Posture check verification for active ZTNA proxy session examples
Endpoint posture changes trigger active ZTNA proxy sessions to be re-verified and terminated if the endpoint is no longer compliant with the ZTNA policy.
The FortiGate monitors changes to the endpoint tags that are updated by EMS with the fcnacd process. When a change is detected, the endpoint's active ZTNA sessions must match the ZTNA policy again before data can pass.
Changes to the ZTNA policy, such as changing the ZTNA tag matching logic, will also trigger re-verification of the client device against the policy.
The remote endpoint accesses the RDP server through the TCP forwarding access proxy. The proxy is managed by the FortiClient EMS server, which has a ZTNA tagging rule that assigns the AV-enabled tag to endpoints that have Windows antivirus enabled, and the Low risk host tag to endpoints that are low risk.
These examples assume that the FortiGate EMS fabric connector has already connected successfully, and a ZTNA server named WIN2K16-P1-RDP that forwards traffic to the RDP server has been configured.
Example 1 - The ZTNA tag status changes on the endpoint
In this example, a ZTNA rule is configured to allow access for endpoints that have the AV-enabled tag. After an RDP sessions is established, Windows antivirus is disabled on the remote endpoint. The FortiGate re-verifies the session and the active RDP session is removed from the FortiGate session table, causing the RDP session to be disconnected.
To configure the ZTNA rule in the GUI:
-
Go to Policy & Objects > ZTNA, select the ZTNA Rules tab, and click Create New.
-
Set Name to TCP-forward-WIN2K16.
-
Set Incoming Interface to port1.
-
Set Source to all.
-
In ZTNA Tag add AV-enabled
-
In ZTNA Server add WIN2K16-P1-RDP.
-
Set Destination to all.
-
Set Action to ACCEPT.
-
Configure the remaining options as needed.
-
Click OK.
To configure the ZTNA rule in the CLI:
config firewall proxy-policy edit 4 set name "TCP-forward-WIN2K16" set proxy access-proxy set access-proxy "WIN2K16-P1-RDP" set srcintf "port1" set srcaddr "all" set dstaddr "all" set ztna-ems-tag "FCTEMS0000109188_AV-enabled" set action accept set schedule "always" set logtraffic all next end
To test the example:
-
On the remote endpoint, open FortiClient.
-
On the Zero Trust Telemetry tab, make sure that you are connected to the EMS server.
-
Add a ZTNA rule:
-
On the ZTNA Connection Rules tab, click Add Rule.
-
Configure the ZTNA rule:
Rule Name
RDP-WIN2K16
Destination Host
192.168.20.6:3389
Proxy Gateway
192.168.2.86:443
Encryption
Disabled
-
Click Create.
-
-
Ensure that the endpoint has Windows antivirus enabled.
-
Open an RDP session to connect to the RDP server at 192.168.20.6.
-
After a successful connection, on the FortiGate:
-
The endpoint is detected and marked with the AV-enabled tag:
# diagnose test application fcnacd 7 ZTNA Cache V2: Entry #1: - UID: F4F3263AEBE54777A6509A8FCCDF9284 - Domain: - User: keithli - Owner: - Certificate SN: 1626C2C10E6AD97D71FA9E2D9C314C1F5C03D68B - EMS SN: FCTEMS0000109188 - online: true - Tags (3): -- Tag (#0): AV-enabled -- Tag (#1): all_registered_clients -- Tag (#2): Low lls_idx_mask = 0x00000001,
-
A session is created:
# diagnose sys session filter dst 192.168.2.86 # diagnose sys session filter src 10.10.10.25 # diagnose sys session list session info: proto=6 proto_state=01 duration=191 expire=3599 timeout=3600 flags=00000000 socktype=0 sockport=1012 av_idx=0 use=3 origin-shaper= reply-shaper= per_ip_shaper= class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0 state=log local may_dirty f24 statistic(bytes/packets/allow_err): org=58031/376/1 reply=66864/351/1 tuples=2 tx speed(Bps/kbps): 303/2 rx speed(Bps/kbps): 349/2 orgin->sink: org pre->in, reply out->post dev=3->7/7->3 gwy=192.168.2.86/0.0.0.0 hook=pre dir=org act=noop 10.10.10.25:60668->192.168.2.86:443(0.0.0.0:0) hook=post dir=reply act=noop 192.168.2.86:443->10.10.10.25:60668(0.0.0.0:0) pos/(before,after) 0/(0,0), 0/(0,0) src_mac=08:5b:0e:ea:7f:d4 misc=7 policy_id=4 pol_uuid_idx=14853 auth_info=0 chk_client_info=0 vd=0 serial=00000c0b tos=00/00 app_list=0 app=0 url_cat=0 sdwan_mbr_seq=0 sdwan_service_id=0 rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=n/a npu_state=00000000 total session 1
-
The forward traffic log indicates that traffic is allowed:
# execute log filter category 0 # execute log filter field dstip 192.168.20.6 # execute log display ... 11: date=2021-10-18 time=11:22:16 eventtime=1634581336644493852 tz="-0700" logid="0000000024" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.10.10.25 srcport=60660 srcintf="port1" srcintfrole="wan" dstcountry="Reserved" srccountry="Reserved" dstip=192.168.20.6 dstport=3389 dstintf="root" dstintfrole="undefined" sessionid=2550 srcuuid="5445be2e-5d7b-51ea-e2c3-ae6b7855c52f" service="RDP" proto=6 action="accept" policyid=4 policytype="proxy-policy" poluuid="ce8f82d0-8fb3-51eb-0a17-5e6a6a51ff27" policyname="TCP-forward-WIN2K16" duration=0 wanin=1578 rcvdbyte=1578 wanout=1107 lanin=2788 sentbyte=2788 lanout=3750 srchwvendor="Fortinet" devtype="Network" srcfamily="Firewall" osname="FortiOS" srchwversion="FortiWiFi-30E" appcat="unscanned"
-
-
On the remote endpoint, disable Windows antivirus.
