Administration Guide

ZTNA tag control example

To add a ZTNA tag control:
  1. Go to System > ZTNA and select the ZTNA Servers tab.
  2. Select the default fortipam_access_proxy server and click Edit.
  3. In Client Certificate, select Enable.
  4. Click OK.

    After enabling Client Certificate, you are required to log in again.

  5. In the certificate check pop-up that appears, click OK.
  6. Log in to FortiPAM.
  7. Go to System > ZTNA and select the ZTNA Rules tab.
  8. Select the default FortiPAM_Default rule and click Edit.
  9. In ZTNA Tag, add the ZTNA tags or tag groups that are allowed access.

    You can choose whether to match all the tags or any by selecting All or Any for Match ZTNA tags.

    Only endpoints with the added tags can access FortiPAM.

  10. Click OK.

    On the ZTNA Tags tab, you can see all the ZTNA tags received from the EMS server and create ZTNA tag groups.

    See Creating a ZTNA tag group.

To add ZTNA tag control using the CLI:

In the access proxy, client-cert must be enabled. In the firewall policy, ztna-ems-tag restricts FortiPAM access to endpoints that carry that tag.

  1. In the CLI console enter the following commands:

    config firewall access-proxy
        edit "fortipam_access_proxy"
            set vip "fortipam_vip"
            set client-cert enable <---
            config api-gateway
                edit 1
                    set url-map "/pam"
                    set service pam-service
                next
                edit 2
                    set url-map "/tcp"
                    set service tcp-forwarding
                    config realservers
                        edit 1
                            set address "all"
                        next
                    end
                next
                edit 3
                    set service gui
                    config realservers
                        edit 1
                            set ip 127.0.0.1
                            set port 80
                        next
                    end
                next
            end
        next
    end
    config firewall policy
        edit 1
            set type access-proxy
            set name "FortiPAM_Default"
            set srcintf "any"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set access-proxy "fortipam_access_proxy"
            set ztna-ems-tag "FCTEMS8822002925_pam-ems-tag-office" <---
            set utm-status enable
            set groups "SSO_Guest_Users"
            set ssl-ssh-profile "deep-inspection"
        next
    end

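The two settings marked with arrows above only provide tag control together: a policy with ztna-ems-tag but a proxy without client-cert, or a ZTNA policy with no tag at all, leaves FortiPAM reachable by any endpoint. The following script is an added example (not Fortinet code) that parses the config/edit/set/next/end syntax shown above and reports such gaps; it handles only the single-line subset of the syntax seen on this page, and the "legacy_proxy" entry and policy 2 in the sample are constructed to show the failing cases.

```python
# Added example, not Fortinet code: parse the config/edit/set/next/end syntax
# shown above and flag access-proxy policies that do not actually enforce tags.
import shlex

def parse_cli(text):
    root, stack = {}, []  # stack of the currently open config/edit scopes
    for raw in text.splitlines():
        parts = shlex.split(raw.split("<---")[0])  # ignore documentation arrows
        if parts and parts[0] in ("config", "edit"):
            cur = stack[-1] if stack else root
            stack.append(cur.setdefault(" ".join(parts[1:]), {}))
        elif parts and parts[0] == "set":
            stack[-1][parts[1]] = parts[2:]  # every value kept as a list
        elif parts and parts[0] in ("next", "end"):
            stack.pop()
    return root

def audit_ztna(text):
    cfg = parse_cli(text)  # yields (policy name, finding) per ineffective tag control
    proxies = cfg.get("firewall access-proxy", {})
    for pid, pol in cfg.get("firewall policy", {}).items():
        if "access-proxy" not in pol:
            continue  # ordinary firewall policy, not a ZTNA rule
        name = pol.get("name", [pid])[0]
        if not pol.get("ztna-ems-tag"):
            yield name, "no ztna-ems-tag: any endpoint may connect"
        for proxy in pol["access-proxy"]:
            if proxies.get(proxy, {}).get("client-cert") != ["enable"]:
                yield name, f"client-cert not enabled on {proxy}"

# Constructed sample: policy 1 is correct; policy 2 has no tag and its proxy lacks client-cert.
SAMPLE = """
config firewall access-proxy
    edit "fortipam_access_proxy"
        set client-cert enable <---
    next
    edit "legacy_proxy"
    next
end
config firewall policy
    edit 1
        set name "FortiPAM_Default"
        set access-proxy "fortipam_access_proxy"
        set ztna-ems-tag "FCTEMS8822002925_pam-ems-tag-office"
    next
    edit 2
        set access-proxy "legacy_proxy"
    next
end
"""
```

Running `list(audit_ztna(SAMPLE))` returns two findings, both for policy 2, and none for FortiPAM_Default.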