What

Zero Trust Network Access (ZTNA) is an access control method that uses client device identification, authentication, and security posture tags (formerly ZTNA tags) to provide role-based application access. It gives administrators the flexibility to manage network access for on-net (local) users and off-net (remote) users with one model. Access to an application is granted only after the device is verified, the user is authenticated and authorized, and context-based posture checks against the security posture tags pass.

Why

Traditionally, a user and a device have different sets of rules for on-net access and off-net VPN access to company resources. With a distributed workforce and access that spans company networks, data centers, and cloud, managing these rules becomes complex. User experience also suffers when multiple VPNs are needed to reach various resources. ZTNA can improve this by applying a single identity- and posture-based rule set regardless of where the user connects from.

Requirements

  • FortiClient EMS fabric connector and security posture tags.
  • FortiClient EMS running version 7.0.0 or later, or FortiClient EMS Cloud.
  • FortiClient running 7.0.0 or later.
  • A ZTNA server.
  • A ZTNA policy.

Step 1: Connecting EMS and FortiGate

Decide which ZTNA forwarding method to use

  • SSH access proxy
  • HTTPS access proxy
  • TCP forwarding access proxy (TFAP)


Connect FortiGate to EMS

I am using FortiClient Cloud EMS, so the steps we are going to take are:

config endpoint-control fctems
    edit <name>
        set fortinetone-cloud-authentication enable
        set certificate <string>
    next
end

That didn’t work for me on 7.4, so I did it in the GUI.

Security Fabric -> Fabric Connectors -> FortiClient EMS

Then I authorized the FortiGate in FortiClient EMS Cloud.

Next, enable the ZTNA feature so that it is shown on the FortiGate:

After enabling it, we should see the tags from the authorized EMS.
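If the tags do not appear, the following FortiGate CLI checks narrow down where the EMS connection is failing. This is an added example of verification commands, not part of the original post; the connector name EMS1 is an assumption and should be replaced with the name given to the fabric connector above.

```fortios
# Added example: verification commands, not from the original post.
# "EMS1" is a placeholder for the EMS fabric connector name.

# 1. Confirm the FortiGate can reach and is authorized by the EMS.
diagnose endpoint fctems test-connectivity EMS1

# 2. List the dynamic address objects learned from EMS. Each security
#    posture tag appears as an address; members fill in once registered
#    endpoints that match the tag are seen by the FortiGate.
diagnose firewall dynamic list

# 3. List the endpoint records the FortiGate currently holds, which
#    shows whether the client has been identified at all.
diagnose endpoint record list
```

Work through them in order: if step 1 fails, the connector or its authorization in EMS is the problem; if step 1 succeeds but step 2 shows tags with no members, the endpoint is not matching the tag rules or is not yet known to the FortiGate, which step 3 confirms.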

Step 2: Configure ZTNA server

We have a Corp Server at 172.16.1.4 that we will access using HTTP.

First, we configure the ZTNA server:

config firewall access-proxy
    edit "Corp Server"
        set vip "Corp Server"
        config api-gateway
            edit 1
                set service http
                config realservers
                    edit 1
                        set ip 172.16.1.4
                        set port 80
                    next
                end
            next
        end
    next
end

Second, we configure the firewall policy:

config firewall policy
    edit 1
        set name "Allow FortiClient to Corp"
        set uuid 34be53cc-68b6-51ef-6600-51407bbbc35f
        set srcintf "port1"
        set dstintf "any"
        set action accept
        set srcaddr "all"
        set dstaddr "Corp Server"
        set ztna-ems-tag "EMS1_ZTNA_all_registered_clients"
        set schedule "always"
        set utm-status enable
        set av-profile "default"
        set ips-sensor "default"
        set logtraffic all
        set nat enable
    next
end
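For reference, here is the same Corp Server published as a complete ZTNA server in the CLI form the FortiOS 7.0 administration guide uses. This is an added example assembled for this page, not the author's configuration. It supplies the two pieces the snippets above rely on but do not show: the `firewall vip` object of type `access-proxy` that `set vip "Corp Server"` refers to, and the ZTNA rule written as a proxy policy that ties the access proxy to the EMS tag. `set client-cert enable` is what enforces the device-verification step described in the What section (the FortiGate checks the EMS-issued client certificate before any application traffic is forwarded). The external IP 192.0.2.10, the use of port1 as the external interface, and the policy name are assumptions.

```fortios
# Added example in FortiOS 7.0 admin-guide style; not the author's config.
# 192.0.2.10, port1 and the policy name are placeholders.

# The virtual IP the access proxy listens on (type access-proxy).
config firewall vip
    edit "Corp Server"
        set type access-proxy
        set extip 192.0.2.10
        set extintf "port1"
        set server-type https
        set extport 443
        set ssl-certificate "Fortinet_Factory"
    next
end

# The ZTNA server: client certificate check on, HTTP real server behind it.
config firewall access-proxy
    edit "Corp Server"
        set vip "Corp Server"
        set client-cert enable
        config api-gateway
            edit 1
                set url-map "/"
                set service http
                config realservers
                    edit 1
                        set ip 172.16.1.4
                        set port 80
                    next
                end
            next
        end
    next
end

# The ZTNA rule as a proxy policy: only endpoints carrying the tag get through.
config firewall proxy-policy
    edit 1
        set name "ZTNA Corp Server"
        set proxy access-proxy
        set access-proxy "Corp Server"
        set srcintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set ztna-ems-tag "EMS1_ZTNA_all_registered_clients"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end
```

Clients connect to https://192.0.2.10 (the VIP) and the FortiGate proxies to 172.16.1.4:80 only after the certificate and tag checks pass, so the real server never has to be reachable from the client network directly.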

But it’s still not showing up in my EMS.

Step 3: Configure EMS profile