FortiClient EMS detects a change in ,and removes the AV-enabled tag on the FortiClient endpoint.
-
Due to the change in posture, the RDP session is disconnected:
-
The endpoint is no longer marked with the AV-enabled tag:
# diagnose test application fcnacd 7 ZTNA Cache V2: Entry #1: - UID: F4F3263AEBE54777A6509A8FCCDF9284 - Domain: - User: keithli - Owner: - Certificate SN: 1626C2C10E6AD97D71FA9E2D9C314C1F5C03D68B - EMS SN: FCTEMS0000109188 - online: true - Tags (2): -- Tag (#0): all_registered_clients -- Tag (#1): Low lls_idx_mask = 0x00000001,
-
The previous session is removed:
# diagnose sys session filter dst 192.168.2.86 # diagnose sys session filter src 10.10.10.25 # diagnose sys session list total session 0
-
The forward traffic log indicates that traffic is denied:
# execute log display 7: date=2021-10-18 time=11:31:45 eventtime=1634581905530844852 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.10.10.25 srcport=60668 srcintf="port1" srcintfrole="wan" dstip=192.168.20.6 dstport=3389 dstintf="root" dstintfrole="undefined" srcuuid="5445be2e-5d7b-51ea-e2c3-ae6b7855c52f" dstuuid="5445be2e-5d7b-51ea-e2c3-ae6b7855c52f" srccountry="Reserved" dstcountry="Reserved" sessionid=3083 proto=6 action="deny" policyid=4 policytype="proxy-policy" poluuid="ce8f82d0-8fb3-51eb-0a17-5e6a6a51ff27" policyname="TCP-forward-WIN2K16" service="RDP" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" utmaction="block" countztna=1 msg="Denied: failed to match a proxy-policy" utmref=65349-5754
-
The ZTNA log indicates that traffic is denied:
# execute log filter category 21 # execute log display 6: date=2021-10-18 time=11:31:45 eventtime=1634581905530840484 tz="-0700" logid="2101060510" type="utm" subtype="ztna" eventtype="ztna-policy-match" level="warning" vd="root" msg="Connection is blocked due to unable to match a proxy-policy" policyid=4 sessionid=3083 srcip=10.10.10.25 dstip=192.168.20.6 srcport=60668 dstport=3389 srcintf="port1" srcintfrole="wan" dstintf="root" dstintfrole="undefined" proto=6 action="blocked" service="HTTPS" gatewayid=1 vip="WIN2K16-P1-RDP" accessproxy="WIN2K16-P1-RDP" clientdeviceid="F4F3263AEBE54777A6509A8FCCDF9284" clientdevicetags="MAC_FCTEMS0000109188_Low/FCTEMS0000109188_all_registered_clients/MAC_FCTEMS0000109188_all_registered_clients/FCTEMS0000109188_Low"
-
Example 2 - The ZTNA rule tag checking logic changes
In this example, a ZTNA rule is configured to allow access to endpoints that have at least one of the AV-enabled or Low ZTNA tags. A remote user who has Windows antivirus disabled, but is low risk, successfully establishes an RDP session over the ZTNA access proxy. An administrator changes the ZTNA rule's tag matching logic from Any to All, causing the RDP session to be disconnected.
To configure the ZTNA rule in the GUI:
-
Go to Policy & Objects > ZTNA, select the ZTNA Rules tab.
-
Edit the TCP-forward-WIN2K16 rule.
-
In ZTNA Tag, add Low.
-
Ensure that Match ZTNA Tags is set to Any.
-
Click OK.
