Full versus simple ZTNA policies NEW
There are two ways to configure ZTNA rules in the GUI by using a full or simple ZTNA policy.
Full ZTNA policy
In a full ZTNA policy, the CLI configuration remains the same as previous versions. In the GUI, the Policy & Objects > ZTNA > ZTNA Rules tab has been removed. Administrators can configure ZTNA policies from the Policy & Objects > Proxy Policy page, and by setting the Type to ZTNA.
Simple ZTNA policy
In a simple ZTNA policy, a regular firewall policy is used for policy management. When creating a new firewall policy, administrators can configure a ZTNA policy by setting the Type to ZTNA.
A simple ZTNA policy cannot control access based on the destination interface or the real server’s destination address. See the Examples section for detailed configurations. |
Authentication for ZTNA policies
Authentication remains largely the same between both ZTNA policy configuration modes. You can specify user groups under Source to define the groups in which the access control applies to. However, the underlying authentication schemes and rules must still be in place to direct the traffic to the ZTNA application gateway.
Authentication for regular firewall policies
Authentication for regular firewall policies is traditionally handled by authd, which does not require an authentication scheme and rules to be configured in order to function. This enhancement allows authentication for regular firewall policies to be handled by WAD so that the authentication scheme and rules are used to determine the type of authentication and the traffic that requires authentication. This option is disabled by default, but can be enabled as follows:
config firewall auth-portal set proxy-auth {enable | disable} end
Redirecting a simple ZTNA policy to a full ZTNA policy
An option is added so that after matching a simple ZTNA policy, the traffic can be redirected for a full ZTNA policy match. This setting can only be configured from the CLI, and it is disabled by default.
config firewall policy edit <id> set ztna-policy-redirect {enable | disable} next end
For example, a client has both tag A and tag B. In the simple ZTNA policy, the client matches a policy that requires tag A for a posture check. If they are using the ztna-policy-redirect
option, then it will also require a full ZTNA policy match.
If a full ZTNA policy allows either tag A or tag B or all traffic in general, then the traffic is allowed. Otherwise, if a full ZTNA policy explicitly denies one of the tags, the traffic will be denied.
If no full ZTNA policy is matched, then the traffic is implicitly denied.
Examples
The following examples demonstrate how to configure a ZTNA policy using the full and simple ZTNA policy modes.
It is assumed that the following settings are already configured:
-
EMS connection and EMS tags (Malicious-File-Detected and FortiAD.Info)
-
ZTNA server configuration (ZTNA-webserver)
-
Authentication scheme and rule
Configuring a full ZTNA policy
To configure a full ZTNA policy in the GUI:
-
Go to Policy & Objects > Proxy Policy and click Create New.
-
Configure the following settings:
Name
ZTNA-webserver
Type
ZTNA
Incoming Interface
port3
Source
all
Destination
Webserver1 (10.88.0.3/32)
ZTNA Server
ZTNA-webserver
Schedule
always
Action
ACCEPT
-
Click OK.
To configure a full ZTNA policy in the CLI:
config firewall proxy-policy edit 1 set name "ZTNA-webserver" set proxy access-proxy set access-proxy "ZTNA-webserver" set srcintf "port3" set srcaddr "all" set dstaddr "Webserver1" set action accept set schedule "always" next end
When traffic is allowed, the ZTNA logs show traffic passing through policy 1 on a policy called ZTNA-webserver
, which is a proxy policy.
To verify the traffic logs:
# execute log filter category traffic # execute log filter field subtype ztna # execute log display 9 logs found. 9 logs returned. 1: date=2023-03-06 time=20:16:11 eventtime=1678162572109525759 tz="-0800" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.0.3.2 srcport=28597 srcintf="port3" srcintfrole="wan" dstcountry="Reserved" srccountry="Reserved" dstip=10.88.0.3 dstport=9443 dstintf="port2" dstintfrole="dmz" sessionid=20140 srcuuid="b458a65a-f759-51ea-d7df-ef2e750026d1" service="tcp/9443" proxyapptype="http" proto=6 action="accept" policyid=1 policytype="proxy-policy" poluuid="1c0a04b8-bc85-51ed-48ba-7d43279fb899" policyname="ZTNA-webserver" duration=3604 gatewayid=1 vip="ZTNA-webserver" accessproxy="ZTNA-webserver" clientdevicemanageable="manageable" wanin=303150 rcvdbyte=303150 wanout=3755 lanin=2813 sentbyte=2813 lanout=304697 appcat="unscanned"
Configuring a simple ZTNA policy
To configure a simple ZTNA policy in the GUI:
-
Go to Policy & Objects > Firewall Policy and click Create New.
