
ZTNA Reference Guide

FortiOS 7.2
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com

FORTINET VIDEO GUIDE
https://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com

FORTINET TRAINING & CERTIFICATION PROGRAM
https://www.fortinet.com/training-certification

NSE INSTITUTE
https://training.fortinet.com

FORTIGUARD CENTER
https://www.fortiguard.com

END USER LICENSE AGREEMENT
https://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: [email protected]

August 04, 2022


FortiOS 7.2 ZTNA Reference Guide
01-720-828971-20220804
TABLE OF CONTENTS

Introduction 4
Endpoint posture check 5
Recommended posture checks 5
Other posture checks 6
CASB SaaS application support 9
Change log 11

FortiOS 7.2 ZTNA Reference Guide 3


Fortinet Inc.
Introduction

Zero trust network access (ZTNA) is an access control method that uses client device identification, authentication, and
zero trust tags to provide role-based application access. It gives administrators the flexibility to manage network access
for on-net local users and off-net remote users. Access to an application is granted only after the device has been verified,
the user's identity has been authenticated, the user has been authorized, and context-based posture checks using zero
trust tags have passed.
This document provides reference information for ZTNA.

Endpoint posture check

The following are different context-based posture checks that FortiClient EMS supports as part of the Zero Trust
solution:

Recommended posture checks

For the vulnerable devices rule type, checking for high-risk vulnerabilities and above (the "High or higher" posture check) is recommended.

Rule type | Posture check | Supported operating systems
--------------------------------------------------------------------------------
Vulnerable devices | Critical | Windows, macOS, Linux
Vulnerable devices | High or higher | Windows, macOS, Linux
Vulnerable devices | Medium or higher | Windows, macOS, Linux
Vulnerable devices | Low or higher | Windows, macOS, Linux
Antivirus (AV) software | AV software is installed and running. For Windows, this feature supports third party AV applications. For macOS and Linux, this feature can only check if FortiClient AV protection is enabled and does not recognize third party AV applications. | Windows, macOS, Linux
Antivirus (AV) software | AV signature is up-to-date | Windows, macOS, Linux
Security | Windows Defender is enabled | Windows
Security | Bitlocker Disk Encryption is enabled | Windows
Security | Windows security Exploit Guard is enabled | Windows
Security | Application Guard is enabled | Windows
Security | Windows Firewall is enabled | Windows
Security | FileVault Disk Encryption is enabled | macOS
EMS management | FortiClient installed and Telemetry is connected to EMS | Windows, macOS, Linux, iOS, Android
Common vulnerabilities and exposures (CVE) | Presence of [CVE] | Windows, macOS, Linux, iOS, Android
Firewall threat | Presence of [Firewall threat ID] | Windows, macOS, Linux, iOS, Android


Other posture checks

Rule type | Posture check | Supported operating systems
--------------------------------------------------------------------------------
Active Directory (AD) group | Member of [AD Group] | Windows, macOS
Certificate | Certificate contains [Subject CN] and [Issuer CN] | Windows, macOS, Linux
File | Presence of [File] | Windows, macOS, Linux
IP range | Device in the [IP Range] | Windows, macOS, Linux, iOS, Android
Logged in domain | Member of [Domain] | Windows, macOS
On-Fabric status | On-Fabric | Windows, macOS, Linux, iOS, Android
OS version | Windows Server 2022 | Windows
OS version | Windows Server 2019 | Windows
OS version | Windows Server 2016 | Windows
OS version | Windows Server 2012 R2 | Windows
OS version | Windows Server 2012 | Windows
OS version | Windows Server 2008 R2 | Windows
OS version | Windows 11 | Windows
OS version | Windows 10 | Windows
OS version | Windows 8.1 | Windows
OS version | Windows 8 | Windows
OS version | Windows 7 | Windows
OS version | Mojave | macOS
OS version | High Sierra | macOS
OS version | Sierra | macOS
OS version | Catalina | macOS
OS version | Big Sur | macOS
OS version | Monterey | macOS
OS version | CentOS 7.5 | Linux
OS version | CentOS 7.4 | Linux
OS version | CentOS 8 | Linux
OS version | Red Hat 7.6 | Linux
OS version | Red Hat 7.5 | Linux
OS version | Red Hat 7.4 | Linux
OS version | Red Hat 8 | Linux
OS version | Red Hat 8.1 | Linux
OS version | Ubuntu 18.04 | Linux
OS version | iOS 9, 10, 11, 12, 13, 14 | iOS
OS version | Android 5, 6, 7, 8, 9, 10, 11 | Android
Registry key | [Registry Key] | Windows
Running process | Presence of [Running Process] | Windows, macOS, Linux
Sandbox detection | Sandbox detected malware in last 7 days | Windows, macOS
User identity | User-specified | Windows, macOS, Linux, iOS, Android
User identity | Social network login | Windows, macOS, Linux, iOS, Android
User identity | Verified user | Windows, macOS, Linux, iOS, Android

CASB SaaS application support

You can configure the FortiGate zero trust network access (ZTNA) access proxy to act as an inline cloud access security
broker (CASB) by providing access control to software-as-a-service (SaaS) traffic using ZTNA access control rules. A
CASB sits between users and their cloud service to enforce security policies as they access cloud-based resources.
FortiOS 7.2.1 and later versions support ZTNA inline CASB for SaaS application access. This topic provides information
on the supported applications.
The inline CASB database, as of version 1.00025, supports the following SaaS applications:

ZTNA access proxy application name | SaaS application
--------------------------------------------------------
adobe | Adobe services domains
adp | ADP
atlassian | Atlassian
aws_s3 | AWS S3
azure | Azure
box | Box
citrix | Citrix
confluence | Confluence
docusign | DocuSign
dropbox | Dropbox
egnyte | Egnyte
github | GitHub
gmail | Gmail
google_cloud | Google Cloud
google_drive | Google Drive
google_office | Google Office
google-web | Google Web Search domains
jira | Jira
ms_excel | Microsoft Excel
ms_exchange | Microsoft Exchange
ms_onedrive | Microsoft OneDrive
ms_outlook | Microsoft Outlook
ms_powerpoint | Microsoft PowerPoint
ms_teams | Microsoft Teams
ms_word | Microsoft Word
salesforce | Salesforce
sap | SAP
sharepoint | SharePoint
webex | Webex
workplace | Workplace
youtube | YouTube
zendesk | Zendesk
zoom | Zoom

The inline CASB database, as of version 1.00025, supports the following SaaS application groups:

ZTNA access proxy application name | SaaS application group
--------------------------------------------------------
Google | Google SaaS
MS | Microsoft SaaS

Change log

Date | Change Description
--------------------------------
2022-08-04 | Initial release.

www.fortinet.com

Copyright© 2022 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein
may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were
attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance
results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract,
signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only
the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change,
modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.