ZTNA-based FortiPAM access control
When ZTNA control is enforced on FortiPAM, devices without FortiClient installed cannot access FortiPAM.
If you want to grant access to the user using the browser extension-only solution, you can create multiple proxy rules to achieve this. See CLI configuration for a user with browser extension-only solution example.
Enable ZTNA control to only allow endpoints with selected tags to access FortiPAM
To enable ZTNA control:
- Go to System > ZTNA.
- In the proxy rules list, select the FortiPAM_Default proxy rule and then select Edit.
- Enable ZTNA Control.
- In ZTNA Tag, add the ZTNA tags or tag groups that are allowed access.
When selecting ZTNA tags, you can view all the ZTNA tags from the EMS server.
- Click OK.
- From the user dropdown on the top-right, select Logout.
- When attempting to log in, a certificate check appears in the browser. Click OK to proceed with logging in to FortiPAM.
CLI configuration for a user from endpoint installed with FortiClient (multiple proxy rules) example
In this example, a user from an endpoint with FortiClient installed can access FortiPAM via VIP 192.168.1.109, provided that the endpoint carries the FCTEMS8822008307_Office_Windows_PC or FCTEMS8822008307_MIS_Team ZTNA tag.
- In the CLI console, enter the following commands:
config firewall vip
    edit "fortipam_vip"
        set type access-proxy
        set extip 192.168.1.109
        set extintf "any"
        set server-type https
        set extport 443
        set ssl-certificate "Fortinet_SSL"
    next
end
config firewall access-proxy
    edit "fortipam_access_proxy"
        set vip "fortipam_vip"
        set client-cert enable
        config api-gateway
            edit 1
                set url-map "/pam"
                set service pam-service
            next
            edit 2
                set url-map "/tcp"
                set service tcp-forwarding
                config realservers
                    edit 1
                        set address "all"
                    next
                end
            next
            edit 3
                set service gui
                config realservers
                    edit 1
                        set ip 127.0.0.1
                        set port 80
                    next
                end
            next
        end
    next
end
config firewall policy
    edit 1
        set type access-proxy
        set name "FortiPAM_Default"
        set srcintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set access-proxy "fortipam_access_proxy"
        set ztna-ems-tag "FCTEMS8822008307_Office_Windows_PC" "FCTEMS8822008307_MIS_Team"
        set groups "SSO_Guest_Users"
        set ssl-ssh-profile "deep-inspection"
    next
end
CLI configuration for a user with browser extension-only solution example
In this example, users with IP address 192.168.1.2 access FortiPAM via the VIP 192.168.1.108 from an endpoint that either has no FortiClient installed or does not match the ZTNA policy in the previous example.
The firewall policy is more restrictive than in the previous example and allows fewer source addresses. Two VIPs are required for this setup. You can also restrict access to a specific schedule only.
The access-proxy setting links to the name of the corresponding firewall access-proxy. The VIP setting links to the name of the corresponding firewall VIP. The VIP represents the FortiPAM ZTNA gateway to which clients make HTTPS connections. The service/server mappings define the virtual host matching rules and the actual server mappings of the HTTPS requests. When creating an access proxy, it is recommended to copy the default access proxy and modify only the VIP and client-cert settings to ensure proper configuration.
- In the CLI console, enter the following commands:
config firewall vip
    edit "fortipam_vip-no-ztna"
        set type access-proxy
        set extip 192.168.1.108
        set extintf "any"
        set server-type https
        set extport 443
        set ssl-certificate "Fortinet_SSL"
    next
end
config firewall access-proxy
    edit "fortipam_access_proxy-no-ztna"
        set vip "fortipam_vip-no-ztna"
        config api-gateway
            edit 1
                set url-map "/pam"
                set service pam-service
            next
            edit 2
                set url-map "/tcp"
                set service tcp-forwarding
                config realservers
                    edit 1
                        set address "all"
                    next
                end
            next
            edit 3
                set service gui
                config realservers
                    edit 1
                        set ip 127.0.0.1
                        set port 80
                    next
                end
            next
        end
    next
end
config firewall address
    edit "192.168.1.2"
        set subnet 192.168.1.2 255.255.255.255
    next
end
config firewall policy
    edit 2
        set type access-proxy
        set name "no ZTNA"
        set srcintf "any"
        set srcaddr "192.168.1.2"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set access-proxy "fortipam_access_proxy-no-ztna"
        set groups "SSO_Guest_Users"
        set ssl-ssh-profile "deep-inspection"
    next
end
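The two examples above differ in exactly the settings that decide who can reach the FortiPAM gateway: the ZTNA-enforced policy relies on ztna-ems-tag plus client-cert enable on its access proxy, while the extension-only policy must compensate with a narrow srcaddr (and optionally a schedule). The following script is an added example, not Fortinet or FortiPAM code: it parses the config/edit/set/next/end syntax shown in both examples into nested dictionaries and audits every access-proxy firewall policy for the combinations a reviewer would flag. The embedded SAMPLE_CONFIG is constructed for the example; policies 1 and 2 mirror the page, and policy 3 ("constructed-bad") is a hypothetical misconfiguration with no ZTNA tag and srcaddr "all". The finding levels and messages are this example's own choices.

```python
"""Audit FortiOS-style CLI config for access-proxy policies (added example)."""
import shlex

# Constructed sample: policies 1 and 2 follow the page's examples; policy 3 is a
# hypothetical extension-only policy that forgot to narrow its source address.
SAMPLE_CONFIG = """
config firewall access-proxy
    edit "fortipam_access_proxy"
        set vip "fortipam_vip"
        set client-cert enable
    next
    edit "fortipam_access_proxy-no-ztna"
        set vip "fortipam_vip-no-ztna"
    next
end
config firewall policy
    edit 1
        set type access-proxy
        set name "FortiPAM_Default"
        set srcaddr "all"
        set schedule "always"
        set access-proxy "fortipam_access_proxy"
        set ztna-ems-tag "FCTEMS8822008307_Office_Windows_PC" "FCTEMS8822008307_MIS_Team"
    next
    edit 2
        set type access-proxy
        set name "no ZTNA"
        set srcaddr "192.168.1.2"
        set schedule "always"
        set access-proxy "fortipam_access_proxy-no-ztna"
    next
    edit 3
        set type access-proxy
        set name "constructed-bad"
        set srcaddr "all"
        set schedule "always"
        set access-proxy "fortipam_access_proxy-no-ztna"
    next
end
"""


def parse_config(text):
    """Parse config/edit/set/next/end blocks into nested dicts.

    Result shape: {"firewall policy": {"1": {"type": ["access-proxy"], ...}}}.
    Every 'set' value is kept as a list of tokens, so multi-valued keys such
    as ztna-ems-tag keep all their tags.
    """
    root = {}
    stack = [root]  # innermost dict is the current block
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)  # honours the quoted names in the CLI
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set":
            stack[-1][args[0]] = args[1:]
        elif cmd in ("next", "end"):
            stack.pop()
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced config/edit blocks")
    return root


def audit_policies(cfg):
    """Return (policy_id, level, message) tuples for access-proxy policies."""
    proxies = cfg.get("firewall access-proxy", {})
    findings = []
    for pid, pol in cfg.get("firewall policy", {}).items():
        if pol.get("type") != ["access-proxy"]:
            continue
        tags = pol.get("ztna-ems-tag", [])
        srcaddr = pol.get("srcaddr", [])
        proxy = proxies.get(pol.get("access-proxy", [""])[0], {})
        client_cert = proxy.get("client-cert", ["disable"])[0] == "enable"
        # Extension-only policy that is open to every source address.
        if not tags and "all" in srcaddr:
            findings.append((pid, "HIGH", "no ZTNA tag and srcaddr 'all'"))
        # ZTNA tags cannot be evaluated without the endpoint's client certificate.
        if tags and not client_cert:
            findings.append((pid, "HIGH", "ZTNA tags set but access-proxy lacks 'set client-cert enable'"))
        # The page suggests a restricted schedule for the extension-only rule.
        if not tags and pol.get("schedule") == ["always"]:
            findings.append((pid, "INFO", "extension-only policy uses schedule 'always'"))
    return findings


if __name__ == "__main__":
    for pid, level, msg in audit_policies(parse_config(SAMPLE_CONFIG)):
        print(f"policy {pid}: {level}: {msg}")
```

Feed the script a real `show firewall policy` / `show firewall access-proxy` export instead of SAMPLE_CONFIG to check that every rule without ztna-ems-tag is pinned to a specific srcaddr, as the second example does with the 192.168.1.2 address object.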