZTNA-tcp-server"
        set type access-proxy
        set extip 10.0.3.11
        set extintf "port3"
        set server-type https
        set extport 8443
        set ssl-certificate "Fortinet_SSL"
    next
end

To configure the server addresses in the CLI:

config firewall address
    edit "FAZ"
        set subnet 10.88.0.2 255.255.255.255
    next
    edit "winserver"
        set subnet 10.88.0.1 255.255.255.255
    next
end

To configure access proxy server mappings in the CLI:

config firewall access-proxy
    edit "ZTNA-tcp-server"
        set vip "ZTNA-tcp-server"
        set client-cert enable
        config api-gateway
            edit 1
                set service tcp-forwarding
                config realservers
                    edit 1
                        set address "FAZ"
                        set mappedport 22 
                    next
                    edit 2
                        set address "winserver"
                        set mappedport 445 3389 
                    next
                end
            next
        end
    next
end

The mapped port (mappedport) restricts the mapping to the specified port or port range. If mappedport is not specified, then any port will be matched.

To configure a ZTNA rule (proxy policy) in the CLI:

config firewall proxy-policy
    edit 0
        set name "ZTNA_remote"
        set proxy access-proxy
        set access-proxy "ZTNA-tcp-server"
        set srcintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
    next
end

Test the connection to the access proxy

Before connecting, users must have a ZTNA connection rule in FortiClient.

ZTNA TCP forwarding rules can be provisioned from the EMS server. See Provisioning ZTNA TCP forwarding rules via EMS for details.

To create a ZTNA rule in FortiClient:

1. On the ZTNA Connection Rules tab, click Add Rule.

2. Set Rule Name to SSH-FAZ.

3. Set Destination Host to 10.88.0.2:22. This is the real IP address and port of the server.

4. Set Proxy Gateway to 10.0.3.11:8443. This is the access proxy address and port that are configured on the FortiGate.

5. Enable Encryption. This option determines whether or not the Client to FortiGate access proxy connection is encrypted in HTTPS.

   

6. Click Create.

7. Create a second rule with the following settings:

   • Rule Name: RDP_winserver

   • Destination Host: 10.88.0.1:3389

   • Proxy Gateway: 10.0.3.11:8443

   • Encryption: Enabled

   

8. Create a third rule with the following settings:

   • Rule Name: SMB_winserver

   • Destination Host: 10.88.0.1:445

   • Proxy Gateway: 10.0.3.11:8443

   • Encryption: Enabled

   

After creating the ZTNA connection rules, you can SSH, RDP, and SMB directly to the server IP address and port.

Logs

# exec log filter category 0
# exec log filter field subtype ztna
# exec log display

SMB:

1: date=2022-05-19 time=23:32:15 eventtime=1653028335085873990 tz="-0700" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.0.3.2 srcport=49823 srcintf="port3" srcintfrole="wan" dstcountry="Reserved" srccountry="Reserved" dstip=10.88.0.1 dstport=445 dstintf="root" dstintfrole="undefined" sessionid=27520 service="SMB" proto=6 action="accept" policyid=2 policytype="proxy-policy" poluuid="1c65cda2-d7d4-51ec-271f-deb3263318ad" policyname="ZTNA_remote" duration=11 gatewayid=1 vip="ZTNA-tcp-server" accessproxy="ZTNA-tcp-server" clientdeviceid="9A016B5A6E914B42AD4168C066EB04CA" clientdevicetags="MAC_FCTEMS8822001975_Low/FCTEMS8822001975_all_registered_clients/MAC_FCTEMS8822001975_all_registered_clients" wanin=6018 rcvdbyte=6018 wanout=4541 lanin=6840 sentbyte=6840 lanout=10041 fctuid="9A016B5A6E914B42AD4168C066EB04CA" appcat="unscanned"

SSH:

2: date=2022-05-19 time=17:59:25 eventtime=1653008365264312800 tz="-0700" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.0.3.2 srcport=52233 srcintf="port3" srcintfrole="wan" dstcountry="Reserved" srccountry="Reserved" dstip=10.88.0.2 dstport=22 dstintf="root" dstintfrole="undefined" sessionid=18022 service="SSH" proto=6 action="accept" policyid=2 policytype="proxy-policy" poluuid="1c65cda2-d7d4-51ec-271f-deb3263318ad" policyname="ZTNA_remote" duration=5 gatewayid=1 vip="ZTNA-tcp-server" accessproxy="ZTNA-tcp-server" clientdeviceid="9A016B5A6E914B42AD4168C066EB04CA" clientdevicetags="MAC_FCTEMS8822001975_Low/FCTEMS8822001975_all_registered_clients/MAC_FCTEMS8822001975_all_registered_clients" wanin=3693 rcvdbyte=3693 wanout=2817 lanin=4915 sentbyte=4915 lanout=7586 fctuid="9A016B5A6E914B42AD4168C066EB04CA" appcat="unscanned"

RDP:

4: date=2022-05-19 time=17:56:23 eventtime=1653008183694431712 tz="-0700" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.0.3.2 srcport=52213 srcintf="port3" srcintfrole="wan" dstcountry="Reserved" srccountry="Reserved" dstip=10.88.0.1 dstport=3389 dstintf="root" dstintfrole="undefined" sessionid=17598 service="RDP" proto=6 action="accept" policyid=2 policytype="proxy-policy" poluuid="1c65cda2-d7d4-51ec-271f-deb3263318ad" policyname="ZTNA_remote" duration=41 gatewayid=1 vip="ZTNA-tcp-server" accessproxy="ZTNA-tcp-server" clientdeviceid="9A016B5A6E914B42AD4168C066EB04CA" clientdevicetags="MAC_FCTEMS8822001975_Low/FCTEMS8822001975_all_registered_clients/MAC_FCTEMS8822001975_all_registered_clients" wanin=178884 rcvdbyte=178884 wanout=33650 lanin=38920 sentbyte=38920 lanout=188121 fctuid="9A016B5A6E914B42AD4168C066EB04CA" appcat="unscanned"