Administration Guide

ZTNA-based FortiPAM access control

When ZTNA control is enforced on FortiPAM, devices without FortiClient installed cannot access FortiPAM.

To grant access to users on the browser extension-only solution (endpoints without FortiClient), create multiple proxy rules, one with ZTNA control and one without. See the CLI configuration for a user with browser extension-only solution example.

Enable ZTNA control to only allow endpoints with selected tags to access FortiPAM

To enable ZTNA control:
  1. Go to System > ZTNA.
  2. In the proxy rules list, select the FortiPAM_Default proxy rule and then select Edit.
  3. Enable ZTNA Control.
  4. In ZTNA Tag, add the ZTNA tags or tag groups that are allowed access.

    When selecting ZTNA tags, you can view all the ZTNA tags from the EMS server.

  5. Click OK.
  6. From the user dropdown on the top-right, select Logout.
  7. When you attempt to log in again, the browser prompts you to select a client certificate.

    Click OK to proceed with logging in to FortiPAM.

CLI configuration for a user from an endpoint with FortiClient installed (multiple proxy rules) example

In this example, a user from an endpoint with FortiClient installed can access FortiPAM via VIP 192.168.1.109, provided that the endpoint carries the FCTEMS8822008307_Office_Windows_PC or FCTEMS8822008307_MIS_Team ZTNA tag.

  1. In the CLI console, enter the following commands:

    config firewall vip
        edit "fortipam_vip"
            set type access-proxy
            set extip 192.168.1.109
            set extintf "any"
            set server-type https
            set extport 443
            set ssl-certificate "Fortinet_SSL"
        next
    end
    config firewall access-proxy
        edit "fortipam_access_proxy"
            set vip "fortipam_vip"
            set client-cert enable
            config api-gateway
                edit 1
                    set url-map "/pam"
                    set service pam-service
                next
                edit 2
                    set url-map "/tcp"
                    set service tcp-forwarding
                    config realservers
                        edit 1
                            set address "all"
                        next
                    end
                next
                edit 3
                    set service gui
                    config realservers
                        edit 1
                            set ip 127.0.0.1
                            set port 80
                        next
                    end
                next
            end
        next
    end
    config firewall policy
        edit 1
            set type access-proxy
            set name "FortiPAM_Default"
            set srcintf "any"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set access-proxy "fortipam_access_proxy"
            set ztna-ems-tag "FCTEMS8822008307_Office_Windows_PC" "FCTEMS8822008307_MIS_Team"
            set groups "SSO_Guest_Users"
            set ssl-ssh-profile "deep-inspection"
        next
    end

CLI configuration for a user with browser extension-only solution example

In this example, users at IP address 192.168.1.2 access FortiPAM via the VIP 192.168.1.108 from an endpoint that either has no FortiClient installed or does not match the ZTNA policy in the previous example.

Because this rule performs no ZTNA tag check, the firewall policy is more restrictive than the previous example and allows fewer source addresses. Two VIPs are required for this setup. The schedule setting can also limit access to a defined time window.

The access-proxy setting refers to the name of the corresponding firewall access-proxy, and the VIP setting of that access-proxy refers to the name of the corresponding firewall VIP. The VIP represents the FortiPAM ZTNA gateway to which clients make HTTPS connections. The service/server mappings define the virtual host matching rules and the real server mappings for the HTTPS requests. When creating an access proxy, it is recommended to copy the default access proxy and modify only the VIP and client-cert settings, so that the api-gateway mappings stay correct.

  1. In the CLI console, enter the following commands:

    config firewall vip
        edit "fortipam_vip-no-ztna"
            set type access-proxy
            set extip 192.168.1.108
            set extintf "any"
            set server-type https
            set extport 443
            set ssl-certificate "Fortinet_SSL"
        next
    end
    config firewall access-proxy
        edit "fortipam_access_proxy-no-ztna"
            set vip "fortipam_vip-no-ztna"
            config api-gateway
                edit 1
                    set url-map "/pam"
                    set service pam-service
                next
                edit 2
                    set url-map "/tcp"
                    set service tcp-forwarding
                    config realservers
                        edit 1
                            set address "all"
                        next
                    end
                next
                edit 3
                    set service gui
                    config realservers
                        edit 1
                            set ip 127.0.0.1
                            set port 80
                        next
                    end
                next
            end
        next
    end
    config firewall address
        edit "192.168.1.2"
            set subnet 192.168.1.2 255.255.255.255
        next
    end
    config firewall policy
        edit 2
            set type access-proxy
            set name "no ZTNA"
            set srcintf "any"
            set srcaddr "192.168.1.2"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set access-proxy "fortipam_access_proxy-no-ztna"
            set groups "SSO_Guest_Users"
            set ssl-ssh-profile "deep-inspection"
        next
    end
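The two proxy rules above depend on cross-references (policy to access-proxy, and on the ZTNA rule a client-cert requirement that backs the ztna-ems-tag check) that are easy to get wrong when copying configuration by hand. The following added example (not Fortinet's code or part of this guide) parses the config/edit/set/next/end CLI format into nested dictionaries and audits every access-proxy policy for the two properties these examples exhibit: a rule with ztna-ems-tag must use a proxy with client-cert enabled, and a rule without any ZTNA tag must not have srcaddr set to "all". The sample config is constructed and condensed from the two rules on this page; the VIP and api-gateway tables are omitted because the audit does not read them.

```python
import shlex
# Constructed sample, condensed from this page's two proxy rules (vip, api-gateway and vip refs omitted)
SAMPLE = """\
config firewall access-proxy
    edit "fortipam_access_proxy"
        set client-cert enable
    next
    edit "fortipam_access_proxy-no-ztna"
    next
end
config firewall policy
    edit 1
        set type access-proxy
        set srcaddr "all"
        set access-proxy "fortipam_access_proxy"
        set ztna-ems-tag "FCTEMS8822008307_Office_Windows_PC" "FCTEMS8822008307_MIS_Team"
    next
    edit 2
        set type access-proxy
        set srcaddr "192.168.1.2"
        set access-proxy "fortipam_access_proxy-no-ztna"
    next
end
"""
def parse_fortios(text):
    """Parse config/edit/set/next/end lines into nested dicts; set values are kept as lists."""
    stack = [{}]                               # stack[0] is the root, stack[-1] the open scope
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] in ("config", "edit"):       # open a table, or an entry inside it
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "set":
            stack[-1][tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):        # close the entry / table
            stack.pop()
    return stack[0]

def audit(cfg):
    """Findings for access-proxy policies; an empty list means every rule passes."""
    out, proxies = [], cfg.get("firewall access-proxy", {})
    for pid, pol in cfg.get("firewall policy", {}).items():
        if pol.get("type") != ["access-proxy"]:
            continue
        proxy = proxies.get(pol.get("access-proxy", [""])[0])
        if proxy is None:
            out.append(f"policy {pid}: access-proxy reference does not resolve")
        elif "ztna-ems-tag" in pol and proxy.get("client-cert") != ["enable"]:
            out.append(f"policy {pid}: ztna-ems-tag set but client-cert not enabled on proxy")
        elif "ztna-ems-tag" not in pol and pol.get("srcaddr", ["all"]) == ["all"]:
            out.append(f"policy {pid}: no ZTNA tag and srcaddr is all")
    return out
```

Run `audit(parse_fortios(SAMPLE))` against the page's two rules and it returns an empty list; widening the no-ZTNA rule to srcaddr "all" or disabling client-cert on the ZTNA proxy each produce a finding.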
