Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiManager 7.2.2 Administration Guide
    7.2.2
    7.6.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.6
    6.2.5
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.0.12
    6.0.11
    6.0.10
    6.0.9
    6.0.8
    6.0.7
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0
    5.6.11
    5.6.10
    5.6.9
    5.6.8
    5.6.7
    5.6.6
    5.6.5
    5.6.4
    5.6.3
    5.6.2
    5.6.1
    5.6.0
    5.4.7
    5.4.6
    5.4.5
    5.4.4
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.2.10
    5.2.7
    5.2.6
    5.2.4
    5.2.3
    5.2.2
    5.2.1
    5.2.0
    5.0.12
    5.0.11
    5.0.10
    5.0.9
    5.0.8
    5.0.7
    5.0.6
    5.0.5
    5.0.4
    5.0.3
    5.0.2
    4.3.8
    4.3.7
    4.3.6
    4.3.5
    4.3.4
    4.3.3
    4.3.2
    4.3.1
    4.3.0
    4.2.9
    4.2.8
    4.2.7
    4.2.6
    4.2.5
    4.2.4
    4.2.3
    4.2.2
    4.2.1
    4.2.0
    4.1.0
    4.0.3
    4.0.2
    4.0.1
    4.0.0

    Create a new Zero Trust Network Access (ZTNA) rule

    Create a new Zero Trust Network Access (ZTNA) rule

    A ZTNA rule is a proxy policy used to enforce access control. ZTNA tags or tag groups can be defined to enforce zero trust role-based access. Security profiles can be configured to protect this traffic.

    Note

    You must enable the visibility of this feature in Policy & Objects before it can be configured. To toggle feature visibility, go to Policy & Objects > Tools > Feature Visibility, and add or remove a checkmark for the corresponding feature.
    To configure a ZTNA rule:
    1. If using ADOMs, ensure that you are in the correct ADOM.
    2. Go to Policy & Objects > Policy Packages.
    3. In the tree menu for the policy package in which you will be creating the new policy, select ZTNA Rules.
    4. Click Create New.
    5. Enter the following information:

      Option

      Description

      Name

      Enter a unique name for the policy. Each policy must have a unique name.

      Incoming Interface

      Click the field then select interfaces.

      Click the remove icon to remove interfaces.

      New objects can be created by clicking the Create New icon in the Object Selector frame. See Create a new object for more information.

      Source

      Select source addresses, address groups, virtual IPs, virtual IP groups, users, and user groups.

      ZTNA Tag

      Select the ZTNA tags and tag groups that are allowed access. See Zero Trust Network Access (ZTNA) objects.

      Match ZTNA Tags

      Select Any to match one or more tags or All to match all tags.

      ZTNA Server

      Select a ZTNA server. See Configuring a ZTNA server.

      Destination

      Select destination addresses, address groups, virtual IPs, and virtual IP groups.

      Schedule

      Select a one-time schedule, recurring schedule, or schedule group.

      Action

      Select an action for the policy to take: DENY or ACCEPT.

      Log Violation Traffic

      Turn violation logging on or off.

      Comments

      		Add a description of the policy, such as its purpose, or the changes that have been made to it.

      Advanced Options

      Configure advanced options, see Advanced options below.

      For more information on advanced option, see the FortiOS CLI Reference.

      Change Note

      		Add a description of the changes being made to the policy. This field is required.
    6. Click OK to create the policy. You can select to enable or disable the policy in the right-click menu. When disabled, a disabled icon will be displayed in the Seq.# column to the left of the number. By default, policies will be added to the bottom of the list, but above the implicit policy.
    Advanced options

    Option

    Description

    Default

    block-notification

    Enable or disable block notification.

    disable

    decrypted-traffic-mirror

    Select a decrypted traffic mirror.

    none

    device-ownership

    Enable or disable ownership enforcement at the policy level.

    disable

    disclaimer

    Disable or select where to display the web proxy disclaimer.

    disable

    dlp-profile

    Select an existing data leak prevention (DLP) profile.

    none

    dstaddr-negate

    Enable to negate the destination IP address.

    disable

    dstintf

    Select destination interfaces.

    none

    global-label

    Enter a global label for this policy for use in the GUI.

    none

    internet-service

    Enable or disable the use of internet services for this policy. If enabled, the destination address and service set in the policy are not used.

    		 disable

    internet-service-custom

    Select a custom internet service.

    none

    internet-service-custom-group

    Select a custom internet service group.

    		 none

    internet-service-group

    Select an internet service group.

    		 none

    internet-service-name

    Select an internet service.

    		 none

    internet-service-negate

    Enable to negate the internet service set in the policy.

    		 disable

    label

    Enter a VDOM-specific label for this policy for use in the GUI.

    none

    logtraffic-start

    Enable or disable policy log traffic start.

    disable

    poolname

    Select the IP pool object.

    none

    redirect-url

    Set the URL to which users are redirected after seeing and accepting the disclaimer or authenticating.

    		 none

    replacemsg-override-group

    Select the authentication message override group.

    none

    sctp-filter-profile

    Select an existing SCTP filter profile.

    		 none

    service

    Select services.

    none

    service-negate

    Enable or disable negation of the service set in the policy.

    		 disable

    session-ttl

    Enter a value for the session time-to-live (TTL), in seconds, from 300 to 604800, or type 0 for no limitation.

    0

    srcaddr-negate

    Enable or disable negation of the source address.

    disable

    ssh-filter-profile

    Select an SSH filter profile from the drop-down list.