-
Configure the following settings:
Name
ZTNA-webserver-fp
Type
ZTNA
Incoming Interface
port3
Source
all
Destination
ZTNA-webserver
Schedule
always
Action
ACCEPT
-
Click OK.
To configure a simple ZTNA policy in the CLI:
config firewall policy edit 9 set name "ZTNA-webserver-fp" set srcintf "port3" set dstintf "any" set action accept set srcaddr "all" set dstaddr "ZTNA-webserver" set schedule "always" set service "ALL" next end
When traffic is allowed, the ZTNA logs show traffic passing through policy 9 on a policy called ZTNA-webserver-fp
, which is a firewall policy.
To verify the traffic logs:
# execute log filter category traffic # execute log filter field subtype ztna # execute log display 14 logs found. 10 logs returned. 1: date=2023-03-06 time=23:01:55 eventtime=1678172515724776640 tz="-0800" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.0.3.2 srcport=31687 srcintf="port3" srcintfrole="wan" dstcountry="Reserved" srccountry="Reserved" dstip=10.88.0.3 dstport=9443 dstintf="port2" dstintfrole="dmz" sessionid=28076 srcuuid="b458a65a-f759-51ea-d7df-ef2e750026d1" service="tcp/9443" proxyapptype="http" proto=6 action="accept" policyid=9 policytype="proxy-policy" poluuid="1f1d5036-bcaa-51ed-1d28-687edafe9439" policyname="ZTNA-webserver-fp" duration=75 gatewayid=1 vip="ZTNA-webserver" accessproxy="ZTNA-webserver" clientdevicemanageable="manageable" wanin=3445 rcvdbyte=3445 wanout=1189 lanin=2358 sentbyte=2358 lanout=4759 appcat="unscanned"
Configuring a ZTNA simple policy with ZTNA tags and authentication
In this example, a simple ZTNA policy uses the FortiAD.Info tag for a posture check and authentication against a pre-configured Active Directory server where the user tsmith resides. The authentication scheme and rule have already been configured as follows:
config authentication scheme edit "ZTNA-Auth-scheme" set method basic set user-database "LDAP-fortiad" next end
config authentication rule edit "ZTNA-Auth-rule" set srcintf "port3" set srcaddr "all" set active-auth-method "ZTNA-Auth-scheme" next end
To append ZTNA tag and authentication settings to the simple ZTNA policy:
-
Go to Policy & Objects > Firewall Policy and edit the ZTNA-webserver-fp policy.
-
For the Source field, click the + and add the user group named LDAP-Remote-Allowed-Group.
-
For the ZTNA Tag field, click the + and add the FortiAD.Info tag.
-
Click OK.
To verify the configuration:
-
Connect to the web server from a client.
-
After selecting the client certificate, the browser will prompt for a username and password. Enter the username (tsmith) and their password.
Upon a successful authentication, the user will be able to access the web server.
-
On the FortiGate, verify that the logs for the allowed traffic show the user tsmith and the tag EMS1_ZTNA_FortiAD.Info:
# execute log filter field subtype ztna # execute log display 18 logs found. 10 logs returned. 1: date=2023-03-06 time=23:25:23 eventtime=1678173923745891128 tz="-0800" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.0.3.2 srcport=32017 srcintf="port3" srcintfrole="wan" dstcountry="Reserved" srccountry="Reserved" dstip=10.88.0.3 dstport=9443 dstintf="port2" dstintfrole="dmz" sessionid=29615 srcuuid="b458a65a-f759-51ea-d7df-ef2e750026d1" service="tcp/9443" proxyapptype="http" proto=6 action="accept" policyid=9 policytype="proxy-policy" poluuid="1f1d5036-bcaa-51ed-1d28-687edafe9439" policyname="ZTNA-webserver-fp" duration=106 user="tsmith" group="LDAP-Remote-Allowed-Group" authserver="LDAP-fortiad" gatewayid=1 vip="ZTNA-webserver" accessproxy="ZTNA-webserver" clientdeviceid="9A016B5A6E914B42AD4168C066EB04CA" clientdevicemanageable="manageable" clientdevicetags="MAC_EMS1_ZTNA_all_registered_clients/EMS1_ZTNA_all_registered_clients/MAC_EMS1_ZTNA_FortiAD.Info/EMS1_ZTNA_FortiAD.Info" emsconnection="online" wanin=301793 rcvdbyte=301793 wanout=3331 lanin=2877 sentbyte=2877 lanout=333000 fctuid="9A016B5A6E914B42AD4168C066EB04CA" appcat="unscanned"