
Administration Guide


ZTNA-based FortiPAM access control

When ZTNA control is enforced on FortiPAM, only endpoints that run FortiClient and can present a FortiClient device certificate together with the expected EMS ZTNA tags are allowed through the ZTNA rule; devices without FortiClient installed cannot satisfy that check and are denied access to FortiPAM.

If you also need to grant access to users who rely on the browser extension-only solution (no FortiClient on the endpoint), create a second ZTNA server (access proxy) on a separate VIP without client certificate enforcement, and a separate ZTNA rule for it. Because that path verifies no device identity or posture, restrict it by source address, user group, and schedule, as the second example below does.

The GUI only supports basic ZTNA configuration. Use the CLI to configure additional ZTNA rules (config firewall policy) and ZTNA servers (config firewall access-proxy). Note that the examples below use extintf "any" on the VIP and srcintf "any" in the policy, and both VIPs listen on port 443, so each VIP needs a distinct extip; in production, bind the VIP and the policy to the interface on which clients are expected to arrive rather than to all interfaces.

Example: CLI configuration for a user on an endpoint with FortiClient installed

In this example, a user on an endpoint with FortiClient installed can access FortiPAM through VIP 192.168.1.109, provided the endpoint carries either the FCTEMS8822008307_Office_Windows_PC or the FCTEMS8822008307_MIS_Team ZTNA tag. The access proxy enables client-cert, so the endpoint must present its FortiClient device certificate, and the ztna-ems-tag entries in the firewall policy match on those tags; the policy additionally requires the user to belong to the SSO_Guest_Users group.

  1. In the CLI console, enter the following commands:

    config firewall vip

    edit "fortipam_vip"

    set type access-proxy

    set extip 192.168.1.109

    set extintf "any"

    set server-type https

    set extport 443

    set ssl-certificate "Fortinet_SSL"

    next

    end

    config firewall access-proxy

    edit "fortipam_access_proxy"

    set vip "fortipam_vip"

    set client-cert enable

    config api-gateway

    edit 1

    set url-map "/pam"

    set service pam-service

    next

    edit 2

    set url-map "/tcp"

    set service tcp-forwarding

    config realservers

    edit 1

    set address "all"

    next

    end

    next

    edit 3

    set service gui

    config realservers

    edit 1

    set ip 127.0.0.1

    set port 80

    next

    end

    next

    end

    next

    end

    config firewall policy

    edit 1

    set type access-proxy

    set name "FortiPAM_Default"

    set srcintf "any"

    set srcaddr "all"

    set dstaddr "all"

    set action accept

    set schedule "always"

    set access-proxy "fortipam_access_proxy"

    set ztna-ems-tag "FCTEMS8822008307_Office_Windows_PC" "FCTEMS8822008307_MIS_Team"

    set groups "SSO_Guest_Users"

    set ssl-ssh-profile "deep-inspection"

    next

    end

Example: CLI configuration for a user with the browser extension-only solution

In this example, a user at source IP address 192.168.1.2 accesses FortiPAM through VIP 192.168.1.108 from an endpoint that either has no FortiClient installed or does not match the ZTNA policy in the previous example. This access proxy omits set client-cert enable, so no device certificate or ZTNA tag is verified; access is controlled only by the source address, the user group, and the schedule in the firewall policy.

The firewall policy is more restrictive than in the previous example: srcaddr is a single host address object (192.168.1.2/32) rather than all, so only that source can reach the non-ZTNA VIP. You can also replace the schedule "always" with a schedule object that permits access only during an approved window. Because a source IP address can be shared behind NAT, reassigned by DHCP, or impersonated on the local segment, treat the address restriction as a complementary control rather than a substitute for device verification, and do not expose the non-ZTNA VIP to untrusted networks.

  1. In the CLI console, enter the following commands:

    config firewall vip

    edit "fortipam_vip-no-ztna"

    set type access-proxy

    set extip 192.168.1.108

    set extintf "any"

    set server-type https

    set extport 443

    set ssl-certificate "Fortinet_SSL"

    next

    end

    config firewall access-proxy

    edit "fortipam_access_proxy-no-ztna"

    set vip "fortipam_vip-no-ztna"

    config api-gateway

    edit 1

    set url-map "/pam"

    set service pam-service

    next

    edit 2

    set url-map "/tcp"

    set service tcp-forwarding

    config realservers

    edit 1

    set address "all"

    next

    end

    next

    edit 3

    set service gui

    config realservers

    edit 1

    set ip 127.0.0.1

    set port 80

    next

    end

    next

    end

    next

    end

    config firewall address

    edit "192.168.1.2"

    set subnet 192.168.1.2 255.255.255.255

    next

    end

    config firewall policy

    edit 2

    set type access-proxy

    set name "no ZTNA"

    set srcintf "any"

    set srcaddr "192.168.1.2"

    set dstaddr "all"

    set action accept

    set schedule "always"

    set access-proxy "fortipam_access_proxy-no-ztna"

    set groups "SSO_Guest_Users"

    set ssl-ssh-profile "deep-inspection"

    next

    end

ZTNA-based FortiPAM access control

When ZTNA control is enforced on FortiPAM, only endpoints that run FortiClient and can present a FortiClient device certificate together with the expected EMS ZTNA tags are allowed through the ZTNA rule; devices without FortiClient installed cannot satisfy that check and are denied access to FortiPAM.

