
Dynamic interface IP addresses for access proxy VIPs 7.4.5

Dynamic interface IP addresses for access proxy VIPs 7.4.5

Note

This information is also available in the FortiOS 7.4 Administration Guide.

When an external interface is specified in an access proxy VIP, the external IP address can be set to the wildcard 0.0.0.0 so that the interface's address is assigned dynamically. The ZTNA Application Gateway then uses the interface's primary IPv4 address and every secondary IPv4 address assigned to it as its external IP addresses, which allows the interface IP addresses to change without editing the VIP. Because the gateway listens on every IPv4 address of that interface, a secondary IP address added later is also exposed on the access proxy's external port.

Note

Dynamic ZTNA access is not supported for IPv6, or when the external interface (extintf) is set to any.

Example

The following example shows how to configure dynamic ZTNA access through an access proxy VIP whose external IP address is 0.0.0.0.

To configure dynamic ZTNA access:
  1. Configure the external interface with primary and secondary IP addresses:

    config system interface
        edit "port2"
            set vdom "vdom1"
            set ip 10.1.100.2 255.255.255.0
            set allowaccess ping https ssh snmp http telnet fabric
            set type physical
            set device-identification enable
            set snmp-index 6
            set secondary-IP enable
            config secondaryip
                edit 1
                    set ip 10.1.100.5 255.255.255.0
                    set allowaccess ping https ssh snmp http
                next
                edit 2
                    set ip 10.1.100.6 255.255.255.0
                    set allowaccess ping https ssh snmp http
                next
            end
        next
    end
  2. Configure the access proxy VIP with a wildcard external IP address and specify the external interface:

    config firewall vip
        edit "ZTNA"
            set type access-proxy
            set server-type https
            set extip 0.0.0.0
            set extintf "port2"
            set arp-reply enable
            set extport 4443
        next
    end

    Once this is configured, the client can access the ZTNA destination through the access proxy.

  3. Review the results:

    # diagnose firewall iprope list 100017
    policy index=1 uuid_idx=16163 action=accept
    flag (8810009): log redir master nlb pol_stats
    flag3 (80000000):
    schedule(always)
    cos_fwd=0  cos_rev=0
    group=00100017 av=00000000 au=00000000 split=00000000
    host=1 chk_client_info=0x0 app_list=0 ips_view=0
    misc=1
    zone(1): 10 -> zone(1): 0
    source(1): 0.0.0.0-255.255.255.255, uuid_idx=16021,
    dest(3): 10.1.100.2-10.1.100.2, uuid_idx=0, 10.1.100.5-10.1.100.5, uuid_idx=0, 10.1.100.6-10.1.100.6, uuid_idx=0,
    service(1):
            [6:0x0:1051/(0,65535)->(4443,4443)] flags:0 helper:auto

    The destination list (dest(3)) for the ZTNA VIP contains all three addresses defined on the port2 interface: the primary address 10.1.100.2 and the secondary addresses 10.1.100.5 and 10.1.100.6.

  4. View the ZTNA logs:

    # execute log filter category 0
    # execute log filter field subtype ztna
    # execute log display
    3: date=2024-08-14 time=14:05:49 eventtime=1723669548694374249 tz="-0700" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="vdom1" srcip=10.1.100.22 srcname="ztna-client" srcport=42972 srcintf="port2" srcintfrole="undefined" dstcountry="Reserved" srccountry="Reserved" dstip=172.16.200.207 dstport=443 dstintf="port1" dstintfrole="undefined" sessionid=9316 service="HTTPS" proxyapptype="http" proto=6 action="accept" policyid=1 policytype="proxy-policy" poluuid="c2d20bae-5a6f-51ef-95ff-37abded25d2d" policyname="ZTNA" appcat="unscanned" duration=0 gatewayid=1 realserverid=1 vip="ZTNA" accessproxy="ZTNA" clientdeviceid="E08BDD9A923D46038BC03137FBC18082" clientdeviceowner="user2" clientdevicemanageable="manageable" clientdeviceems="FCTEMS8821001322" clientdevicetags="all_registered_clients/ZT_FILE_CERTFILE/ZT_LINUX_ON_FAB/ZT_OS_LINUX/ZT_EMS_MGMT" clientcert="yes" emsconnection="online" wanin=2376 rcvdbyte=2376 wanout=805 lanin=1690 sentbyte=1690 lanout=3222 fctuid="E08BDD9A923D46038BC03137FBC18082" unauthuser="fosqa" unauthusersource="forticlient" srcremote=172.18.62.240 srchwvendor="VMware, Inc." devtype="VMware7,1" osname="Linux" srcswversion="- Ubuntu 20.04.6 LTS"

Dynamic interface IP addresses for access proxy VIPs 7.4.5

Dynamic interface IP addresses for access proxy VIPs 7.4.5

Note

This information is also available in the FortiOS 7.4 Administration Guide.

