ZTNA tag control example
To add ZTNA tag control using the CLI:

In the access proxy, client-cert must be enabled. Use ztna-ems-tag in the firewall policy to restrict FortiPAM access to endpoints that carry this tag.

- In the CLI console, enter the following commands:
```
config firewall access-proxy
    edit "fortipam_access_proxy"
        set vip "fortipam_vip"
        set client-cert enable #Must be enabled
        config api-gateway
            edit 1
                set url-map "/pam"
                set service pam-service
            next
            edit 2
                set url-map "/tcp"
                set service tcp-forwarding
                config realservers
                    edit 1
                        set address "all"
                    next
                end
            next
            edit 3
                set service gui
                config realservers
                    edit 1
                        set ip 127.0.0.1
                        set port 80
                    next
                end
            next
        end
    next
end
config firewall policy
    edit 1
        set type access-proxy
        set name "FortiPAM_Default"
        set srcintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set access-proxy "fortipam_access_proxy"
        set ztna-ems-tag "FCTEMS8822002925_pam-ems-tag-office" #Only endpoints with this tag can access FortiPAM
        set utm-status enable
        set groups "SSO_Guest_Users"
        set ssl-ssh-profile "deep-inspection"
    next
end
```
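The two settings the page calls out (client-cert on the access proxy and ztna-ems-tag on the access-proxy policy) are easy to drop when a policy is cloned or edited later. The following added example, which is not part of the FortiPAM documentation, parses a FortiOS-style CLI configuration and reports any access proxy without client-cert enabled and any access-proxy policy without a ZTNA tag. The sample configuration and the tag value are constructed placeholders; the checker only understands the flat config/edit/set/next/end layout shown on this page and skips nested sub-tables.

```python
import shlex

# Constructed sample modelled on the page's config; the tag value is a placeholder.
SAMPLE = """
config firewall access-proxy
    edit "fortipam_access_proxy"
        set client-cert enable
    next
end
config firewall policy
    edit 1
        set type access-proxy
        set ztna-ems-tag "EMS_PLACEHOLDER_pam-ems-tag-office"
    next
    edit 2
        set type access-proxy
    next
end
"""

def parse_config(text):
    """{table: {entry: {setting: [values]}}}; nested sub-tables are skipped."""
    tables, stack = {}, []
    for raw in text.splitlines():
        tokens = shlex.split(raw.split("#", 1)[0])  # drop trailing comments
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd in ("config", "edit"):
            stack.append(" ".join(args))
            if len(stack) == 1:
                tables.setdefault(stack[0], {})
            elif len(stack) == 2:
                tables[stack[0]].setdefault(stack[1], {})
        elif cmd == "set" and len(stack) == 2:
            tables[stack[0]][stack[1]][args[0]] = args[1:]
        elif cmd in ("next", "end") and stack:
            stack.pop()
    return tables

def ztna_findings(text):
    """List of problems; empty means every proxy and policy is restricted."""
    cfg, out = parse_config(text), []
    for name, s in cfg.get("firewall access-proxy", {}).items():
        if s.get("client-cert") != ["enable"]:
            out.append(f"access-proxy {name}: client-cert not enabled")
    for pid, s in cfg.get("firewall policy", {}).items():
        if s.get("type") == ["access-proxy"] and not s.get("ztna-ems-tag"):
            out.append(f"policy {pid}: no ztna-ems-tag set")
    return out
```

Run it against the output of `show firewall access-proxy` and `show firewall policy` to confirm that policy 2, which lacks the tag, is flagged while policy 1 passes.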