If you also need to grant access to users who rely on the browser extension-only solution (no FortiClient on the endpoint), create a second ZTNA server (access proxy) on a separate VIP without client certificate enforcement, and a separate ZTNA rule for it. Because that path verifies no device identity or posture, restrict it by source address, user group, and schedule, as the second example below does.

The GUI only supports basic ZTNA configuration. Use the CLI to configure additional ZTNA rules (config firewall policy) and ZTNA servers (config firewall access-proxy). Note that the examples below use extintf "any" on the VIP and srcintf "any" in the policy, and both VIPs listen on port 443, so each VIP needs a distinct extip; in production, bind the VIP and the policy to the interface on which clients are expected to arrive rather than to all interfaces.

Example: CLI configuration for a user on an endpoint with FortiClient installed

In this example, a user on an endpoint with FortiClient installed can access FortiPAM through VIP 192.168.1.109, provided the endpoint carries either the FCTEMS8822008307_Office_Windows_PC or the FCTEMS8822008307_MIS_Team ZTNA tag. The access proxy enables client-cert, so the endpoint must present its FortiClient device certificate, and the ztna-ems-tag entries in the firewall policy match on those tags; the policy additionally requires the user to belong to the SSO_Guest_Users group.

  1. In the CLI console, enter the following commands:

    config firewall vip

    edit "fortipam_vip"

    set type access-proxy

    set extip 192.168.1.109

    set extintf "any"

    set server-type https

    set extport 443

    set ssl-certificate "Fortinet_SSL"

    next

    end

    config firewall access-proxy

    edit "fortipam_access_proxy"

    set vip "fortipam_vip"

    set client-cert enable

    config api-gateway

    edit 1

    set url-map "/pam"

    set service pam-service

    next

    edit 2

    set url-map "/tcp"

    set service tcp-forwarding

    config realservers

    edit 1

    set address "all"

    next

    end

    next

    edit 3

    set service gui

    config realservers

    edit 1

    set ip 127.0.0.1

    set port 80

    next

    end

    next

    end

    next

    end

    config firewall policy

    edit 1

    set type access-proxy

    set name "FortiPAM_Default"

    set srcintf "any"

    set srcaddr "all"

    set dstaddr "all"

    set action accept

    set schedule "always"

    set access-proxy "fortipam_access_proxy"

    set ztna-ems-tag "FCTEMS8822008307_Office_Windows_PC" "FCTEMS8822008307_MIS_Team"

    set groups "SSO_Guest_Users"

    set ssl-ssh-profile "deep-inspection"

    next

    end

Example: CLI configuration for a user with the browser extension-only solution

In this example, a user at source IP address 192.168.1.2 accesses FortiPAM through VIP 192.168.1.108 from an endpoint that either has no FortiClient installed or does not match the ZTNA policy in the previous example. This access proxy omits set client-cert enable, so no device certificate or ZTNA tag is verified; access is controlled only by the source address, the user group, and the schedule in the firewall policy.

The firewall policy is more restrictive than in the previous example: srcaddr is a single host address object (192.168.1.2/32) rather than all, so only that source can reach the non-ZTNA VIP. You can also replace the schedule "always" with a schedule object that permits access only during an approved window. Because a source IP address can be shared behind NAT, reassigned by DHCP, or impersonated on the local segment, treat the address restriction as a complementary control rather than a substitute for device verification, and do not expose the non-ZTNA VIP to untrusted networks.

  1. In the CLI console, enter the following commands:

    config firewall vip

    edit "fortipam_vip-no-ztna"

    set type access-proxy

    set extip 192.168.1.108

    set extintf "any"

    set server-type https

    set extport 443

    set ssl-certificate "Fortinet_SSL"

    next

    end

    config firewall access-proxy

    edit "fortipam_access_proxy-no-ztna"

    set vip "fortipam_vip-no-ztna"

    config api-gateway

    edit 1

    set url-map "/pam"

    set service pam-service

    next

    edit 2

    set url-map "/tcp"

    set service tcp-forwarding

    config realservers

    edit 1

    set address "all"

    next

    end

    next

    edit 3

    set service gui

    config realservers

    edit 1

    set ip 127.0.0.1

    set port 80

    next

    end

    next

    end

    next

    end

    config firewall address

    edit "192.168.1.2"

    set subnet 192.168.1.2 255.255.255.255

    next

    end

    config firewall policy

    edit 2

    set type access-proxy

    set name "no ZTNA"

    set srcintf "any"

    set srcaddr "192.168.1.2"

    set dstaddr "all"

    set action accept

    set schedule "always"

    set access-proxy "fortipam_access_proxy-no-ztna"

    set groups "SSO_Guest_Users"

    set ssl-ssh-profile "deep-inspection"

    next

    end