When an external interface is specified in an access proxy VIP, the external IP address can be set to the wildcard 0.0.0.0 so that the interface's address is assigned dynamically. The ZTNA Application Gateway then uses the interface's primary IPv4 address and every secondary IPv4 address assigned to it as its external IP addresses, which allows the interface IP addresses to change without editing the VIP. Because the gateway listens on every IPv4 address of that interface, a secondary IP address added later is also exposed on the access proxy's external port.

Note

Dynamic ZTNA access is not supported for IPv6, or when the external interface (extintf) is set to any.

Example

The following example shows how to configure dynamic ZTNA access through an access proxy VIP whose external IP address is 0.0.0.0.

To configure dynamic ZTNA access:
  1. Configure the external interface with primary and secondary IP addresses:

    config system interface
        edit "port2"
            set vdom "vdom1"
            set ip 10.1.100.2 255.255.255.0
            set allowaccess ping https ssh snmp http telnet fabric
            set type physical
            set device-identification enable
            set snmp-index 6
            set secondary-IP enable
            config secondaryip
                edit 1
                    set ip 10.1.100.5 255.255.255.0
                    set allowaccess ping https ssh snmp http
                next
                edit 2
                    set ip 10.1.100.6 255.255.255.0
                    set allowaccess ping https ssh snmp http
                next
            end
        next
    end
  2. Configure the access proxy VIP with a wildcard external IP address and specify the external interface:

    config firewall vip
        edit "ZTNA"
            set type access-proxy
            set server-type https
            set extip 0.0.0.0
            set extintf "port2"
            set arp-reply enable
            set extport 4443
        next
    end

    Once this is configured, the client can access the ZTNA destination through the access proxy.

  3. Review the results:

    # diagnose firewall iprope list 100017
    policy index=1 uuid_idx=16163 action=accept
    flag (8810009): log redir master nlb pol_stats
    flag3 (80000000):
    schedule(always)
    cos_fwd=0  cos_rev=0
    group=00100017 av=00000000 au=00000000 split=00000000
    host=1 chk_client_info=0x0 app_list=0 ips_view=0
    misc=1
    zone(1): 10 -> zone(1): 0
    source(1): 0.0.0.0-255.255.255.255, uuid_idx=16021,
    dest(3): 10.1.100.2-10.1.100.2, uuid_idx=0, 10.1.100.5-10.1.100.5, uuid_idx=0, 10.1.100.6-10.1.100.6, uuid_idx=0,
    service(1):
            [6:0x0:1051/(0,65535)->(4443,4443)] flags:0 helper:auto

    The destination list (dest(3)) for the ZTNA VIP contains all three addresses defined on the port2 interface: the primary address 10.1.100.2 and the secondary addresses 10.1.100.5 and 10.1.100.6.

  4. View the ZTNA logs:

    # execute log filter category 0
    # execute log filter field subtype ztna
    # execute log display
    3: date=2024-08-14 time=14:05:49 eventtime=1723669548694374249 tz="-0700" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="vdom1" srcip=10.1.100.22 srcname="ztna-client" srcport=42972 srcintf="port2" srcintfrole="undefined" dstcountry="Reserved" srccountry="Reserved" dstip=172.16.200.207 dstport=443 dstintf="port1" dstintfrole="undefined" sessionid=9316 service="HTTPS" proxyapptype="http" proto=6 action="accept" policyid=1 policytype="proxy-policy" poluuid="c2d20bae-5a6f-51ef-95ff-37abded25d2d" policyname="ZTNA" appcat="unscanned" duration=0 gatewayid=1 realserverid=1 vip="ZTNA" accessproxy="ZTNA" clientdeviceid="E08BDD9A923D46038BC03137FBC18082" clientdeviceowner="user2" clientdevicemanageable="manageable" clientdeviceems="FCTEMS8821001322" clientdevicetags="all_registered_clients/ZT_FILE_CERTFILE/ZT_LINUX_ON_FAB/ZT_OS_LINUX/ZT_EMS_MGMT" clientcert="yes" emsconnection="online" wanin=2376 rcvdbyte=2376 wanout=805 lanin=1690 sentbyte=1690 lanout=3222 fctuid="E08BDD9A923D46038BC03137FBC18082" unauthuser="fosqa" unauthusersource="forticlient" srcremote=172.18.62.240 srchwvendor="VMware, Inc." devtype="VMware7,1" osname="Linux" srcswversion="- Ubuntu 20.04.6 LTS"