    None

    ssh-policy-redirect

    Enable or disable SSH policy redirect.

    disable

    transparent

    Enable or disable connection using the client IP address.

    disable

    uuid

    Enter the universally unique identifier (UUID). This value is automatically assigned but can be manually reset.

    00000000-0000- 0000-0000- 000000000000

    webcache

    Enable or disable web cache (IPv4 only).

    disable

    webcache-https

    Enable or disable the web cache for HTTPS (IPv4 only).

    none

    webproxy-forward-server

    Select the webproxy forward server (IPv4 only).

    none

    webproxy-profile

    Select the webproxy profile (IPv4 only).

    none
    Previous
    Next

    Create a new Zero Trust Network Access (ZTNA) rule

    Create a new Zero Trust Network Access (ZTNA) rule

    A ZTNA rule is a proxy policy used to enforce access control. ZTNA tags or tag groups can be defined to enforce zero trust role-based access. Security profiles can be configured to protect this traffic.

    Note

    You must enable the visibility of this feature in Policy & Objects before it can be configured. To toggle feature visibility, go to Policy & Objects > Tools > Feature Visibility, and add or remove a checkmark for the corresponding feature.
    To configure a ZTNA rule:
    1. If using ADOMs, ensure that you are in the correct ADOM.
    2. Go to Policy & Objects > Policy Packages.
    3. In the tree menu for the policy package in which you will be creating the new policy, select ZTNA Rules.
    4. Click Create New.
    5. Enter the following information:

      Option

      Description

      Name

      Enter a unique name for the policy. Each policy must have a unique name.

      Incoming Interface

      Click the field then select interfaces.

      Click the remove icon to remove interfaces.

      New objects can be created by clicking the Create New icon in the Object Selector frame. See Create a new object for more information.

      Source

      Select source addresses, address groups, virtual IPs, virtual IP groups, users, and user groups.

      ZTNA Tag

      Select the ZTNA tags and tag groups that are allowed access. See Zero Trust Network Access (ZTNA) objects.

      Match ZTNA Tags

      Select Any to match one or more tags or All to match all tags.

      ZTNA Server

      Select a ZTNA server. See Configuring a ZTNA server.

      Destination

      Select destination addresses, address groups, virtual IPs, and virtual IP groups.

      Schedule

      Select a one-time schedule, recurring schedule, or schedule group.

      Action

      Select an action for the policy to take: DENY or ACCEPT.

      Log Violation Traffic

      Turn violation logging on or off.

      Comments

      		Add a description of the policy, such as its purpose, or the changes that have been made to it.

      Advanced Options

      Configure advanced options, see Advanced options below.

      For more information on advanced option, see the FortiOS CLI Reference.

      Change Note

      		Add a description of the changes being made to the policy. This field is required.
    6. Click OK to create the policy. You can select to enable or disable the policy in the right-click menu. When disabled, a disabled icon will be displayed in the Seq.# column to the left of the number. By default, policies will be added to the bottom of the list, but above the implicit policy.
    Advanced options

    Option

    Description

    Default

    block-notification

    Enable or disable block notification.

    disable

    decrypted-traffic-mirror

    Select a decrypted traffic mirror.

    none

    device-ownership

    Enable or disable ownership enforcement at the policy level.

    disable

    disclaimer

    Disable or select where to display the web proxy disclaimer.

    disable

    dlp-profile

    Select an existing data leak prevention (DLP) profile.

    none

    dstaddr-negate

    Enable to negate the destination IP address.

    disable

    dstintf

    Select destination interfaces.

    none

    global-label

    Enter a global label for this policy for use in the GUI.

    none

    internet-service

    Enable or disable the use of internet services for this policy. If enabled, the destination address and service set in the policy are not used.

    		 disable

    internet-service-custom

    Select a custom internet service.

    none

    internet-service-custom-group

    Select a custom internet service group.

    		 none

    internet-service-group

    Select an internet service group.

    		 none

    internet-service-name

    Select an internet service.

    		 none

    internet-service-negate

    Enable to negate the internet service set in the policy.

    		 disable

    label

    Enter a VDOM-specific label for this policy for use in the GUI.

    none

    logtraffic-start

    Enable or disable policy log traffic start.

    disable

    poolname

    Select the IP pool object.

    none

    redirect-url

    Set the URL to which users are redirected after seeing and accepting the disclaimer or authenticating.

    		 none

    replacemsg-override-group

    Select the authentication message override group.

    none

    sctp-filter-profile

    Select an existing SCTP filter profile.

    		 none

    service

    Select services.

    none

    service-negate

    Enable or disable negation of the service set in the policy.

    		 disable

    session-ttl

    Enter a value for the session time-to-live (TTL), in seconds, from 300 to 604800, or type 0 for no limitation.

    0

    srcaddr-negate

    Enable or disable negation of the source address.

    disable

    ssh-filter-profile

    Select an SSH filter profile from the drop-down list.

    None

    ssh-policy-redirect

    Enable or disable SSH policy redirect.

    disable

    transparent

    Enable or disable connection using the client IP address.

    disable

    uuid

    Enter the universally unique identifier (UUID). This value is automatically assigned but can be manually reset.

    00000000-0000- 0000-0000- 000000000000

    webcache

    Enable or disable web cache (IPv4 only).

    disable

    webcache-https

    Enable or disable the web cache for HTTPS (IPv4 only).

    none

    webproxy-forward-server

    Select the webproxy forward server (IPv4 only).

    none

    webproxy-profile

    Select the webproxy profile (IPv4 only).

    none
    Previous
    Next