Fortinet black logo

Administration Guide

Configuring a ZTNA Profile

Configuring a ZTNA Profile

The ZTNA Profile is the ZTNA policy used to enforce access control to HTTPS virtual servers. ZTNA profiles consist of one or more ZTNA rules that determine the Source IP and ZTNA tags that are allowed to access, and the resulting action to take.

After you have created a ZTNA profile, you can reference the ZTNA profile in an HTTPS server policy.

Before you begin:
  • You must have registered the FortiWeb device through the FortiClient EMS connector. For more information, see Zero Trust Network Access (ZTNA) and Configuring FortiClient EMS Connector for ZTNA.
  • Verify if the ZTNA tags are shown in the Zero Trust Access > ZTNA Profile > ZTNA Tags tab in FortiWeb's GUI. These tags are automatically synchronized from FortiClient EMS.
  • You must have Read-Write permission for Server Policy configuration.
  • You must have enabled ZTNA in System > Config > Feature Visibility.
To create and configure a ZTNA rule:
  1. Go to Zero Trust Access > ZTNA Profile, then select the ZTNA Rule tab.
  2. Click Create New to display the configuration editor.
  3. Enter a name for the rule.
  4. Select the action that FortiWeb will take if the request matches the conditions.
    1. Alert & Deny—Block the request (or reset the connection) and generate an alert email and/or log message.

      You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see Customizing error and authentication pages (replacement messages).

    2. Deny (no log)—Block the request (or reset the connection).
    3. Accept—Allow the request. Do not generate an alert and/or log message.
  5. Click OK.
  6. Click Add Condition.
  7. Configure if the request should match the Source IP, GEO IP, or ZTNA tags.
  8. g

    Parameter

    Description

    Source IP

    If source IP is selected, you need to enter one of the following values in Source IPv4/IPv6/IP Range:

    • A single IP address that a client source IP must match, such as a trusted private network IP address (e.g. an administrator’s computer, 192.0.2.109).
    • A range of addresses (e.g., 192.0.2.1-192.0.2.256 or 10:200::10:1-10:200:10:100).

    GEO IP

  9. Select the countries to match. FortiWeb matches the traffic from the countries you select.
  10. ZTNA Tags

    Select the ZTNA tags to match.

    All means the request only matches if it has all tags specified; Any means the request matches if it has any of the tags specified.

  11. Click OK.

Repeat the steps above if you want to add more conditions.

If multiple conditions are added in one ZTNA rule, the matching logic is:

  • For conditions in different types (Source IP, GEO and ZTNA Tags), their relationship is ALL.

  • For conditions in the same type, their relationship is OR.

If a request matches with the conditions specified in the rule, FortiWeb will take corresponding actions specified in the rule.

The ZTNA rule should be referenced in a ZTNA profile.

To create and configure a ZTNA profile:

  1. Go to Zero Trust Access > ZTNA Profile, then select the ZTNA Profile tab.
  2. Click Create New to display the configuration editor.
  3. Enter a name for the profile.
  4. Select the default action that FortiWeb will take if the request matches the rules.
    1. Alert & Deny—Block the request (or reset the connection) and generate an alert email and/or log message.

      You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see Customizing error and authentication pages (replacement messages).

    2. Deny (no log)—Block the request (or reset the connection).
    3. Accept—Allow the request. Do not generate an alert and/or log message.
  5. Click OK.
  6. Click Create new.
  7. Select the ZTNA rule you have created.
  8. Click OK.
  9. Repeat the steps above to add multiple rules.

If multiple conditions are added in one ZTNA rule, the matching logic is:

  • The rules are matched from the top to the bottom.

  • Once a rule is matched, all the rules below it will be skipped.

If a request matches a rule, the action specified in the rule will be taken.

If a request doesn't match any of the rules, the default action specified in the profile will be taken.

Apply the ZTNA profile to a server policy. Ensure the corresponding Client SSL profile is enabled for client certificate verification. For details, see Configuring virtual servers and Configuring client SSL profiles.