To configure the ZTNA rule in the CLI:
config firewall proxy-policy edit 4 set name "TCP-forward-WIN2K16" set proxy access-proxy set access-proxy "WIN2K16-P1-RDP" set srcintf "port1" set srcaddr "all" set dstaddr "all" set ztna-ems-tag "FCTEMS0000109188_AV-enabled" "FCTEMS0000109188_Low" set ztna-tags-match-logic or set action accept set schedule "always" set logtraffic all next end
To test the example:
-
On the remote Windows PC, disable antivirus protection.
-
Open an RDP session to connect to the RDP server at 192.168.20.6.
-
After a successful connection, on the FortiGate:
-
The endpoint is detected and marked with the Low tag, but not the AV-enabled tag:
# diagnose test application fcnacd 7 ZTNA Cache V2: Entry #1: - UID: F4F3263AEBE54777A6509A8FCCDF9284 - Domain: - User: keithli - Owner: - Certificate SN: 1626C2C10E6AD97D71FA9E2D9C314C1F5C03D68B - EMS SN: FCTEMS0000109188 - online: true - Tags (2): -- Tag (#0): all_registered_clients -- Tag (#1): Low lls_idx_mask = 0x00000001,
-
A session is created:
# diagnose sys session filter dst 192.168.2.86 # diagnose sys session filter src 10.10.10.25 # diagnose sys session list session info: proto=6 proto_state=01 duration=29 expire=3598 timeout=3600 flags=00000000 socktype=0 sockport=1012 av_idx=0 use=3 origin-shaper= reply-shaper= per_ip_shaper= class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0 state=log local may_dirty f24 statistic(bytes/packets/allow_err): org=54763/299/1 reply=90223/313/1 tuples=2 tx speed(Bps/kbps): 1860/14 rx speed(Bps/kbps): 3064/24 orgin->sink: org pre->in, reply out->post dev=3->7/7->3 gwy=192.168.2.86/0.0.0.0 hook=pre dir=org act=noop 10.10.10.25:55147->192.168.2.86:443(0.0.0.0:0) hook=post dir=reply act=noop 192.168.2.86:443->10.10.10.25:55147(0.0.0.0:0) pos/(before,after) 0/(0,0), 0/(0,0) src_mac=08:5b:0e:ea:7f:d4 misc=7 policy_id=4 pol_uuid_idx=14853 auth_info=0 chk_client_info=0 vd=0 serial=00003255 tos=00/00 app_list=0 app=0 url_cat=0 sdwan_mbr_seq=0 sdwan_service_id=0 rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=n/a
-
The forward traffic log indicates that traffic is allowed:
# execute log filter category 0 # execute log display ... 1: date=2021-10-18 time=12:46:01 eventtime=1634586361077487880 tz="-0700" logid="0000000024" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.10.10.25 srcport=55140 srcintf="port1" srcintfrole="wan" dstcountry="Reserved" srccountry="Reserved" dstip=192.168.20.6 dstport=3389 dstintf="root" dstintfrole="undefined" sessionid=12542 srcuuid="5445be2e-5d7b-51ea-e2c3-ae6b7855c52f" service="RDP" proto=6 action="accept" policyid=4 policytype="proxy-policy" poluuid="ce8f82d0-8fb3-51eb-0a17-5e6a6a51ff27" policyname="TCP-forward-WIN2K16" duration=138 wanin=140349 rcvdbyte=140349 wanout=47118 lanin=48799 sentbyte=48799 lanout=142521 appcat="unscanned"
-
-
On the FortiGate, edit the ZTNA rule TCP-forward-WIN2K16:
-
In the GUI, set Match ZTNA Tags to All.
-
In the CLI, set
ztna-tags-match-logic
toand
.
-
-
Due to the ZTNA rule update, the FortiGate re-verifies the session, and the RDP session is disconnected:
-
The previous session is removed:
# diagnose sys session filter dst 192.168.2.86 # diagnose sys session filter src 10.10.10.25 # diagnose sys session list total session 0
-
The ZTNA log indicates that traffic is denied:
# execute log filter category 21 # execute log display 1: date=2021-10-18 time=12:53:57 eventtime=1634586837921889075 tz="-0700" logid="2101060510" type="utm" subtype="ztna" eventtype="ztna-policy-match" level="warning" vd="root" msg="Connection is blocked due to unable to match a proxy-policy" policyid=0 sessionid=13865 srcip=10.10.10.25 dstip=192.168.2.86 srcport=55162 dstport=443 srcintf="port1" srcintfrole="wan" dstintf="root" dstintfrole="undefined" proto=6 action="blocked" service="HTTPS" gatewayid=1 vip="WIN2K16-P1-RDP" accessproxy="WIN2K16-P1-RDP" clientdeviceid="F4F3263AEBE54777A6509A8FCCDF9284" clientdevicetags="MAC_FCTEMS0000109188_Low/FCTEMS0000109188_all_registered_clients/MAC_FCTEMS0000109188_all_registered_clients/FCTEMS0000109188_Low"
-