Creating a ZTNA rule
A ZTNA rule is a proxy policy used to enforce access control. ZTNA tags or tag groups can be defined to enforce zero trust role based access. Security profiles can be configured to protect this traffic.
A default FortiPAM_Default ZTNA rule is available in the ZTNA rules list.
To configure a ZTNA rule:
- Go to System > ZTNA and select the ZTNA Rules tab.
- Select +Create New.
The New ZTNA Rule window opens.
- Enter the following information:
  - Name
    The name of the ZTNA rule. Names are not fixed and can be changed later.
  - Incoming Interface
    Select incoming interfaces or create new interfaces. Use the search bar to look for an interface, and the pen icon next to an interface to edit it.
  - Source
    Select sources or create new sources (default = all). You can select or create the following types of sources: Address, Address Group, User, and User Group. Use the search bar to look for a source, and the pen icon next to a source to edit it.
  - ZTNA Tag
    Add the ZTNA tags or tag groups that are allowed access. ZTNA tags are synchronized from the EMS side. Use the search bar to look for a ZTNA tag.
  - Match ZTNA tags
    If multiple tags are included, select Any or All (default = Any).
  - ZTNA Server
    From the dropdown, select a ZTNA server or create a ZTNA server. Use the search bar to look for a ZTNA server, and the pen icon next to a server to edit it.
  - Destination
    Select or create a destination. You can select or create the following types of destinations: Address, Address Group, User, and User Group. Use the search bar to look for a destination, and the pen icon next to a destination to edit it.
  - Action
    Select the action to apply to matching traffic:
    - ACCEPT (default)
    - DENY
  - Protocol Options
    From the dropdown, select a protocol or create a new protocol. The default protocol is read-only. Use the search bar to look for a protocol.
    Note: This option is only available when Action is set to ACCEPT.
  - SSL/SSH Inspection
    From the dropdown, select an SSL/SSH inspection profile (default = no-inspection). Use the search bar to look for an SSL/SSH inspection profile, and the pen icon next to the profile to edit it.
    Note: This option is only available when Action is set to ACCEPT.
  - Logging Options
    - Log Allowed Traffic
      Enable to record log messages about the accepted traffic. Select one of the following two options:
      - Security Events: Record only log messages related to security events caused by the accepted traffic (default).
      - All Sessions: Record all log messages related to all of the accepted traffic.
      Note: This option is enabled by default, and is only available when Action is set to ACCEPT.
    - Generate Logs when Session Starts
      Enable to generate logs when the session starts.
      Note: This option is disabled by default, and is only available when Log Allowed Traffic is enabled.
  - Comments
    Optionally, enter comments about the ZTNA rule.
  - Enable this policy
    Select to enable the policy.
    Note: This option is enabled by default.
  - Enable Policy Matching Pass Through
    Enable to make the policy a pass-through policy. When traffic matches a pass-through policy, the firewall continues to the next policy. After FortiPAM has tried to match all policies, it sets the last matched pass-through policy as the matched policy.
    Note: This option is disabled by default.
- Click OK.
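The Any/All tag matching and the pass-through behaviour described above are easier to see in a small model. The following Python is an added illustration, not FortiPAM code; the rule names, tags and source groups are constructed, and falling back to an implicit deny when no rule matches is an assumption rather than something this page states.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class ZtnaRule:
    """One rule from the ZTNA Rules list, reduced to the fields that drive matching."""
    name: str
    ztna_tags: frozenset                 # ZTNA Tag: tags or tag groups allowed access
    match_all: bool = False              # Match ZTNA tags: All (True) or Any (False, default)
    sources: Optional[frozenset] = None  # Source: None models the default "all"
    action: str = "ACCEPT"               # Action: ACCEPT (default) or DENY
    pass_through: bool = False           # Enable Policy Matching Pass Through
    enabled: bool = True                 # Enable this policy (enabled by default)

def tags_match(rule: ZtnaRule, device_tags: frozenset) -> bool:
    """Apply the rule's Any/All logic to the tags EMS reports for the endpoint."""
    if rule.match_all:
        return rule.ztna_tags <= device_tags   # All: every rule tag must be present
    return bool(rule.ztna_tags & device_tags)  # Any: at least one rule tag present

def rule_matches(rule: ZtnaRule, source: str, device_tags: frozenset) -> bool:
    if not rule.enabled:
        return False
    if rule.sources is not None and source not in rule.sources:
        return False
    return tags_match(rule, device_tags)

def match_policy(rules, source: str, device_tags: frozenset) -> Optional[ZtnaRule]:
    """A matching pass-through rule is remembered and evaluation continues; the first
    matching non-pass-through rule wins; otherwise the last matched pass-through rule
    is the matched policy. None means nothing matched (assumed implicit deny)."""
    last_pass_through = None
    for rule in rules:
        if not rule_matches(rule, source, device_tags):
            continue
        if rule.pass_through:
            last_pass_through = rule
            continue
        return rule
    return last_pass_through

# Constructed sample rule table; names, tags and groups are made up for illustration.
RULES = [
    ZtnaRule("pt-managed", frozenset({"managed"}), pass_through=True),
    ZtnaRule("contractor-deny", frozenset({"contractor"}), sources=frozenset({"contractor-grp"}), action="DENY"),
    ZtnaRule("admins", frozenset({"managed", "mfa"}), match_all=True, sources=frozenset({"admin-grp"})),
    ZtnaRule("pt-fallback", frozenset({"managed"}), pass_through=True),
]

def decide(source: str, device_tags) -> tuple:
    """Return (matched rule name, action); (None, 'implicit-deny') when no rule matches."""
    rule = match_policy(RULES, source, frozenset(device_tags))
    return (rule.name, rule.action) if rule else (None, "implicit-deny")
```

Calling `decide("admin-grp", {"managed"})` returns the pass-through rule `pt-fallback`, because the `admins` rule requires all of its tags, while `decide("admin-grp", {"managed", "mfa"})` returns `admins`.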