Configuring a ZTNA Profile

The ZTNA Profile is the ZTNA policy used to enforce access control to HTTPS virtual servers. ZTNA profiles consist of one or more ZTNA rules that determine the Source IP and ZTNA tags that are allowed to access, and the resulting action to take.

After you have created a ZTNA profile, you can reference the ZTNA profile in an HTTPS server policy.

Before you begin:
  • You must have registered the FortiWeb device through the FortiClient EMS connector. For more information, see Zero Trust Network Access (ZTNA) and Configuring FortiClient EMS Connector for ZTNA.
  • Verify if the ZTNA tags are shown in the Zero Trust Access > ZTNA Profile > ZTNA Tags tab in FortiWeb's GUI. These tags are automatically synchronized from FortiClient EMS.
  • You must have Read-Write permission for Server Policy configuration.
  • You must have enabled ZTNA in System > Config > Feature Visibility.
To create and configure a ZTNA rule:
  1. Go to Zero Trust Access > ZTNA Profile, then select the ZTNA Rule tab.
  2. Click Create New to display the configuration editor.
  3. Enter a name for the rule.
  4. Select the action that FortiWeb will take if the request matches the conditions.
    1. Alert & Deny—Block the request (or reset the connection) and generate an alert email and/or log message.

      You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see Customizing error and authentication pages (replacement messages).

    2. Deny (no log)—Block the request (or reset the connection).
    3. Accept—Allow the request. Do not generate an alert and/or log message.
  5. Click OK.
  6. Click Add Condition.
  7. Configure if the request should match the Source IP, GEO IP, or ZTNA tags.
  8. g

    Parameter

    Description

    Source IP

    If source IP is selected, you need to enter one of the following values in Source IPv4/IPv6/IP Range:

    • A single IP address that a client source IP must match, such as a trusted private network IP address (e.g. an administrator’s computer, 192.0.2.109).
    • A range of addresses (e.g., 192.0.2.1-192.0.2.256 or 10:200::10:1-10:200:10:100).

    GEO IP

  9. Select the countries to match. FortiWeb matches the traffic from the countries you select.
  10. ZTNA Tags

    Select the ZTNA tags to match.

    All means the request only matches if it has all tags specified; Any means the request matches if it has any of the tags specified.

  11. Click OK.

Repeat the steps above if you want to add more conditions.

If multiple conditions are added in one ZTNA rule, the matching logic is:

  • For conditions in different types (Source IP, GEO and ZTNA Tags), their relationship is ALL.

  • For conditions in the same type, their relationship is OR.

If a request matches with the conditions specified in the rule, FortiWeb will take corresponding actions specified in the rule.

The ZTNA rule should be referenced in a ZTNA profile.

To create and configure a ZTNA profile:

  1. Go to Zero Trust Access > ZTNA Profile, then select the ZTNA Profile tab.
  2. Click Create New to display the configuration editor.
  3. Enter a name for the profile.
  4. Select the default action that FortiWeb will take if the request matches the rules.
    1. Alert & Deny—Block the request (or reset the connection) and generate an alert email and/or log message.

      You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see Customizing error and authentication pages (replacement messages).

    2. Deny (no log)—Block the request (or reset the connection).
    3. Accept—Allow the request. Do not generate an alert and/or log message.
  5. Click OK.
  6. Click Create new.
  7. Select the ZTNA rule you have created.
  8. Click OK.
  9. Repeat the steps above to add multiple rules.

If multiple conditions are added in one ZTNA rule, the matching logic is:

  • The rules are matched from the top to the bottom.

  • Once a rule is matched, all the rules below it will be skipped.

If a request matches a rule, the action specified in the rule will be taken.

If a request doesn't match any of the rules, the default action specified in the profile will be taken.

Apply the ZTNA profile to a server policy. Ensure the corresponding Client SSL profile is enabled for client certificate verification. For details, see Configuring virtual servers and Configuring client SSL profiles.