New Features

FortiManager centrally manages ZTNA policies using tags retrieved from EMS server via Fabric Connector 7.0.3

In 7.0.3, FortiManager centrally manages ZTNA policies using the tags retrieved from the EMS server via Fabric Connector.

This topic includes the following sections:

  1. Creating an EMS connector on FortiManager
  2. Configuring a ZTNA server
  3. Using ZTNA tags in a policy
  4. Confirmation

Creating an EMS connector on FortiManager

To create an EMS connector in FortiManager:
  1. Go to Policy & Objects > Object Configuration > Fabric Connectors > Endpoint/Identity.
  2. Click Create New, and select FortiClient EMS from the dropdown menu.
  3. Fill in the EMS server details, and click OK.
To import tags from the EMS server:
  1. Edit your EMS connector in FortiManager.
  2. Click Apply & Refresh on the bottom of the page.
    Any changes on the EMS server are dynamically populated on the FortiManager.
To view tags imported from the EMS server:
  1. Go to Policy & Objects > Object Configurations > Firewall Objects > ZTNA Tags.
    You can see both the ZTNA IP and ZTNA MAC tags that are available on this page.

Configuring a ZTNA server

To configure a ZTNA server, you must define the access proxy VIP and the real servers to which clients will connect. The access proxy VIP is the FortiGate ZTNA gateway that clients make HTTPS connections to. The service/server mappings define the virtual host matching rules and the real server mappings of the HTTPS requests.

To configure a ZTNA server:
  1. Go to Policy & Objects > Object Configurations > Firewall Objects > ZTNA Server.
  2. Create a new ZTNA server, and enter the details for the server.
  3. Select an External Interface, enter the External IP address, and add the External Port to which the clients will connect.
  4. Select the Default Certificate. Clients are presented with this certificate when they connect to the access proxy VIP.
  5. Edit the service and server mapping.
    1. In the Service/Server Mapping table, click Create New.
      1. Set the Virtual Host to Any Host or Specify.
        • Any Host: Any request that resolves to the access proxy VIP is mapped to your real servers. For example, if both www.example1.com and www.example2.com resolve to the VIP, then requests to either host are mapped to your real servers.
        • Specify: Enter the name or IP address of the host that the request must match. For example, if www.example1.com is entered as the host, only requests to www.example1.com will match.
      2. Configure the path as needed. The path can be matched by a substring, wildcard, or regular expression. For example, if the virtual host is specified as www.example1.com and the path substring is map1, then www.example1.com/map1 is a match.
    2. In the Servers table, click Create New.
      1. Enter the server IP address and port number.
      2. Set the server status, and click OK. You can add additional servers as required.
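The following Python model is an added example, not Fortinet code, and it is written to make the matching rules above concrete: a `ZtnaServer` holds the external VIP details plus a list of service/server mappings, each mapping is either "Any Host" (modelled as `virtual_host=None`) or a specific host, the path is matched as a substring, a shell-style wildcard or a regular expression, and only real servers whose status is active are returned. The sample hostnames, addresses, certificate name and the first-match-wins ordering are assumptions made for the example.

```python
"""Model of the access proxy VIP service/server mapping (added example, not Fortinet code)."""
import fnmatch
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class RealServer:
    ip: str
    port: int
    status: str = "active"  # "active" or "disable", as set in the Servers table


@dataclass
class ServiceMapping:
    # virtual_host None models "Any Host"; a hostname or IP address models "Specify".
    virtual_host: Optional[str]
    path: str
    path_type: str = "substring"  # "substring", "wildcard" or "regex"
    servers: List[RealServer] = field(default_factory=list)

    def matches(self, host: str, path: str) -> bool:
        if self.virtual_host is not None and host.lower() != self.virtual_host.lower():
            return False
        if self.path_type == "substring":
            return self.path in path
        if self.path_type == "wildcard":
            # Assumption: shell-style glob, so "/api/*" matches "/api/v1/users".
            return fnmatch.fnmatchcase(path, self.path)
        if self.path_type == "regex":
            return re.search(self.path, path) is not None
        raise ValueError(f"unknown path type {self.path_type!r}")


@dataclass
class ZtnaServer:
    name: str
    external_ip: str
    external_port: int
    default_certificate: str  # presented to clients that connect to the VIP
    mappings: List[ServiceMapping] = field(default_factory=list)

    def resolve(self, host: str, path: str) -> Optional[List[RealServer]]:
        """Return the active real servers for a request, or None when nothing maps.
        Assumption: the first matching mapping in table order wins."""
        for mapping in self.mappings:
            if mapping.matches(host, path):
                return [s for s in mapping.servers if s.status == "active"]
        return None


# Constructed sample configuration (hypothetical values, not from the page): a "Specify"
# mapping for www.example1.com with path substring map1, a regex mapping for an API
# prefix, and an "Any Host" catch-all that maps every host resolving to the VIP.
ZTNA_GW = ZtnaServer(
    name="ztna-gw",
    external_ip="203.0.113.10",
    external_port=443,
    default_certificate="ztna-gw-cert",
    mappings=[
        ServiceMapping("www.example1.com", "map1", "substring",
                       [RealServer("10.0.0.10", 443),
                        RealServer("10.0.0.11", 443, status="disable")]),
        ServiceMapping("www.example1.com", r"^/api/v[0-9]+/", "regex",
                       [RealServer("10.0.0.20", 8443)]),
        ServiceMapping(None, "/", "substring", [RealServer("10.0.0.30", 443)]),
    ],
)


def backends(host: str, path: str) -> List[str]:
    """Return 'ip:port' strings for the real servers chosen for a request."""
    servers = ZTNA_GW.resolve(host, path)
    return [] if servers is None else [f"{s.ip}:{s.port}" for s in servers]


if __name__ == "__main__":
    for req in [("www.example1.com", "/map1"), ("www.example2.com", "/map1"),
                ("www.example1.com", "/api/v2/users"), ("www.example1.com", "/other")]:
        print(req, "->", backends(*req))
```

Running the block shows the two behaviours the text describes: a request to www.example2.com never reaches the "Specify" mapping for www.example1.com and falls through to the "Any Host" entry, and a real server whose status is disabled is never selected even when its mapping matches.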

Using ZTNA tags in a policy

To use tags in a policy:
  1. Go to Policy & Objects > Policy Packages.
  2. Select the Policy Package where you would like to use the ZTNA tags.
  3. Navigate to ZTNA Rules under the Policy Package, and create or edit the ZTNA rule.
    ZTNA Rules must be enabled in Tools > Display Options before they are visible in a policy package.
  4. Fill in the details for the rule.
  5. Click the add icon next to ZTNA Tag to see and use tags in the policy.
  6. Once the policy is configured under ZTNA Rules, install the changes using Device Manager > Install Wizard. FortiManager installs the ZTNA rules to the FortiGate together with the EMS server configuration, including the fingerprint of the EMS server.
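To show how the imported tags and the EMS fingerprint fit together at rule-evaluation time, here is an added Python model; it is not Fortinet code and does not reflect the internal FortiGate implementation. It models the connector's Apply & Refresh as accepting tag membership only from an EMS whose certificate matches the pinned fingerprint, then evaluates ZTNA rules against the IP and MAC tags an endpoint carries. The tag names, addresses, certificate bytes, the `or`/`and` tag-matching option and the implicit deny are all assumptions made for the example.

```python
"""Model of EMS tag import and ZTNA rule matching (added example, not Fortinet code)."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Set


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a certificate, standing in for the EMS fingerprint pushed by FortiManager."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class EmsConnector:
    server: str
    pinned_fingerprint: str
    ip_tags: Dict[str, Set[str]] = field(default_factory=dict)   # ZTNA IP tags: tag -> endpoint IPs
    mac_tags: Dict[str, Set[str]] = field(default_factory=dict)  # ZTNA MAC tags: tag -> endpoint MACs
    status: str = "Disconnected"

    def apply_and_refresh(self, presented_cert_der: bytes,
                          ems_ip_tags: Dict[str, Set[str]],
                          ems_mac_tags: Dict[str, Set[str]]) -> bool:
        """Model of Apply & Refresh: tag membership is accepted only from an EMS whose
        certificate matches the pinned fingerprint; otherwise nothing changes."""
        if cert_fingerprint(presented_cert_der) != self.pinned_fingerprint:
            self.status = "Disconnected"
            return False
        self.ip_tags = {t: set(v) for t, v in ems_ip_tags.items()}
        self.mac_tags = {t: set(v) for t, v in ems_mac_tags.items()}
        self.status = "Connected"
        return True

    def tags_for(self, ip: str, mac: str) -> Set[str]:
        """All tags that apply to an endpoint, from either its IP or its MAC address."""
        tags = {t for t, ips in self.ip_tags.items() if ip in ips}
        tags |= {t for t, macs in self.mac_tags.items() if mac.lower() in macs}
        return tags


@dataclass
class ZtnaRule:
    name: str
    ztna_tags: List[str]
    action: str = "accept"
    match_logic: str = "or"  # assumption: "or" = any listed tag, "and" = all listed tags

    def matches(self, endpoint_tags: Set[str]) -> bool:
        wanted = set(self.ztna_tags)
        if self.match_logic == "and":
            return wanted <= endpoint_tags
        return bool(wanted & endpoint_tags)


def evaluate(rules: List[ZtnaRule], ems: EmsConnector, ip: str, mac: str) -> str:
    """First matching rule wins; an endpoint matching no rule is denied (assumption)."""
    tags = ems.tags_for(ip, mac)
    for rule in rules:
        if rule.matches(tags):
            return rule.action
    return "deny"


# Constructed sample data (hypothetical, not from the page).
GOOD_CERT = b"constructed EMS certificate DER bytes"
ROGUE_CERT = b"constructed certificate from some other server"
EMS_IP_TAGS = {"Windows_Compliant": {"10.1.1.5"}, "AV_Outdated": {"10.1.1.9"}}
EMS_MAC_TAGS = {"Managed_Laptop": {"00:11:22:33:44:55"}}
RULES = [
    ZtnaRule("block-noncompliant", ["AV_Outdated"], action="deny"),
    ZtnaRule("allow-managed", ["Windows_Compliant", "Managed_Laptop"],
             action="accept", match_logic="and"),
]


def run_scenario() -> Dict[str, object]:
    """Walk through a refresh from the wrong server, then a valid one, then rule evaluation."""
    ems = EmsConnector(server="ems.corp.example", pinned_fingerprint=cert_fingerprint(GOOD_CERT))
    results: Dict[str, object] = {}
    results["rogue_refresh"] = ems.apply_and_refresh(ROGUE_CERT, EMS_IP_TAGS, EMS_MAC_TAGS)
    results["before_tags"] = evaluate(RULES, ems, "10.1.1.5", "00:11:22:33:44:55")
    results["good_refresh"] = ems.apply_and_refresh(GOOD_CERT, EMS_IP_TAGS, EMS_MAC_TAGS)
    results["status"] = ems.status
    results["compliant_managed"] = evaluate(RULES, ems, "10.1.1.5", "00:11:22:33:44:55")
    results["compliant_unmanaged"] = evaluate(RULES, ems, "10.1.1.5", "aa:bb:cc:dd:ee:ff")
    results["outdated_av"] = evaluate(RULES, ems, "10.1.1.9", "00:11:22:33:44:55")
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The scenario makes two points visible: until a refresh from the genuine EMS succeeds, the connector holds no tags and every endpoint falls to the implicit deny, which is what the "Connected" status check in the confirmation steps is really verifying; and once tags are loaded, an endpoint that carries the deny tag is stopped by the earlier rule even though it also satisfies the accept rule.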

Confirmation

To confirm on FortiGate:
  1. Log in to the FortiGate device.
  2. Go to Security Fabric > Fabric Connectors > FortiClient EMS.
  3. Confirm the server details installed on the FortiGate are correct and that the panel shows the status as Connected.
  4. Go to Policy & Objects > ZTNA Rules, and confirm the policy was installed correctly.
To confirm on FortiClient EMS:
  1. Log in to the FortiClient EMS server.
  2. Go to Administration > Fabric Devices.
    The FortiGate must be present in this list to interact with the EMS server.