ZTNA-based FortiPAM access control
When ZTNA control is enforced on FortiPAM, devices without FortiClient installed cannot access FortiPAM.
If you want to grant access to the user using the browser extension-only solution, you can create multiple ZTNA servers and ZTNA rules to achieve it.
GUI only supports basic ZTNA configuration. It is recommended to use CLI to configure additional ZTNA rules (
Example: CLI configuration for a user on an endpoint with FortiClient installed
In this example, a user on an endpoint with FortiClient installed can access FortiPAM via the VIP 192.168.1.109, provided that the endpoint carries the FCTEMS8822008307_Office_Windows_PC or FCTEMS8822008307_MIS_Team ZTNA tag.
In the CLI console, enter the following commands:
config firewall vip
    edit "fortipam_vip"
        set type access-proxy
        set extip 192.168.1.109
        set extintf "any"
        set server-type https
        set extport 443
        set ssl-certificate "Fortinet_SSL"
    next
end
config firewall access-proxy
    edit "fortipam_access_proxy"
        set vip "fortipam_vip"
        set client-cert enable
        config api-gateway
            edit 1
                set url-map "/pam"
                set service pam-service
            next
            edit 2
                set url-map "/tcp"
                set service tcp-forwarding
                config realservers
                    edit 1
                        set address "all"
                    next
                end
            next
            edit 3
                set service gui
                config realservers
                    edit 1
                        set ip 127.0.0.1
                        set port 80
                    next
                end
            next
        end
    next
end
config firewall policy
    edit 1
        set type access-proxy
        set name "FortiPAM_Default"
        set srcintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set access-proxy "fortipam_access_proxy"
        set ztna-ems-tag "FCTEMS8822008307_Office_Windows_PC" "FCTEMS8822008307_MIS_Team"
        set groups "SSO_Guest_Users"
        set ssl-ssh-profile "deep-inspection"
    next
end
Example: CLI configuration for a user with the browser extension-only solution
In this example, users with the IP address 192.168.1.2 access FortiPAM via the VIP 192.168.1.108 from an endpoint that has no FortiClient installed, or that does not match the ZTNA policy in the previous example.
This firewall policy is more restrictive than the previous one: it allows fewer source addresses, and you can also limit access to a specific schedule.
In the CLI console, enter the following commands:
config firewall vip
    edit "fortipam_vip-no-ztna"
        set type access-proxy
        set extip 192.168.1.108
        set extintf "any"
        set server-type https
        set extport 443
        set ssl-certificate "Fortinet_SSL"
    next
end
config firewall access-proxy
    edit "fortipam_access_proxy-no-ztna"
        set vip "fortipam_vip-no-ztna"
        config api-gateway
            edit 1
                set url-map "/pam"
                set service pam-service
            next
            edit 2
                set url-map "/tcp"
                set service tcp-forwarding
                config realservers
                    edit 1
                        set address "all"
                    next
                end
            next
            edit 3
                set service gui
                config realservers
                    edit 1
                        set ip 127.0.0.1
                        set port 80
                    next
                end
            next
        end
    next
end
config firewall address
    edit "192.168.1.2"
        set subnet 192.168.1.2 255.255.255.255
    next
end
config firewall policy
    edit 2
        set type access-proxy
        set name "no ZTNA"
        set srcintf "any"
        set srcaddr "192.168.1.2"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set access-proxy "fortipam_access_proxy-no-ztna"
        set groups "SSO_Guest_Users"
        set ssl-ssh-profile "deep-inspection"
    next
end
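The two examples above rely on two invariants: a policy that matches on ztna-ems-tag sits behind an access proxy with client-cert enabled (so the device certificate can be checked), and a policy without ZTNA tags must not leave srcaddr at "all". The following audit script is an added example, not part of the FortiPAM documentation; it parses the CLI blocks into dicts and reports a policy that breaks either invariant. The sample configuration is constructed from this page and trimmed to the keys the check reads.

```python
import shlex
# Constructed sample, trimmed to the keys the audit reads: this page's access proxy
# plus its two policies ("FortiPAM_Default" with ZTNA tags, "no ZTNA" without).
SAMPLE_CONFIG = """config firewall access-proxy
    edit "fortipam_access_proxy"
        set client-cert enable
    next
end
config firewall policy
    edit 1
        set name "FortiPAM_Default"
        set srcaddr "all"
        set access-proxy "fortipam_access_proxy"
        set ztna-ems-tag "FCTEMS8822008307_Office_Windows_PC" "FCTEMS8822008307_MIS_Team"
    next
    edit 2
        set name "no ZTNA"
        set srcaddr "192.168.1.2"
        set access-proxy "fortipam_access_proxy-no-ztna"
    next
end
"""

def parse_fortios(text):
    """Turn config/edit/set/next/end lines into nested dicts; 'set' values are lists."""
    root, stack = {}, []
    node = root
    for words in filter(None, (shlex.split(line) for line in text.splitlines())):
        if words[0] in ("config", "edit"):  # open a table or one of its entries
            stack.append(node)
            node = node.setdefault(" ".join(words[1:]), {})
        elif words[0] in ("next", "end"):   # close it and return to the parent
            node = stack.pop()
        elif words[0] == "set":
            node[words[1]] = words[2:]
    return root

def audit_policies(cfg):
    """Map each access-proxy policy name to the findings a reviewer should raise."""
    proxies, report = cfg.get("firewall access-proxy", {}), {}
    for pid, pol in cfg.get("firewall policy", {}).items():
        if "access-proxy" not in pol:  # only access-proxy (ZTNA) policies matter here
            continue
        issues, proxy = [], proxies.get(pol["access-proxy"][0], {})
        if pol.get("ztna-ems-tag") and proxy.get("client-cert") != ["enable"]:
            issues.append("ZTNA tags set but the access proxy lacks client-cert enable")
        if not pol.get("ztna-ems-tag") and pol.get("srcaddr") == ["all"]:
            issues.append("no ZTNA tag and srcaddr all: any source can reach FortiPAM")
        report[pol.get("name", [pid])[0]] = issues
    return report
```

Run it against the output of `show firewall access-proxy` and `show firewall policy` to confirm that every non-ZTNA policy really is narrowed to specific source addresses.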