FortiOS 7.0.0 New Features Guide, pages 360-499

Policy and Objects

This section includes information about policy and object related new features:
l Zero Trust Network Access on page 360
l NGFW on page 476
l Policies on page 479
l Objects on page 499

Zero Trust Network Access

This section includes information about ZTNA related new features:


l Zero Trust Network Access introduction on page 361
l Basic ZTNA configuration on page 363
l Establish device identity and trust context with FortiClient EMS on page 371
l SSL certificate based authentication on page 375
l ZTNA configuration examples on page 377
l ZTNA HTTPS access proxy example on page 377
l ZTNA HTTPS access proxy with basic authentication example on page 386
l ZTNA TCP forwarding access proxy example on page 392
l ZTNA proxy access with SAML authentication example on page 395
l ZTNA IP MAC filtering example on page 400
l ZTNA TCP forwarding access proxy without encryption example 7.0.1 on page 406
l ZTNA IPv6 examples 7.0.1 on page 410
l ZTNA SSH access proxy example 7.0.1 on page 416
l Migrating from SSL VPN to ZTNA HTTPS access proxy on page 424
l ZTNA troubleshooting and debugging on page 427
l ZTNA logging enhancements 7.0.1 on page 432
l Logical AND for ZTNA tag matching 7.0.2 on page 435
l Implicitly generate a firewall policy for a ZTNA rule 7.0.2 on page 439
l Posture check verification for active ZTNA proxy session 7.0.2 on page 444
l GUI support for multiple ZTNA features 7.0.2 on page 450
l Increase ZTNA and EMS tag limits 7.0.4 on page 453
l Use FQDN with ZTNA TCP forwarding access proxy 7.0.4 on page 454
l UTM scanning on TCP forwarding access proxy traffic 7.0.4 on page 457
l Connect a ZTNA access proxy to an SSL VPN web portal 7.0.4 on page 463
l ZTNA FortiView and log enhancements 7.0.4 on page 467
l ZTNA session-based form authentication 7.0.4 on page 469
l Using the IP pool or client IP address in a ZTNA connection to backend servers 7.0.6 on page 476

FortiOS 7.0.0 New Features Guide 360


Fortinet Inc.

Zero Trust Network Access introduction

Zero Trust Network Access (ZTNA) is an access control method that uses client device identification, authentication, and
Zero Trust tags to provide role-based application access. It gives administrators the flexibility to manage network access
for On-net local users and Off-net remote users. Access to applications is granted only after device verification,
authenticating the user’s identity, authorizing the user, and then performing context based posture checks using Zero
Trust tags.
Traditionally, a user and a device have different sets of rules for on-net access and off-net VPN access to company
resources. With a distributed workforce and access that spans company networks, data centers, and cloud, managing
the rules can become complex. User experience is also affected when multiple VPNs are needed to get to various
resources.

Full ZTNA and IP/MAC filtering

ZTNA has two modes: Full ZTNA and IP/MAC filtering:


l Full ZTNA allows users to securely access resources through an SSL-encrypted access proxy. This simplifies remote
access by eliminating the use of VPNs.
l IP/MAC filtering uses ZTNA tags to provide an additional factor for identification and security posture check to
implement role-based zero trust access.

ZTNA telemetry, tags, and policy enforcement

When On-net and Off-net FortiClient endpoints register to FortiClient EMS, device information, log on user information,
and security posture are all shared over ZTNA telemetry with the EMS server. Clients also make a certificate signing
request to obtain a client certificate from the EMS that is acting as the ZTNA Certificate Authority (CA).
Based on the client information, EMS applies matching Zero Trust tagging rules to tag the clients. These tags, and the
client certificate information, are synchronized with the FortiGate in real-time. This allows the FortiGate to verify the
client's identity using the client certificate, and grant access based on the ZTNA tags applied in the ZTNA rule.
For more information, see Establish device identity and trust context with FortiClient EMS on page 371.


Access proxy

The FortiGate access proxy can proxy HTTP and TCP traffic over secure HTTPS connections with the client. This
enables seamless access from the client to the protected servers, without needing to form IPsec or SSL VPN tunnels.

HTTPS access proxy

The FortiGate HTTPS access proxy works as a reverse proxy for the HTTP server. When a client connects to a webpage
hosted by the protected server, the address resolves to the FortiGate’s access proxy VIP. The FortiGate proxies the
connection and takes steps to authenticate the user. It prompts the user for their certificate on the browser, and verifies
this against the ZTNA endpoint record that is synchronized from the EMS. If an authentication scheme, such as SAML
authentication, is configured, the client is redirected to a captive portal for sign-on. If this passes, traffic is allowed based
on the ZTNA rules, and the FortiGate returns the webpage to the client.
For example configurations, see ZTNA HTTPS access proxy example on page 377, ZTNA HTTPS access proxy with
basic authentication example on page 386, and ZTNA proxy access with SAML authentication example on page 395.

TCP forwarding access proxy (TFAP)

TCP forwarding access proxy works as a special type of HTTPS reverse proxy. Instead of proxying traffic to a web
server, TCP traffic is tunneled between the client and the access proxy over HTTPS, and forwarded to the protected
resource. The FortiClient endpoint configures the ZTNA connection by pointing to the proxy gateway, and then
specifying the destination host that it wants to reach. An HTTPS connection is made to the FortiGate’s access proxy VIP,
where the client certificate is verified and access is granted based on the ZTNA rules. TCP traffic is forwarded from the
FortiGate to the protected resource, and an end to end connection is established.
For an example configuration, see ZTNA TCP forwarding access proxy example on page 392.

Basic ZTNA configuration components

The basic components required to configure full ZTNA on the FortiGate are:
1. FortiClient EMS fabric connector and ZTNA tags.
2. FortiClient EMS running version 7.0.0 or later.
3. FortiClient running 7.0.0 or later.
4. ZTNA server
5. ZTNA rule
6. Firewall policy

For configuration details, see Basic ZTNA configuration on page 363.

Basic ZTNA configuration

To deploy full ZTNA, configure the following components on the FortiGate:


1. Configure a FortiClient EMS connector on page 363
2. Configure a ZTNA server on page 365
3. Configure a ZTNA rule on page 367
4. Configure a firewall policy for full ZTNA on page 368
5. Optional authentication on page 369

To configure ZTNA in the GUI, go to System > Feature Visibility and enable Zero Trust
Network Access.

Configure a FortiClient EMS connector

To add an on-premise FortiClient EMS server in the GUI:

1. Go to Security Fabric > Fabric Connectors.
2. Click Create New and click FortiClient EMS.
3. Enter a name for the connector and the IP address or FQDN of the EMS.
4. Click OK.
5. A window appears to verify the EMS server certificate. Click Accept.
See FortiClient EMS for more information.

To add an on-premise FortiClient EMS server in the CLI:

config endpoint-control fctems
    edit <name>
        set server <server IP or domain>
    next
end

ZTNA tags

After the FortiGate connects to the FortiClient EMS, it automatically synchronizes ZTNA tags.


To view the synchronized ZTNA tags in the GUI:

1. Go to Policy & Objects > ZTNA and select the ZTNA Tags tab.
2. Hover the cursor over a tag name to view more information about the tag, such as its resolved addresses.

To create a ZTNA tag group in the GUI:

1. Go to Policy & Objects > ZTNA and select the ZTNA Tags tab.
2. Click Create New Group.
3. Enter a name for the group and select the group members.

4. Click OK.


To view the synchronized ZTNA tags in the CLI:

# diagnose firewall dynamic address
# diagnose firewall dynamic list

To create a ZTNA tag group in the CLI:

config firewall addrgrp
    edit <group name>
        set category ztna-ems-tag
        set member <members>
    next
end

Configure a ZTNA server

To configure a ZTNA server, define the access proxy VIP and the real servers that clients will connect to. The access
proxy VIP is the FortiGate ZTNA gateway that clients make HTTPS connections to. The service/server mappings define
the virtual host matching rules and the real server mappings of the HTTPS requests.

To create a ZTNA server and access proxy VIP in the GUI:

1. Go to Policy & Objects > ZTNA and select the ZTNA Servers tab.
2. Click Create New.
3. Enter a name for the server.
4. Select an external interface, enter the external IP address, and select the external port that the clients will connect
to.
5. Select the Default certificate. Clients will be presented with this certificate when they connect to the access proxy
VIP.

6. Add server mapping:


a. In the Service/server mapping table, click Create New.
b. Set Virtual Host to Any Host or Specify.
l Any Host: Any request that resolves to the access proxy VIP will be mapped to your real servers. For
example, if both www.example1.com and www.example2.com resolve to the VIP, then both requests are
mapped to your real servers.


l Specify: Enter the name or IP address of the host that the request must match. For example, if
www.example1.com is entered as the host, then only requests to www.example1.com will match.
c. Configure the path as needed.
The path can be matched by substring, wildcard, or regular expression. For example, if the virtual host is
specified as www.example1.com, and the path substring is map1, then www.example1.com/map1 will be matched.

d. Add a server:
i. In the Servers table, click Create New.
ii. Enter the server IP address and port number.
iii. Set the server status.
iv. Click OK.
v. Add more servers as needed.
e. Click OK.
f. Add more server mappings as needed.
7. Click OK.

To create a ZTNA server and access proxy VIP in the CLI:

1. Configure an access proxy VIP:


config firewall vip
edit <name>
set type access-proxy
set extip <external IP>
set extintf <external interface>
set server-type { https | ssh }
set extport <external port>
set ssl-certificate <certificate>
next
end

2. If the virtual host is specified, configure the virtual host:

config firewall access-proxy-virtual-host
    edit <auto generated when configured from GUI>
        set ssl-certificate <certificate>
        set host <host name or IP>
        set host-type { sub-string | wildcard }
    next
end

3. Configure the server and path mapping:


config firewall access-proxy
edit <name>
set vip <vip name>
set client-cert { enable | disable }
set empty-cert-action { accept | block }
config api-gateway
edit 1
set url-map <mapped path>
set service { http | https | tcp-forwarding | samlsp }
set virtual-host <name of virtual-host if specified>
set url-map-type { sub-string | wildcard | regex }
config realservers
edit 1
set ip <ip of real server>
set port <port>
set status { active | standby | disable }
set health-check { enable | disable }
next
end
set ldb-method static
set persistence none
set ssl-dh-bits 2048
set ssl-algorithm high
set ssl-min-version tls-1.1
set ssl-max-version tls-1.3
next
end
next
end

The load balance method for the real servers can only be specified in the CLI.
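The following is an added example, not FortiOS code or Fortinet's implementation, that models the matching order described above for a request arriving at the access proxy VIP: the virtual host is checked first (host-type sub-string or wildcard), then the api-gateway url-map (url-map-type sub-string, wildcard or regex), and finally a real server is chosen. The exact FortiOS semantics of "sub-string" (assumed here: case-insensitive containment), "wildcard" (assumed: shell-style `*` and `?`) and "regex" (assumed: unanchored search) are assumptions, as is the static load-balance stand-in that prefers active servers over standby. All hostnames, paths and server IPs are constructed.

```python
"""Added example (not FortiOS code): a model of how an access proxy picks a
service/server mapping for a request, following the order described above:
virtual host first (host-type sub-string or wildcard), then the api-gateway
url-map (url-map-type sub-string, wildcard or regex), then a real server.
Assumed semantics, since the page does not define them: sub-string means
case-insensitive containment, wildcard means shell-style * and ?, regex means
an unanchored Python regular expression; the static load-balance stand-in
prefers active servers over standby. Hosts, paths and IPs are constructed.
"""
import fnmatch
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class RealServer:
    ip: str
    port: int
    status: str = "active"          # active | standby | disable


@dataclass
class VirtualHost:
    host: str                       # hostname or IP the Host header must match
    host_type: str = "sub-string"   # sub-string | wildcard


@dataclass
class ApiGateway:
    url_map: str
    url_map_type: str = "sub-string"        # sub-string | wildcard | regex
    virtual_host: Optional[str] = None      # virtual-host entry name; None = Any Host
    realservers: List[RealServer] = field(default_factory=list)


def host_matches(vh: VirtualHost, request_host: str) -> bool:
    """Compare the request's Host header (port stripped) against the virtual host."""
    h = request_host.split(":")[0].lower()
    if vh.host_type == "wildcard":
        return fnmatch.fnmatchcase(h, vh.host.lower())
    return vh.host.lower() in h


def path_matches(gw: ApiGateway, path: str) -> bool:
    if gw.url_map_type == "regex":
        return re.search(gw.url_map, path) is not None
    if gw.url_map_type == "wildcard":
        return fnmatch.fnmatchcase(path, gw.url_map)
    return gw.url_map in path


def select_gateway(gateways: List[ApiGateway], vhosts: Dict[str, VirtualHost],
                   request_host: str, path: str) -> Optional[ApiGateway]:
    """First api-gateway (in configured order) whose virtual host and url-map both match."""
    for gw in gateways:
        if gw.virtual_host is not None and not host_matches(vhosts[gw.virtual_host], request_host):
            continue
        if path_matches(gw, path):
            return gw
    return None


def pick_real_server(gw: ApiGateway) -> Optional[RealServer]:
    """Static selection stand-in: first active server, else first standby, else None."""
    for wanted in ("active", "standby"):
        for rs in gw.realservers:
            if rs.status == wanted:
                return rs
    return None


# Constructed configuration mirroring the page's www.example1.com / map1 description.
VHOSTS = {"vh-example1": VirtualHost("www.example1.com")}
GATEWAYS = [
    ApiGateway("map1", virtual_host="vh-example1",
               realservers=[RealServer("10.0.0.11", 443)]),
    ApiGateway(r"^/api/v\d+/", url_map_type="regex", virtual_host="vh-example1",
               realservers=[RealServer("10.0.0.12", 8443)]),
    ApiGateway("/", realservers=[RealServer("10.0.0.20", 443, "disable"),
                                 RealServer("10.0.0.21", 443, "standby")]),  # Any Host catch-all
]


def route(request_host: str, path: str) -> Optional[str]:
    """Return 'ip:port' of the real server a request would reach, or None if nothing matches."""
    gw = select_gateway(GATEWAYS, VHOSTS, request_host, path)
    rs = pick_real_server(gw) if gw else None
    return f"{rs.ip}:{rs.port}" if rs else None


if __name__ == "__main__":
    for host, path in [("www.example1.com", "/map1"), ("www.example1.com", "/api/v2/users"),
                       ("www.example2.com", "/map1")]:
        print(f"{host}{path} -> {route(host, path)}")
```

The catch-all Any Host mapping with url-map "/" is what makes the second host fall through to a different real server; when tightening a ZTNA server, check that no such catch-all sits below a virtual-host-specific mapping unless that is intended, because any name that resolves to the VIP will reach it.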

Configure a ZTNA rule

A ZTNA rule is a proxy policy used to enforce access control. ZTNA tags or tag groups can be defined to enforce zero
trust role based access. Security profiles can be configured to protect this traffic.

To configure a ZTNA rule in the GUI:

1. Go to Policy & Objects > ZTNA and select the ZTNA Rules tab.
2. Click Create New.
3. Enter a name for the rule.
4. Add the ZTNA tags or tag groups that are allowed access.
5. Select the ZTNA server.

6. Configure the remaining options as needed.
7. Click OK.

To configure a ZTNA rule in the CLI:

config firewall proxy-policy
    edit 1
        set name <ZTNA rule name>
        set proxy access-proxy
        set access-proxy <access proxy>
        set srcaddr "all"
        set dstaddr "all"
        set ztna-ems-tag <ZTNA tag(s)>
        set action accept
        set schedule "always"
        set logtraffic all
        set utm-status enable
        set ssl-ssh-profile <inspection profile>
    next
end

Configure a firewall policy for full ZTNA

The firewall policy matches and redirects client requests to the access proxy VIP. The source interface and addresses
that are allowed access to the VIP can be defined. By default, the destination interface is any, so once a policy is
configured for full ZTNA, the policy list is displayed by sequence rather than by interface pair.
UTM processing of the traffic happens at the ZTNA rule, not in this firewall policy.

To configure a firewall policy for full ZTNA in the GUI:

1. Go to Policy & Objects > Firewall Policy and click Create New.
2. Enter a name for the policy.
3. Enable ZTNA and select Full ZTNA.

4. Set ZTNA Server to the configured ZTNA server.
5. Configure the remaining settings as needed.
6. Click OK.

To configure a firewall policy for full ZTNA in the CLI:

config firewall policy
    edit <policy ID>
        set name <policy name>
        set srcintf <source interface>
        set dstintf "any"
        set srcaddr <source address>
        set dstaddr <access proxy VIP>
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set logtraffic all
        set nat enable
    next
end

Optional authentication

To configure authentication to the access proxy, you must configure an authentication scheme and authentication rule in
the CLI. They are used to authenticate proxy-based policies, similar to configuring authentication for explicit and
transparent proxy.


The authentication scheme defines the method of authentication that is applied. For ZTNA, the basic HTTP and SAML
methods are supported. Each method has additional settings to define the data source to check against. For example,
with basic HTTP authentication, a user database can reference an LDAP server, RADIUS server, local database, or
other supported authentication servers that the user is authenticated against.
The authentication rule defines the proxy sources and destinations that require authentication, and which authentication
scheme to apply. For ZTNA, the active authentication method is supported. The active authentication method references a
scheme where users are actively prompted for authentication, as with basic authentication.
After the authentication rule triggers the method to authenticate the user, a successful authentication returns the groups
that the user belongs to. In the ZTNA rule and proxy policy you can define a user or user group as the allowed source.
Only users that match that user or group are allowed through the proxy policy.

To configure a basic authentication scheme:

config authentication scheme
    edit <name>
        set method basic
        set user-database <auth server>
    next
end

To configure an authentication rule:

config authentication rule
    edit <name>
        set status enable
        set protocol http
        set srcintf <interface>
        set srcaddr <address>
        set dstaddr <address>
        set ip-based enable
        set active-auth-method <active auth scheme>
    next
end

To apply a user group to a ZTNA rule in the GUI:

1. Go to Policy & Objects > ZTNA and select the ZTNA Rules tab.
2. Edit an existing rule, or click Create New to create a new rule.
3. Click in the Source field, select the User tab, and select the users and user groups that will be allowed access.
4. Configure the remaining settings as required.
5. Click OK.

To apply a user group to a ZTNA rule in the CLI:

config firewall proxy-policy
    edit <policy ID>
        set name <ZTNA rule name>
        set proxy access-proxy
        set access-proxy <access proxy>
        set srcaddr "all"
        set dstaddr "all"
        set ztna-ems-tag <ZTNA tags>
        set action accept
        set schedule "always"
        set logtraffic all
        set groups <user group>
        set utm-status enable
        set ssl-ssh-profile <inspection profile>
    next
end

The authentication rule and scheme define the method used to authenticate users. With basic HTTP authentication, a
sign-in prompt is shown after the client certificate prompt. After the authentication passes, the returned groups that the
user is a member of are checked against the user groups that are defined in the ZTNA rule. If a group matches, then the
user is allowed access after passing the posture check.
For more information, see ZTNA HTTPS access proxy with basic authentication example on page 386 and ZTNA proxy
access with SAML authentication example on page 395.

Establish device identity and trust context with FortiClient EMS

How device identity is established through client certificates, and how device trust context is established between
FortiClient, FortiClient EMS, and the FortiGate, are integral to ZTNA.

Device roles

FortiClient

FortiClient endpoints provide the following information to FortiClient EMS when they register to the EMS:
l Device information (network details, operating system, model, and others)
l Logged on user information
l Security posture (On-net/Off-net, antivirus software, vulnerability status, and others)
It also requests and obtains a client device certificate from the EMS ZTNA Certificate Authority (CA) on its first attempt to
connect to the access proxy. The client uses this certificate to identify itself to the FortiGate.


FortiClient EMS

FortiClient EMS issues and signs the client certificate with the FortiClient UID, certificate serial number, and EMS serial
number. The certificate is then synchronized to the FortiGate. EMS also shares its EMS ZTNA CA certificate with the
FortiGate, so that the FortiGate can use it to authenticate the clients.
FortiClient EMS uses zero trust tagging rules to tag endpoints based on the information that it has on each endpoint. The
tags are also shared with the FortiGate.

FortiGate

The FortiGate maintains a continuous connection to the EMS server to synchronize endpoint device information,
including primarily:
l FortiClient UID
l Client certificate SN
l EMS SN
l Device credentials (user/domain)
l Network details (IP and MAC address and routing to the FortiGate)
When a device's information changes, such as when a client moves from on-net to off-net, or their security posture
changes, EMS is updated with the new device information and then updates the FortiGate. The FortiGate's WAD
daemon can use this information when processing ZTNA traffic.

Certificate management on FortiClient EMS

FortiClient EMS has a default_ZTNARootCA certificate generated by default that the ZTNA CA uses to sign CSRs from
the FortiClient endpoints. Clicking the refresh button revokes and updates the root CA, forcing updates to the FortiGate
and FortiClient endpoints by generating new certificates for each client.


Do not confuse the EMS CA certificate (ZTNA) with the SSL certificate. The latter is the server
certificate that is used by EMS for HTTPS access and fabric connectivity to the EMS server.

EMS can also manage individual client certificates. To revoke the current client certificate that is used by the endpoint:
go to Endpoint > All Endpoints, select the client, and click Action > Revoke Client Certificate.

Locating and viewing the client certificate on an endpoint

In Windows, FortiClient automatically installs certificates into the certificate store. The certificate information in the store,
such as certificate UID and SN, should match the information on EMS and the FortiGate.
To locate certificates on other operating systems, consult the vendor documentation.

To locate the client certificate and EMS ZTNA CA certificate on a Windows PC:

1. In the Windows search box, enter user certificate and click Manage user certificates from the results.

2. In the certificate manager, go to Certificates - Current User > Personal > Certificates and find the certificate that is
issued by the FortiClient EMS.

3. Right-click on it and select Properties.
4. The General tab shows the client certificate UID and the issue and expiry dates. The Details tab shows the certificate
SN.
5. Go to the Certificate Path tab to see the full certificate chain.
6. Select the root CA and click View Certificate to view the details about the EMS ZTNA CA certificate.

Verifying that the client information is synchronized to the FortiGate

The following diagnose commands help to verify the presence of a matching endpoint record, and information such as the
client UID, client certificate SN, and EMS certificate SN on the FortiGate. If any of this information is missing or
incomplete, client certificate authentication might fail because the corresponding endpoint entry is not found. More in-
depth diagnosis would be needed to determine the reason for the missing records.

Command                                                     Description
# diagnose endpoint record list <ip>                        Show the endpoint record list. Optionally, filter by the endpoint IP address.
# diagnose endpoint wad-comm find-by uid <uid>              Query endpoints by client UID.
# diagnose endpoint wad-comm find-by ip-vdom <ip> <vdom>    Query endpoints by the client IP-VDOM pair.
# diagnose wad dev query-by uid <uid>                       Query from WAD diagnose command by UID.
# diagnose wad dev query-by ipv4 <ip>                       Query from WAD diagnose command by IP address.
# diagnose test application fcnacd 7                        Check the FortiClient NAC daemon ZTNA and route cache.
# diagnose test application fcnacd 8

To check the endpoint record list for IP address 10.6.30.214:

# diagnose endpoint record list 10.6.30.214

Record #1:
IP Address = 10.6.30.214
MAC Address = 00:0c:29:ba:1e:61
MAC list = 00:0c:29:ba:1e:61;00:0c:29:ba:1e:6b;
VDOM = root (0)
EMS serial number: FCTEMS8821001322
Client cert SN: 17FF6595600A1AF53B87627AB4EBEDD032593E64
Quarantined: no
Online status: online
Registration status: registered
On-net status: on-net
Gateway Interface: port2
FortiClient version: 7.0.0
AVDB version: 84.778
FortiClient app signature version: 18.43
FortiClient vulnerability scan engine version: 2.30
FortiClient UID: 5FCFA3ECDE4D478C911D9232EC9299FD

Number of Routes: (1)
Gateway Route #0:
- IP:10.1.100.214, MAC: 00:0c:29:ba:1e:6b, Indirect: no
- Interface:port2, VFID:0, SN: FG5H1E5819902474
online records: 1; offline records: 0; quarantined records: 0

SSL certificate based authentication

A client certificate is obtained when an endpoint registers to EMS. FortiClient automatically submits a CSR request and
the FortiClient EMS signs and returns the client certificate. This certificate is stored in the operating system's certificate
store for subsequent connections. The endpoint information is synchronized between the FortiGate and FortiClient EMS.


When an endpoint disconnects or is unregistered from EMS, its certificate is removed from the certificate store and
revoked on EMS. The endpoint obtains a new certificate when it reconnects to EMS.
By default, client certificate authentication is enabled on the access proxy, so when the HTTPS request is received the
FortiGate's WAD process challenges the client to identify itself with its certificate. The FortiGate makes a decision based
on the following possibilities:
1. If the client responds with the correct certificate that the client UID and certificate SN can be extracted from:
l If the client UID and certificate SN match the record on the FortiGate, the client is allowed to continue with the
ZTNA proxy rule processing.
l If the client UID and certificate SN do not match the record on the FortiGate, the client is blocked from further
ZTNA proxy rule processing.
2. If the client cancels and responds with an empty client certificate:
l If empty-cert-action is set to accept, the client is allowed to continue with ZTNA proxy rule processing.
l If empty-cert-action is set to block, the client is blocked from further ZTNA proxy rule processing.

To configure the client certificate actions:

config firewall access-proxy
    edit <name>
        set client-cert {enable | disable}
        set empty-cert-action {accept | block}
    next
end

Example

In this example, a client connects to qa.fortinet.com and is prompted for a client certificate.
l client-cert is set to enable, and empty-cert-action is set to block.
l The ZTNA server is configured, and a ZTNA rule is set to allow this client.
l The domain resolves to the FortiGate access proxy VIP.

Scenario 1:

When prompted for the client certificate, the client clicks OK and provides a valid certificate that is verified by the
FortiGate.


Result:

The client passes SSL certificate authentication and is allowed to access the website.

Scenario 2:

When prompted for the client certificate, the client clicks Cancel, resulting in an empty certificate response to the access
proxy.

Result:

Because the certificate response is empty and empty-cert-action is set to block, the WAD daemon blocks the
connection.

Currently, the Microsoft Edge and Google Chrome browsers are supported by ZTNA.

ZTNA configuration examples

This section includes the following ZTNA configuration examples:


l ZTNA HTTPS access proxy example on page 377
l ZTNA HTTPS access proxy with basic authentication example on page 386
l ZTNA TCP forwarding access proxy example on page 392
l ZTNA proxy access with SAML authentication example on page 395
l ZTNA IP MAC filtering example on page 400
l ZTNA TCP forwarding access proxy without encryption example 7.0.1 on page 406
l ZTNA IPv6 examples 7.0.1 on page 410
l ZTNA SSH access proxy example 7.0.1 on page 416

ZTNA HTTPS access proxy example

In this example, an HTTPS access proxy is configured to demonstrate its function as a reverse proxy on behalf of the
web server it is protecting. It verifies user identity, device identity, and trust context before granting access to the
protected resource.


This example shows access control that allows or denies traffic based on ZTNA tags. Traffic is allowed when the
FortiClient endpoint is tagged as Low risk, and denied when the endpoint is tagged with Malicious-File-Detected.
This example assumes that the FortiGate EMS fabric connector is already successfully connected.

To configure ZTNA in the GUI, go to System > Feature Visibility and enable Zero Trust
Network Access.

To configure a Zero Trust tagging rule on the FortiClient EMS:

1. Log in to the FortiClient EMS.


2. Go to Zero Trust Tags > Zero Trust Tagging Rules, and click Add.
3. In the Name field, enter Malicious-File-Detected.
4. In the Tag Endpoint As dropdown list, select Malicious-File-Detected.
EMS uses this tag to dynamically group together endpoints that satisfy the rule, as well as any other rules that are
configured to use this tag.
5. Click Add Rule then configure the rule:
a. For OS, select Windows.
b. From the Rule Type dropdown list, select File and click the + button.
c. Enter a file name, such as C:\virus.txt.
d. Click Save.

6. Click Save.

To configure HTTPS access proxy VIP in the GUI:

1. Go to Policy & Objects > ZTNA and select the ZTNA Servers tab.
2. Click Create New.
3. Set Name to WIN2K16-P1.

4. Configure the network settings:
a. Set External interface to port1.
b. Set External IP to 192.168.2.86.
c. Set External port to 8443.
5. Select the Default certificate. Clients will be presented with this certificate when they connect to the access proxy
VIP.
6. Add server mapping:
a. In the Service/server mapping table, click Create New.
b. Set Virtual Host to Any Host.
c. Configure the path as needed. For example, to map to winserver.fgdocs.com/fortigate, enter /fortigate.
d. Add a server:
i. In the Servers table, click Create New.
ii. Set IP to 192.168.20.6.
iii. Set Port to 443.
iv. Click OK.

e. Click OK.

7. Click OK.


To configure ZTNA rules to allow and deny traffic based on ZTNA tags in the GUI:

1. Go to Policy & Objects > ZTNA and select the ZTNA Rules tab.
2. Create a rule to deny traffic:
a. Click Create New.
b. Set Name to ZTNA-Deny-malicious.
c. Add the ZTNA tag Malicious-File-Detected.
This tag was dynamically retrieved from EMS when you created the Zero Trust Tagging Rule.
d. Select the ZTNA server WIN2K16-P1.
e. Set Action to DENY.
f. Enable Log Violation Traffic.
g. Click OK.
3. Create a rule to allow traffic:
a. Click Create New again to create another rule.
b. Set Name to proxy-WIN2K16-P1.
c. Add the ZTNA tag Low.
d. Select the ZTNA server WIN2K16-P1.
e. Configure the remaining options as needed.
f. Click OK.
4. On the ZTNA rules list, make sure that the deny rule (ZTNA-Deny-malicious) is above the allow rule
(proxy-WIN2K16-P1). Rules are evaluated in sequence, so an endpoint that carries both tags must hit the deny rule first.


To configure a firewall policy for full ZTNA in the GUI:

1. Go to Policy & Objects > Firewall Policy and click Create New.
2. Set Name to ZTNA-P1.
3. Enable ZTNA and select Full ZTNA.
4. Set Incoming Interface to port1.
5. Set ZTNA Server to WIN2K16-P1.
6. Configure the remaining settings as needed.
UTM processing of the traffic happens at the ZTNA rule.
7. Click OK.

To configure HTTPS access in the CLI:

1. Configure the access proxy VIP:


config firewall vip
edit "WIN2K16-P1"
set type access-proxy
set extip 192.168.2.86
set extintf "port1"
set server-type https
set extport 8443
set ssl-certificate "Fortinet_SSL"
next
end

2. Configure the server and path mapping:

config firewall access-proxy
    edit "WIN2K16-P1"
        set vip "WIN2K16-P1"
        set client-cert enable
        config api-gateway
            edit 1
                set service https
                config realservers
                    edit 1
                        set ip 192.168.20.6
                        set port 443
                    next
                end
            next
        end
    next
end

3. Configure ZTNA rules:

config firewall proxy-policy
    edit 3
        set name "ZTNA-Deny-malicious"
        set proxy access-proxy
        set access-proxy "WIN2K16-P1"
        set srcaddr "all"
        set dstaddr "all"
        set ztna-ems-tag "FCTEMS0000109188_Malicious-File-Detected"
        set schedule "always"
        set logtraffic all
    next
    edit 2
        set name "proxy-WIN2K16-P1"
        set proxy access-proxy
        set access-proxy "WIN2K16-P1"
        set srcaddr "all"
        set dstaddr "all"
        set ztna-ems-tag "FCTEMS0000109188_Low"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end

4. Configure a firewall policy for full ZTNA:

config firewall policy
    edit 24
        set name "ZTNA-P1"
        set srcintf "port1"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "WIN2K16-P1"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set logtraffic all
        set nat enable
    next
end

Testing the remote access to the HTTPS access proxy

After FortiClient EMS and FortiGate are configured, the HTTPS access proxy remote connection can be tested.

Access allowed:

1. On the remote Windows PC, open FortiClient.
2. On the Zero Trust Telemetry tab, make sure that you are connected to the EMS server.
3. Open a browser and enter the address of the server and the access port. When entering the FQDN, make sure that DNS can resolve the address to the IP address of the FortiGate. In this example, winserver.fgdocs.com resolves to 192.168.2.86.
4. The browser prompts for the client certificate to use. Select the EMS signed certificate, then click OK.
The certificate is in the User Configuration store, under Personal > Certificates. The details show the SN of the certificate, which matches the record on the FortiClient EMS and the FortiGate.
5. The FortiGate verifies the client certificate to authenticate your identity.
6. The FortiGate checks your security posture by verifying your ZTNA tag and matching the corresponding ZTNA rule, and you are allowed access to the web server.

Access denied:

1. On the remote Windows PC, trigger the Zero Trust Tagging Rule by creating the file C:\virus.txt.
2. Open a browser and enter the address http://winserver.fgdocs.com:8443.
3. The FortiGate verifies the client certificate to authenticate your identity.
4. The FortiGate checks your security posture. Because EMS has tagged the PC with the Malicious-File-Detected tag, it matches the ZTNA-Deny-malicious rule.
5. You are denied access to the web server.

Logs and debugs

Access allowed:

# diagnose endpoint record list
Record #1:
    IP Address = 10.10.10.20
    MAC Address = 9c:b7:0d:2d:5c:d1
    MAC list = 24:b6:fd:fa:54:c1;06:15:cd:45:f1:2e;9c:b7:0d:2d:5c:d1;
    VDOM = (-1)
    EMS serial number: FCTEMS0000109188
    Client cert SN: 6A9DCC318F36E82079D5C631EB589A8025DA8E80
    Public IP address: 192.157.105.35
    Quarantined: no
    Online status: online
    Registration status: registered
    On-net status: on-net
    Gateway Interface:
    FortiClient version: 7.0.0
    AVDB version: 0.0
    FortiClient app signature version: 0.0
    FortiClient vulnerability scan engine version: 2.30
    FortiClient UID: F4F3263AEBE54777A6509A8FCCDF9284
    Host Name: Fortinet-KeithL
    OS Type: WIN64
    ...
    Number of Routes: (0)
online records: 1; offline records: 0; quarantined records: 0
# diagnose test application fcnacd 7
ZTNA Cache:
-uid F4F3263AEBE54777A6509A8FCCDF9284: { "tags": [ "all_registered_clients", "Low" ], "user_name": "keithli", "client_cert_sn": "6A9DCC318F36E82079D5C631EB589A8025DA8E80", "ems_sn": "FCTEMS0000109188" }

# diagnose endpoint wad-comm find-by uid F4F3263AEBE54777A6509A8FCCDF9284
UID: F4F3263AEBE54777A6509A8FCCDF9284
status code:ok
Domain:
User: keithli
Cert SN:6A9DCC318F36E82079D5C631EB589A8025DA8E80
EMS SN: FCTEMS0000109188
Routes(0):
Tags(2):
- tag[0]: name=all_registered_clients
- tag[1]: name=Low
# execute log display
1: date=2021-03-28 time=00:46:39 eventtime=1616917599923614599 tz="-0700" logid="0000000010" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.10.10.20 srcport=60185 srcintf="port1" srcintfrole="wan" dstcountry="Reserved" srccountry="Reserved" dstip=192.168.20.6 dstport=443 dstintf="root" dstintfrole="undefined" sessionid=29515 srcuuid="2d8e1736-8ec6-51eb-885c-009bdf9c31d7" dstuuid="5445be2e-5d7b-51ea-e2c3-ae6b7855c52f" service="HTTPS" wanoptapptype="web-proxy" proto=6 action="accept" policyid=2 policytype="proxy-policy" poluuid="5aba29de-8ec6-51eb-698f-25b59d5bf852" duration=6 wanin=104573 rcvdbyte=104573 wanout=2274 lanin=3370 sentbyte=3370 lanout=104445 srchwvendor="Fortinet" devtype="Network" srcfamily="Firewall" osname="Windows" srchwversion="FortiWiFi-30E" appcat="unscanned"

Access denied:

# diagnose test application fcnacd 7
ZTNA Cache:
-uid F4F3263AEBE54777A6509A8FCCDF9284: { "user_name": "keithli", "client_cert_sn": "6A9DCC318F36E82079D5C631EB589A8025DA8E80", "ems_sn": "FCTEMS0000109188", "tags": [ "Malicious-File-Detected", "all_registered_clients", "Low" ] }
# diagnose endpoint wad-comm find-by uid F4F3263AEBE54777A6509A8FCCDF9284
UID: F4F3263AEBE54777A6509A8FCCDF9284
status code:ok
Domain:
User: keithli
Cert SN:6A9DCC318F36E82079D5C631EB589A8025DA8E80
EMS SN: FCTEMS0000109188
Routes(0):
Tags(3):
- tag[0]: name=Malicious-File-Detected
- tag[1]: name=all_registered_clients
- tag[2]: name=Low
# execute log display
1: date=2021-03-28 time=01:21:55 eventtime=1616919715444980633 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.10.10.20 srcport=60784 srcintf="port1" srcintfrole="wan" dstip=192.168.20.6 dstport=443 dstintf="root" dstintfrole="undefined" srcuuid="2d8e1736-8ec6-51eb-885c-009bdf9c31d7" dstuuid="5445be2e-5d7b-51ea-e2c3-ae6b7855c52f" srccountry="Reserved" dstcountry="Reserved" sessionid=33933 proto=6 action="deny" policyid=3 policytype="proxy-policy" poluuid="762ca074-8f9e-51eb-7614-03a8801c6477" service="HTTPS" trandisp="noop" url="https://winserver.fgdocs.com/" agent="Chrome/89.0.4389.90" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel="high" msg="Traffic denied because of explicit proxy policy"
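The two traffic records above are the evidence a SOC would key on. As an added example (not part of the Fortinet guide), the following Python parses FortiGate key=value log records and pulls out the proxy-policy denies; the sample records are shortened, constructed copies of the two "execute log display" records shown above, and the field names are the ones the logs use.

```python
import re
from dataclasses import dataclass

# Constructed sample: shortened copies of the two 'execute log display' records
# above (values taken from the page; UUID and byte-count fields dropped for brevity).
SAMPLE_LOGS = [
    '1: date=2021-03-28 time=00:46:39 tz="-0700" logid="0000000010" type="traffic" '
    'subtype="forward" srcip=10.10.10.20 srcport=60185 dstip=192.168.20.6 dstport=443 '
    'service="HTTPS" action="accept" policyid=2 policytype="proxy-policy" duration=6',
    '1: date=2021-03-28 time=01:21:55 tz="-0700" logid="0000000013" type="traffic" '
    'subtype="forward" srcip=10.10.10.20 srcport=60784 dstip=192.168.20.6 dstport=443 '
    'action="deny" policyid=3 policytype="proxy-policy" service="HTTPS" '
    'url="https://winserver.fgdocs.com/" crscore=30 crlevel="high" '
    'msg="Traffic denied because of explicit proxy policy"',
]

# One key=value token. The value is either a double-quoted string (it may contain
# spaces and '=' characters, so it must be consumed whole) or a bare run of
# non-blank characters.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line: str) -> dict:
    """Parse one FortiGate key=value log record into a dict of strings."""
    # 'execute log display' prefixes each record with a sequence number ("1: ").
    line = re.sub(r'^\s*\d+:\s*', '', line)
    rec = {}
    for key, val in _KV.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        rec[key] = val
    return rec


@dataclass
class ZtnaDeny:
    srcip: str
    dstip: str
    dstport: int
    policyid: int      # 0 means no ZTNA rule matched at all (implicit deny)
    url: str
    msg: str

    @property
    def implicit(self) -> bool:
        return self.policyid == 0


def find_ztna_denies(lines) -> list:
    """Return a ZtnaDeny for every proxy-policy traffic record with action=deny.

    In this example policyid=3 is the explicit ZTNA-Deny-malicious rule; a
    policyid of 0 means the client fell through every ZTNA rule."""
    hits = []
    for line in lines:
        rec = parse_fortigate_log(line)
        if rec.get("type") != "traffic" or rec.get("policytype") != "proxy-policy":
            continue
        if rec.get("action") != "deny":
            continue
        hits.append(ZtnaDeny(
            srcip=rec.get("srcip", ""),
            dstip=rec.get("dstip", ""),
            dstport=int(rec.get("dstport", "0")),
            policyid=int(rec.get("policyid", "0")),
            url=rec.get("url", ""),
            msg=rec.get("msg", ""),
        ))
    return hits


if __name__ == "__main__":
    for d in find_ztna_denies(SAMPLE_LOGS):
        kind = "implicit deny" if d.implicit else f"rule {d.policyid}"
        print(f"{d.srcip} -> {d.dstip}:{d.dstport} denied ({kind}): {d.msg}")
```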

ZTNA HTTPS access proxy with basic authentication example

This example expands on the previous example (ZTNA HTTPS access proxy example on page 377), adding LDAP authentication to the ZTNA rule. Users are allowed based on passing the client certificate authentication check, user authentication, and security posture check.
Users that are in the AD security group ALLOWED-VPN are allowed access to the access proxy. Users that are not part of this security group are not allowed access.

This example assumes that the FortiGate EMS fabric connector is already successfully connected.
LDAP/Active Directory users and groups:
• Domain: KLHOME.local
• Users (Groups):
  • radCurtis (Domain Users, ALLOWED-VPN)
  • radKeith (Domain Users)

To configure a secure connection to the LDAP server in the GUI:

1. Go to User & Authentication > LDAP Servers and click Create New.
2. Configure the following settings:

Name                     WIN2K16-KLHOME-LDAPS
Server IP/Name           192.168.20.6
Server Port              636
Common Name Identifier   sAMAccountName
Distinguished Name       dc=KLHOME,dc=local
Exchange server          Disabled
Bind Type                Regular. Enter the Username and Password for LDAP binding and lookup.
Secure Connection        Enabled
                         • Set Protocol to LDAPS.
                         • Enable Certificate and select the CA certificate to validate the server certificate.
Server identity check    Optionally, enable to verify the domain name or IP address against the server certificate.

3. Click Test Connectivity to verify the connection to the server.
4. Click OK.

To configure a secure connection to the LDAP server in the CLI:

config user ldap
    edit "WIN2K16-KLHOME-LDAPS"
        set server "192.168.20.6"
        set cnid "sAMAccountName"
        set dn "dc=KLHOME,dc=local"
        set type regular
        set username "KLHOME\\Administrator"
        set password <password>
        set secure ldaps
        set ca-cert "CA_Cert_1"
        set port 636
    next
end

To configure a remote user group from the LDAP server in the GUI:

1. Go to User & Authentication > User Groups and click Create New.
2. Set the name to KLHOME-ALLOWED-VPN.
3. Set Type to Firewall.
4. In the Remote Groups table click Add:
a. Set Remote Server to WIN2K16-KLHOME-LDAPS.
b. Locate the ALLOWED-VPN group, right-click on it, and click Add Selected.
c. Click OK.
5. Click OK.

To configure a remote user group from the LDAP server in the CLI:

config user group
    edit "KLHOME-ALLOWED-VPN"
        set member "WIN2K16-KLHOME-LDAPS"
        config match
            edit 1
                set server-name "WIN2K16-KLHOME-LDAPS"
                set group-name "CN=ALLOWED-VPN,DC=KLHOME,DC=local"
            next
        end
    next
end

Authentication scheme and rules

After the LDAP server and user group have been configured, an authentication scheme and rule must be configured.

To configure authentication schemes and rules in the GUI, go to System > Feature Visibility and enable Explicit Proxy.

Authentication scheme

The authentication scheme defines the method of authentication that is applied. In this example, basic HTTP
authentication is used so that users are prompted for a username and password the first time that they connect to a
website through the HTTPS access proxy.

To configure an authentication scheme in the GUI:

1. Go to Policy & Objects > Authentication Rules and click Create New > Authentication Scheme.
2. Set the name to ZTNA-Auth-scheme.
3. Set Method to Basic.
4. Set User database to Other and select WIN2K16-KLHOME-LDAPS as the LDAP server.
5. Click OK.

To configure an authentication scheme in the CLI:

config authentication scheme
    edit "ZTNA-Auth-scheme"
        set method basic
        set user-database "WIN2K16-KLHOME-LDAPS"
    next
end

Authentication rule

The authentication rule defines the proxy sources and destination that require authentication, and what authentication
scheme is applied. In this example, active authentication through the basic HTTP prompt is used and applied to all
sources.

To configure an authentication rule in the GUI:

1. Go to Policy & Objects > Authentication Rules and click Create New > Authentication Rule.
2. Set the name to ZTNA-Auth-rule.
3. Set Source Address to all.
4. Set Protocol to HTTP.
5. Enable Authentication Scheme and select ZTNA-Auth-scheme.
6. Click OK.

To configure an authentication rule in the CLI:

config authentication rule
    edit "ZTNA-Auth-rule"
        set srcaddr "all"
        set active-auth-method "ZTNA-Auth-scheme"
    next
end

Applying the user group to a ZTNA rule

A user or user group must be applied to the ZTNA rule that you need to control user access to. The authenticated user
from the authentication scheme and rule must match the user or user group in the ZTNA rule.
In this example, the user group is applied to the two ZTNA rules that were configured in ZTNA HTTPS access proxy
example on page 377.

To apply a user group to the ZTNA rules in the GUI:

1. Go to Policy & Objects > ZTNA and select the ZTNA Rules tab.
2. Edit the ZTNA-Deny-malicious rule.
3. Click in the Source field, select the User tab, select the KLHOME-ALLOWED-VPN group, then click Close.
4. Click OK.
5. Edit the proxy-WIN2K16-P1 rule.
6. Click in the Source field, select the User tab, select the KLHOME-ALLOWED-VPN group, then click Close.
7. Click OK.

To apply a user group to the ZTNA rules in the CLI:

config firewall proxy-policy
    edit 3
        set name "ZTNA-Deny-malicious"
        set proxy access-proxy
        set access-proxy "WIN2K16-P1"
        set srcaddr "all"
        set dstaddr "all"
        set ztna-ems-tag "FCTEMS0000109188_Malicious-File-Detected"
        set schedule "always"
        set logtraffic all
        set groups "KLHOME-ALLOWED-VPN"
    next
    edit 2
        set name "proxy-WIN2K16-P1"
        set proxy access-proxy
        set access-proxy "WIN2K16-P1"
        set srcaddr "all"
        set dstaddr "all"
        set ztna-ems-tag "FCTEMS0000109188_Low"
        set action accept
        set schedule "always"
        set logtraffic all
        set groups "KLHOME-ALLOWED-VPN"
    next
end

Testing remote access to the HTTPS access proxy with user authentication

Scenario 1: access allowed - user radCurtis

1. On a remote Windows PC, open the FortiClient app, select the Zero Trust Telemetry tab, and confirm that you are
connected to the EMS server.
2. In a browser, enter the address of the server and the access port.
If entering an FQDN, make sure that DNS can resolve the address to the IP address of the FortiGate. In this
example, winserver.fgdocs.com resolves to 192.168.2.86.
3. When the browser asks for the client certificate to use, select the EMS signed certificate, then click OK.
The client certificate is verified by the FortiGate to authenticate your identity.
4. When prompted, enter the username radCurtis and the password, and click Sign in.
As radCurtis is a member of the ALLOWED-VPN group in Active Directory, it matches the KLHOME-ALLOWED-VPN user group. After the user authentication passes, the FortiGate performs the posture check against the ZTNA tag in the rule. When that passes, you are allowed access to the website.

Verifying the results

# diagnose firewall auth list
10.10.10.20, radCurtis
    type: fw, id: 0, duration: 13, idled: 13
    expire: 587, allow-idle: 600
    packets: in 0 out 0, bytes: in 0 out 0
    group_id: 8 16777220
    group_name: KLHOME-ALLOWED-VPN grp_16777220
# diagnose test application fcnacd 7
ZTNA Cache:
-uid F4F3263AEBE54777A6509A8FCCDF9284: { "tags": [ "all_registered_clients", "Low" ], "user_name": "keith", "client_cert_sn": "6C7433E8E2CEDEB49B6C3C3C03677A3521EA4486", "ems_sn": "FCTEMS0000109188" }

The user_name is the Windows login username learned by FortiClient. It might not match the username used in firewall user authentication.

# execute log display
1: date=2021-04-13 time=00:11:56 eventtime=1618297916023667886 tz="-0700" logid="0000000010" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.10.10.20 srcport=51513 srcintf="port1" srcintfrole="wan" dstcountry="Reserved" srccountry="Reserved" dstip=192.168.20.6 dstport=443 dstintf="root" dstintfrole="undefined" sessionid=2319197 srcuuid="2d8e1736-8ec6-51eb-885c-009bdf9c31d7" dstuuid="5445be2e-5d7b-51ea-e2c3-ae6b7855c52f" service="HTTPS" wanoptapptype="web-proxy" proto=6 action="accept" policyid=2 policytype="proxy-policy" poluuid="5aba29de-8ec6-51eb-698f-25b59d5bf852" duration=10 user="radCurtis" group="KLHOME-ALLOWED-VPN" authserver="WIN2K16-KLHOME-LDAPS" wanin=104573 rcvdbyte=104573 wanout=2364 lanin=3538 sentbyte=3538 lanout=104445 appcat="unscanned"

Scenario 2: access denied - user radKeith

1. If scenario 1 has just been tested, log in to the FortiGate and deauthenticate the user:
a. Go to Dashboard > Users & Devices and expand the Firewall Users widget.
b. Right-click on the user radCurtis and select deauthenticate.
2. On a remote Windows PC, open the FortiClient app, select the Zero Trust Telemetry tab, and confirm that you are
connected to the EMS server.
3. In a browser, enter the address winserver.fgdocs.com.
4. When the browser asks for the client certificate to use, select the EMS signed certificate, then click OK. This option
might not appear if you have already selected the certificate when testing scenario 1.
The client certificate is verified by the FortiGate to authenticate your identity.
5. When prompted, enter the username radKeith and the password, and click Sign in.
As radKeith is not a member of the ALLOWED-VPN group in Active Directory, it does not match the KLHOME-ALLOWED-VPN user group. Because no other policies are matched, this user is implicitly denied.

Verifying the results

Go to Dashboard > Users & Devices, expand the Firewall Users widget, and confirm that user radKeith is listed, but no applicable user group is returned.

# execute log display
1: date=2021-04-13 time=12:29:21 eventtime=1618342161821542277 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.10.10.20 srcport=52571 srcintf="port1" srcintfrole="wan" dstip=192.168.20.6 dstport=443 dstintf="root" dstintfrole="undefined" srcuuid="5445be2e-5d7b-51ea-e2c3-ae6b7855c52f" srccountry="Reserved" dstcountry="Reserved" sessionid=2394329 proto=6 action="deny" policyid=0 policytype="proxy-policy" user="radKeith" authserver="WIN2K16-KLHOME-LDAPS" service="HTTPS" trandisp="noop" url="https://winserver.fgdocs.com/" agent="Chrome/89.0.4389.114" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel="high" msg="Traffic denied because of explicit proxy policy"
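The rule matching that the two scenarios above exercise, as an added example that is not part of the Fortinet guide: a small Python model of first-match evaluation over the two ZTNA rules, combining the EMS tag (posture) check, the user group check, the implicit deny that shows up as policyid=0 in the radKeith log, and what happens if the deny rule is placed below the allow rule. The rule, tag and group names are the ones from this example; the evaluation model is an assumption about FortiOS behaviour for illustration, not FortiOS code.

```python
from dataclasses import dataclass

# EMS serial number from this example. FortiOS names every EMS tag "<EMS SN>_<tag>",
# which is the value used in 'set ztna-ems-tag' in the CLI above.
EMS_SN = "FCTEMS0000109188"


def ems_tag(name: str) -> str:
    """Dynamic address name the FortiGate derives from an EMS tag name."""
    return f"{EMS_SN}_{name}"


@dataclass(frozen=True)
class ZtnaRule:
    """Model of one access-proxy entry under 'config firewall proxy-policy'."""
    policyid: int
    name: str
    action: str             # "accept" or "deny" (deny is the FortiOS default)
    ztna_ems_tag: str       # value of 'set ztna-ems-tag'
    groups: frozenset       # value of 'set groups'; empty means no user restriction


@dataclass(frozen=True)
class Client:
    """What the FortiGate knows about a connection: the endpoint's tags from the
    ZTNA cache ('diagnose test application fcnacd 7') and the groups the
    firewall-authenticated user resolved to ('diagnose firewall auth list')."""
    user: str
    ems_tags: frozenset     # tag names as EMS reports them, e.g. {"all_registered_clients", "Low"}
    user_groups: frozenset  # FortiGate user groups, e.g. {"KLHOME-ALLOWED-VPN"}


def evaluate(rules, client):
    """First-match evaluation of the ZTNA rule list, top to bottom (modelled).

    Returns (action, policyid). ("deny", 0) is the implicit deny that is
    logged when no rule matches, as in the radKeith traffic log above."""
    have = {ems_tag(t) for t in client.ems_tags}
    for rule in rules:
        if rule.ztna_ems_tag not in have:
            continue                    # posture check fails for this rule
        if rule.groups and not (rule.groups & client.user_groups):
            continue                    # user is in none of the rule's groups
        return rule.action, rule.policyid
    return "deny", 0


# The two rules from this example, in the order the guide requires (deny above allow).
RULES = [
    ZtnaRule(3, "ZTNA-Deny-malicious", "deny",
             ems_tag("Malicious-File-Detected"), frozenset({"KLHOME-ALLOWED-VPN"})),
    ZtnaRule(2, "proxy-WIN2K16-P1", "accept",
             ems_tag("Low"), frozenset({"KLHOME-ALLOWED-VPN"})),
]

HEALTHY = frozenset({"all_registered_clients", "Low"})
INFECTED = HEALTHY | {"Malicious-File-Detected"}   # after C:\virus.txt is created

# Scenario 1: radCurtis on a healthy endpoint is accepted by rule 2.
CURTIS_OK = Client("radCurtis", HEALTHY, frozenset({"KLHOME-ALLOWED-VPN"}))
# Same user after EMS adds the malicious tag: explicit deny by rule 3.
CURTIS_INFECTED = Client("radCurtis", INFECTED, frozenset({"KLHOME-ALLOWED-VPN"}))
# Scenario 2: radKeith is not in ALLOWED-VPN and falls through to the implicit deny.
KEITH = Client("radKeith", HEALTHY, frozenset())

if __name__ == "__main__":
    for c in (CURTIS_OK, CURTIS_INFECTED, KEITH):
        print(c.user, sorted(c.ems_tags), "->", evaluate(RULES, c))
    # Why the order matters: with the allow rule first, the infected endpoint still
    # carries the Low tag and is accepted before the deny rule is consulted.
    print("misordered:", evaluate(list(reversed(RULES)), CURTIS_INFECTED))
```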

ZTNA TCP forwarding access proxy example

In this example, a TCP forwarding access proxy (TFAP) is configured to demonstrate an HTTPS reverse proxy that forwards TCP traffic to the designated resource. The access proxy tunnels TCP traffic between the client and the FortiGate over HTTPS, and forwards the TCP traffic to the protected resource. It verifies user identity, device identity, and trust context before granting access to the protected resource.
RDP access is configured to one server, and SSH access to the other.

This example assumes that the FortiGate EMS fabric connector is already successfully connected.

To configure the access proxy VIP:

config firewall vip
    edit "ZTNA-tcp-server"
        set type access-proxy
        set extip 10.0.3.11
        set extintf "port3"
        set server-type https
        set extport 8443
        set ssl-certificate "Fortinet_SSL"
    next
end

To configure the server addresses:

config firewall address
    edit "FAZ"
        set subnet 10.88.0.2 255.255.255.255
    next
    edit "winserver"
        set subnet 10.88.0.1 255.255.255.255
    next
end

To configure access proxy server mappings:

config firewall access-proxy
    edit "ZTNA-tcp-server"
        set vip "ZTNA-tcp-server"
        set client-cert enable
        config api-gateway
            edit 1
                set service tcp-forwarding
                config realservers
                    edit 1
                        set address "FAZ"
                        set mappedport 22
                    next
                    edit 2
                        set address "winserver"
                        set mappedport 3389
                    next
                end
            next
        end
    next
end

The mapped port (mappedport) restricts the mapping to the specified port or port range. If mappedport is not
specified, then any port will be matched.

To configure a ZTNA rule (proxy policy):

config firewall proxy-policy
    edit 0
        set name "ZTNA_remote"
        set proxy access-proxy
        set access-proxy "ZTNA-tcp-server"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
    next
end

To configure a firewall policy for full ZTNA:

config firewall policy
    edit 1
        set name "Full_ZTNA_policy"
        set srcintf "port3"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "ZTNA-tcp-server"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set logtraffic all
    next
end

Test the connection to the access proxy

Before connecting, users must create a ZTNA rule in FortiClient.

To create a ZTNA rule in FortiClient:

1. On the ZTNA Connection Rules tab, click Add Rule.
2. Set Rule Name to SSH-FAZ.
3. Set Destination Host to 10.88.0.2:22. This is the real IP address and port of the server.
4. Set Proxy Gateway to 10.0.3.11:8443. This is the access proxy address and port that are configured on the FortiGate.
5. Click Create.
6. Create a second rule with the following settings:
• Rule Name: RDP_winserver
• Destination Host: 10.88.0.1:3389
• Proxy Gateway: 10.0.3.11:8443

After creating the ZTNA connection rules, you can SSH and RDP directly to the server IP address and port.

Logs

RDP:

1: date=2021-03-24 time=23:42:35 eventtime=1616654555724552835 tz="-0700" logid="0000000010" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.0.3.2 srcport=50284 srcintf="port3" srcintfrole="wan" dstcountry="Reserved" srccountry="Reserved" dstip=10.88.0.1 dstport=3389 dstintf="root" dstintfrole="undefined" sessionid=109099 service="RDP" wanoptapptype="web-proxy" proto=6 action="accept" policyid=3 policytype="proxy-policy" poluuid="fe0e1ae8-bdf9-51eb-b86f-c5e2adb934b3" duration=13 wanin=1751 rcvdbyte=1751 wanout=1240 lanin=3034 sentbyte=3034 lanout=3929 appcat="unscanned"

SSH:

1: date=2021-03-24 time=23:44:13 eventtime=1616654653388681007 tz="-0700" logid="0000000010" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.0.3.2 srcport=50282 srcintf="port3" srcintfrole="wan" dstcountry="Reserved" srccountry="Reserved" dstip=10.88.0.2 dstport=22 dstintf="root" dstintfrole="undefined" sessionid=109027 service="SSH" wanoptapptype="web-proxy" proto=6 action="accept" policyid=3 policytype="proxy-policy" poluuid="fe0e1ae8-bdf9-51eb-b86f-c5e2adb934b3" duration=134 wanin=5457 rcvdbyte=5457 wanout=2444 lanin=4478 sentbyte=4478 lanout=7943 appcat="unscanned"

ZTNA proxy access with SAML authentication example

In this example, an HTTPS access proxy is configured, and SAML authentication is applied to authenticate the client. The FortiGate acts as the SAML SP and a SAML authenticator serves as the IdP. In addition to verifying the user and device identity with the client certificate, the user is also authorized based on user credentials to establish a trust context before granting access to the protected resource.

This example assumes that the FortiGate EMS fabric connector is already successfully connected.

To configure the access proxy VIP:

config firewall vip
    edit "ZTNA_server01"
        set type access-proxy
        set extip 172.18.62.32
        set extintf "any"
        set server-type https
        set extport 7831
        set ssl-certificate "Fortinet_CA_SSL"
    next
end

To configure access proxy server mappings:

config firewall access-proxy
    edit "ZTNA_server01"
        set vip "ZTNA_server01"
        set client-cert enable
        config api-gateway
            edit 1
                set service https
                config realservers
                    edit 1
                        set ip 172.18.62.25
                        set port 443
                    next
                end
            next
        end
    next
end

To configure a firewall policy for full ZTNA:

config firewall policy
    edit 2
        set name "Full_ZTNA_policy"
        set srcintf "port10"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "ZTNA_server01"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set nat enable
    next
end

To configure a SAML server:

config user saml
    edit "saml_ztna"
        set cert "Fortinet_CA_SSL"
        set entity-id "https://fgt9.myqalab.local:7831/samlap"
        set single-sign-on-url "https://fgt9.myqalab.local:7831/XX/YY/ZZ/saml/login/"
        set single-logout-url "https://fgt9.myqalab.local:7831/XX/YY/ZZ/saml/logout/"
        set idp-entity-id "http://MYQALAB.LOCAL/adfs/services/trust"
        set idp-single-sign-on-url "https://myqalab.local/adfs/ls"
        set idp-single-logout-url "https://myqalab.local/adfs/ls"
        set idp-cert "REMOTE_Cert_4"
        set digest-method sha256
        set adfs-claim enable
        set user-claim-type upn
        set group-claim-type group-sid
    next
end

To map the SAML server into an access proxy configuration:

config firewall access-proxy
    edit "ZTNA_server01"
        config api-gateway
            edit 3
                set service samlsp
                set saml-server "saml_ztna"
            next
        end
    next
end

To configure an LDAP server and an LDAP server group to verify user groups:

config user ldap
    edit "ldap-10.1.100.198"
        set server "10.1.100.198"
        set cnid "cn"
        set dn "dc=myqalab,dc=local"
        set type regular
        set username "cn=fosqa1,cn=users,dc=myqalab,dc=local"
        set password **********
        set group-search-base "dc=myqalab,dc=local"
    next
end
config user group
    edit "ldap-group-saml"
        set member "ldap-10.1.100.198"
    next
end

To configure the authentication settings, rule, and scheme to match the new SAML server:

config authentication setting
    set active-auth-scheme "saml_ztna"
    set captive-portal "fgt9.myqalab.local"
end
config authentication rule
    edit "saml_ztna"
        set srcintf "port10"
        set srcaddr "all"
        set ip-based disable
        set active-auth-method "saml_ztna"
        set web-auth-cookie enable
    next
end
config authentication scheme
    edit "saml_ztna"
        set method saml
        set saml-server "saml_ztna"
        set saml-timeout 30
        set user-database "ldap-10.1.100.198"
    next
end

To enable user group authentication in an access-proxy type firewall proxy-policy:

config firewall proxy-policy
    edit 6
        set name "ZTNA_remote"
        set proxy access-proxy
        set access-proxy "ZTNA_server01"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set groups "ldap-group-saml"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
    next
end

Testing the connection

To test the connection:

1. On a client PC, try to access the webpage through the HTTPS access proxy. For example, go to http://172.18.62.32:7831 in a browser.
2. The client PC is prompted for a client certificate. After the certificate is validated, you are redirected to the SAML login portal.
3. Enter your user credentials. The SAML server (IdP) authenticates the user and sends a SAML assertion response message to the FortiGate.
4. The FortiGate queries the LDAP server for the user's group membership, and then verifies it against the group or groups defined in the proxy policy.
5. The user is proxied to the webpage on the real web server.

Logs and debugs

Use the following command to check the user information after the user has been authenticated:

# diagnose wad user list
ID: 7, VDOM: vdom1, IPv4: 10.1.100.143
    user name : [email protected]
    worker : 0
    duration : 124
    auth_type : Session
    auth_method : SAML
    pol_id : 6
    g_id : 13
    user_based : 0
    expire : no
    LAN:
        bytes_in=25953 bytes_out=14158
    WAN:
        bytes_in=8828 bytes_out=6830

Event log:

1: date=2021-03-24 time=19:02:21 eventtime=1616637742066893182 tz="-0700" logid="0102043025" type="event" subtype="user" level="notice" vd="vdom1" logdesc="Explicit proxy authentication successful" srcip=10.1.100.143 dstip=172.18.62.32 authid="saml" user="[email protected]" group="N/A" authproto="HTTP(10.1.100.143)" action="authentication" status="success" reason="Authentication succeeded" msg="User [email protected] succeeded in authentication"

Traffic log:

1: date=2021-03-24 time=19:09:06 eventtime=1616638146541253587 tz="-0700" logid="0000000010" type="traffic" subtype="forward" level="notice" vd="vdom1" srcip=10.1.100.143 srcport=58084 srcintf="port10" srcintfrole="undefined" dstcountry="Reserved" srccountry="Reserved" dstip=172.18.62.25 dstport=443 dstintf="vdom1" dstintfrole="undefined" sessionid=8028 service="HTTPS" wanoptapptype="web-proxy" proto=6 action="accept" policyid=6 policytype="proxy-policy" poluuid="8dcfe762-8d0b-51eb-82bf-bfbee59b89f2" duration=8 user="[email protected]" group="ldap-group-saml" authserver="ldap-10.1.100.198" wanin=10268 rcvdbyte=10268 wanout=6723 lanin=7873 sentbyte=7873 lanout=10555 appcat="unscanned"

ZTNA IP MAC filtering example

In this example, firewall policies in ZTNA IP/MAC filtering mode are configured that use ZTNA tags to control access
between on-net devices and an internal web server. This mode does not require the use of the access proxy, and only
uses ZTNA tags for access control. Traffic is passed when the FortiClient endpoint is tagged as Low risk only. Traffic is
denied when the FortiClient endpoint is tagged with Malicious-File-Detected.

This example assumes that the FortiGate EMS fabric connector is already successfully connected.

To configure ZTNA in the GUI, go to System > Feature Visibility and enable Zero Trust Network Access.

To configure a Zero Trust tagging rule on the FortiClient EMS:

1. Log in to the FortiClient EMS.
2. Go to Zero Trust Tags > Zero Trust Tagging Rules, and click Add.
3. In the Name field, enter Malicious-File-Detected.
4. In the Tag Endpoint As dropdown list, select Malicious-File-Detected.
EMS uses this tag to dynamically group together endpoints that satisfy the rule, as well as any other rules that are configured to use this tag.
5. Click Add Rule then configure the rule:
a. For OS, select Windows.
b. From the Rule Type dropdown list, select File and click the + button.
c. Enter a file name, such as C:\virus.txt.
d. Click Save.
6. Click Save.

To configure a firewall policy in ZTNA IP/MAC filtering mode to block access in the GUI:

1. Go to Policy & Objects > Firewall Policy and click Create New.
2. Set Name to block-internal-malicious-access.
3. Enable ZTNA and select IP/MAC filtering.
4. Set ZTNA Tag to Malicious-File-Detected.
5. Set Incoming Interface to default.35.
6. Set Outgoing Interface to port3.
7. Set Source and Destination to all.
8. Set Service to ALL.
9. Set Action to DENY.
10. Enable Log Violation Traffic.
11. Configure the remaining settings as needed.
12. Click OK.

To configure a firewall policy in ZTNA IP/MAC filtering mode to allow access in the GUI:

1. Go to Policy & Objects > Firewall Policy and click Create New.
2. Set Name to allow-internal-access.
3. Enable ZTNA and select IP/MAC filtering.
4. Set ZTNA Tag to Low.
5. Set Incoming Interface to default.35.
6. Set Outgoing Interface to port3.
7. Set Source and Destination to all.
8. Set Service to ALL.
9. Set Action to ACCEPT.
10. Enable Log Violation Traffic and set it to All Sessions.
11. Configure the remaining settings as needed.
12. Click OK.

To configure firewall policies in ZTNA IP/MAC filtering mode to block and allow access in the CLI:

config firewall policy
    edit 29
        set name "block-internal-malicious-access"
        set srcintf "default.35"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set ztna-status enable
        set ztna-ems-tag "FCTEMS0000109188_Malicious-File-Detected"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 30
        set name "allow-internal-access"
        set srcintf "default.35"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set ztna-status enable
        set ztna-ems-tag "FCTEMS0000109188_Low"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set logtraffic all
        set nat enable
    next
end

Testing the access to the web server from the on-net client endpoint

Access allowed:

1. On the remote Windows PC, open FortiClient.
2. On the Zero Trust Telemetry tab, make sure that you are connected to the EMS server.
3. Open a browser and enter the address of the server.
4. The FortiGate checks your security posture by verifying your ZTNA tag and matching the corresponding allow-internal-access firewall policy, and you are allowed access to the web server.

Access denied:

1. On the remote Windows PC, trigger the Zero Trust Tagging Rule by creating the file in C:\virus.txt.
2. Open a browser and enter the address of the server.
3. FortiGate checks your security posture. Because EMS has tagged the PC with the Malicious-File-Detected tag, it
matches the block-internal-malicious-access firewall policy.
4. You are denied access to the web server.

Logs and debugs

Access allowed:

# diagnose endpoint record list
Record #1:
IP Address = 192.168.40.8
MAC Address = 24:b6:fd:fa:54:c1
MAC list = 24:b6:fd:fa:54:c1;54:15:cd:3f:f8:30;9c:b7:0d:2d:5c:d1;
VDOM = root (0)
EMS serial number: FCTEMS0000109188
Client cert SN: 563DA313367608678A3633E93C574F6F8BCB4A95
Public IP address: 192.157.105.35
Quarantined: no
Online status: online
Registration status: registered
On-net status: on-net
Gateway Interface: default.35
FortiClient version: 7.0.0
AVDB version: 0.0
FortiClient app signature version: 0.0
FortiClient vulnerability scan engine version: 2.30
FortiClient UID: F4F3263AEBE54777A6509A8FCCDF9284
….
Number of Routes: (1)
Gateway Route #0:
- IP:192.168.40.8, MAC: 24:b6:fd:fa:54:c1, Indirect: no
- Interface:default.35, VFID:0, SN: FGVM04TM21000144
online records: 1; offline records: 0; quarantined records: 0
# diagnose endpoint wad-comm find-by ip-vdom 192.168.40.8 root
UID: F4F3263AEBE54777A6509A8FCCDF9284
status code:ok
Domain:
User: keithli
Cert SN:563DA313367608678A3633E93C574F6F8BCB4A95
EMS SN: FCTEMS0000109188
Routes(1):
- route[0]: IP=192.168.40.8, VDom=root
Tags(2):
- tag[0]: name=all_registered_clients
- tag[1]: name=Low
# diagnose firewall dynamic list
List all dynamic addresses:
FCTEMS0000109188_all_registered_clients: ID(51)
ADDR(172.17.194.209)
ADDR(192.168.40.8)

FCTEMS0000109188_Low: ID(78)
ADDR(172.17.194.209)
ADDR(192.168.40.8)

FCTEMS0000109188_Malicious-File-Detected: ID(190)

# diagnose test application fcnacd 7
ZTNA Cache:
-uid F4F3263AEBE54777A6509A8FCCDF9284: { "tags": [ "all_registered_clients", "Low" ], "user_
name": "keithli", "client_cert_sn": "563DA313367608678A3633E93C574F6F8BCB4A95", "gateway_
route_list": [ { "gateway_info": { "fgt_sn": "FGVM04TM21000144", "interface": "default.35",
"vdom": "root" }, "route_info": [ { "ip": "192.168.40.8", "mac": "24-b6-fd-fa-54-c1",
"route_type": "direct" } ] } ], "ems_sn": "FCTEMS0000109188" }
# execute log display
49 logs found.
10 logs returned.
3.5% of logs has been searched.
38: date=2021-03-28 time=23:07:38 eventtime=1616998058790134389 tz="-0700"
logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root"
srcip=192.168.40.8 srcname="Fortinet-KeithL" srcport=51056 srcintf="default.35"
srcintfrole="undefined" dstip=192.168.20.6 dstport=443 dstintf="port3"
dstintfrole="undefined" srcuuid="5445be2e-5d7b-51ea-e2c3-ae6b7855c52f" dstuuid="5445be2e-
5d7b-51ea-e2c3-ae6b7855c52f" srccountry="Reserved" dstcountry="Reserved" sessionid=161585
proto=6 action="close" policyid=30 policytype="policy" poluuid="8f6ea492-9034-51eb-f197-
c00d803b7489" policyname="allow-internal-access" service="HTTPS" trandisp="snat"
transip=192.168.20.5 transport=51056 duration=2 sentbyte=3374 rcvdbyte=107732 sentpkt=50
rcvdpkt=80 fctuid="F4F3263AEBE54777A6509A8FCCDF9284" unauthuser="keithli"
unauthusersource="forticlient" appcat="unscanned" mastersrcmac="24:b6:fd:fa:54:c1"
srcmac="24:b6:fd:fa:54:c1" srcserver=0 dstosname="Windows" dstswversion="10"
masterdstmac="52:54:00:e3:4c:1a" dstmac="52:54:00:e3:4c:1a" dstserver=0

Access denied:

# diagnose endpoint wad-comm find-by ip-vdom 192.168.40.8 root
UID: F4F3263AEBE54777A6509A8FCCDF9284
status code:ok
Domain:
User: keithli
Cert SN:563DA313367608678A3633E93C574F6F8BCB4A95
EMS SN: FCTEMS0000109188
Routes(1):
- route[0]: IP=192.168.40.8, VDom=root
Tags(3):
- tag[0]: name=Malicious-File-Detected
- tag[1]: name=all_registered_clients
- tag[2]: name=Low
# diagnose firewall dynamic list
List all dynamic addresses:
FCTEMS0000109188_all_registered_clients: ID(51)
ADDR(172.17.194.209)
ADDR(192.168.40.8)

FCTEMS0000109188_Low: ID(78)
ADDR(172.17.194.209)
ADDR(192.168.40.8)

FCTEMS0000109188_Malicious-File-Detected: ID(190)
ADDR(172.17.194.209)
ADDR(192.168.40.8)

# diagnose test application fcnacd 7
ZTNA Cache:
-uid F4F3263AEBE54777A6509A8FCCDF9284: { "user_name": "keithli", "client_cert_sn":
"563DA313367608678A3633E93C574F6F8BCB4A95", "gateway_route_list": [ { "gateway_info": {
"fgt_sn": "FGVM04TM21000144", "interface": "default.35", "vdom": "root" }, "route_info": [ {
"ip": "192.168.40.8", "mac": "24-b6-fd-fa-54-c1", "route_type": "direct" } ] } ], "ems_sn":
"FCTEMS0000109188", "tags": [ "Malicious-File-Detected", "all_registered_clients", "Low" ] }
# execute log display
49 logs found.
10 logs returned.
3.5% of logs has been searched.

11: date=2021-03-28 time=23:14:41 eventtime=1616998481409744928 tz="-0700"
logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root"
srcip=192.168.40.8 srcname="Fortinet-KeithL" srcport=51140 srcintf="default.35"
srcintfrole="undefined" dstip=192.168.20.6 dstport=443 dstintf="port3"
dstintfrole="undefined" srcuuid="5445be2e-5d7b-51ea-e2c3-ae6b7855c52f" dstuuid="5445be2e-
5d7b-51ea-e2c3-ae6b7855c52f" srccountry="Reserved" dstcountry="Reserved" sessionid=162808
proto=6 action="deny" policyid=29 policytype="policy" poluuid="2835666c-9034-51eb-135d-
2f56e5f0f7a2" policyname="block-internal-malicious-access" service="HTTPS" trandisp="noop"
duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 fctuid="F4F3263AEBE54777A6509A8FCCDF9284"
unauthuser="keithli" unauthusersource="forticlient" appcat="unscanned" crscore=30
craction=131072 crlevel="high" mastersrcmac="24:b6:fd:fa:54:c1" srcmac="24:b6:fd:fa:54:c1"
srcserver=0
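The following Python script is an added example and is not code from the FortiOS guide, FortiOS or FortiClient. It reproduces the policy lookup that the logs and debugs above show: it parses the ZTNA cache entries printed by diagnose test application fcnacd 7 and the key=value forward traffic logs (both embedded here as trimmed, constructed copies of the output above), derives the <EMS serial>_<tag> dynamic address names that diagnose firewall dynamic list reports, walks the two IP/MAC filtering policies in table order, and checks that the policy and action the FortiGate logged are the ones the endpoint's tags select. The policy table and the treatment of a policy without "set action" as a deny are taken from the CLI configuration above; the mapping of log actions other than "deny" to an accepted session is an assumption.

```python
import json
import re

# Constructed samples, trimmed from the page's `diagnose test application fcnacd 7` output:
# the endpoint's ZTNA cache entry before and after EMS applied the Malicious-File-Detected tag.
ZTNA_CACHE_ALLOWED = ('{ "tags": [ "all_registered_clients", "Low" ], "user_name": "keithli", '
                      '"ems_sn": "FCTEMS0000109188" }')
ZTNA_CACHE_DENIED = ('{ "user_name": "keithli", "ems_sn": "FCTEMS0000109188", '
                     '"tags": [ "Malicious-File-Detected", "all_registered_clients", "Low" ] }')

# Constructed samples, trimmed from the page's `execute log display` forward traffic logs.
LOG_ALLOWED = ('date=2021-03-28 time=23:07:38 type="traffic" subtype="forward" srcip=192.168.40.8 '
               'srcname="Fortinet-KeithL" dstip=192.168.20.6 dstport=443 action="close" policyid=30 '
               'policyname="allow-internal-access" service="HTTPS" unauthuser="keithli"')
LOG_DENIED = ('date=2021-03-28 time=23:14:41 type="traffic" subtype="forward" srcip=192.168.40.8 '
              'dstip=192.168.20.6 dstport=443 action="deny" policyid=29 '
              'policyname="block-internal-malicious-access" crscore=30 crlevel="high"')

# The page's two IP/MAC filtering policies in lookup order. FortiOS evaluates policies top down,
# and a policy with no `set action` denies, so the malicious-tag policy must come first.
POLICIES = [
    {"id": 29, "name": "block-internal-malicious-access",
     "ztna_ems_tag": "FCTEMS0000109188_Malicious-File-Detected", "action": "deny"},
    {"id": 30, "name": "allow-internal-access",
     "ztna_ems_tag": "FCTEMS0000109188_Low", "action": "accept"},
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate_log(line):
    """Split a FortiGate key=value log line into a dict; quoted values may contain spaces."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def dynamic_addresses(cache_json):
    """Names of the dynamic addresses (<EMS serial>_<tag>) this endpoint belongs to,
    the same names that `diagnose firewall dynamic list` shows."""
    entry = json.loads(cache_json)
    return {f"{entry['ems_sn']}_{tag}" for tag in entry["tags"]}


def match_policy(cache_json, policies=POLICIES):
    """First policy whose ztna-ems-tag the endpoint carries, or None for the implicit deny."""
    member_of = dynamic_addresses(cache_json)
    for pol in policies:
        if pol["ztna_ems_tag"] in member_of:
            return pol
    return None


def verify_log_against_posture(log_line, cache_json, policies=POLICIES):
    """Check that the policy the FortiGate logged is the one the endpoint's tags select."""
    log = parse_fortigate_log(log_line)
    expected = match_policy(cache_json, policies)
    expected_id = str(expected["id"]) if expected else None
    expected_action = expected["action"] if expected else "deny"
    # Assumption: traffic logs record "close"/"accept"/"timeout" for allowed sessions, "deny" for blocked ones
    logged_action = "deny" if log.get("action") == "deny" else "accept"
    return {
        "policy_ok": log.get("policyid") == expected_id,
        "action_ok": logged_action == expected_action,
        "expected": expected["name"] if expected else "implicit deny",
        "logged": log.get("policyname"),
    }


if __name__ == "__main__":
    print(verify_log_against_posture(LOG_ALLOWED, ZTNA_CACHE_ALLOWED))
    print(verify_log_against_posture(LOG_DENIED, ZTNA_CACHE_DENIED))
```

Run against real output, the same functions can be fed the JSON from fcnacd and lines from execute log display one at a time; an endpoint whose tags match no policy falls through to the implicit deny, which is why the allow policy is keyed on a tag (Low) rather than on all_registered_clients.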

ZTNA TCP forwarding access proxy without encryption example - 7.0.1

TCP forwarding access proxy supports communication between the client and the access proxy without SSL/TLS
encryption. The connection still begins with a TLS handshake. The client uses the HTTP 101 response to switch
protocols and remove the HTTPS stack. Further end-to-end communication between the client and server is
encapsulated in the specified TCP port, but not encrypted by the access proxy. This improves performance by reducing
the overhead of encrypting an already secured underlying protocol, such as RDP, SSH, or FTPS. Users should still
enable the encryption option for end-to-end protocols that are insecure.
In this example, the encryption option to access the web server on HTTP/8080 is disabled to show that traffic for an
insecure connection protocol can be viewed in plain text in a protocol analyzer (such as Wireshark). In a real-life
deployment, the encryption option should be enabled for an insecure protocol.

To configure the access proxy VIP:

config firewall vip
edit "ZTNA-tcp-server"
set type access-proxy
set extip 10.0.3.11
set extintf "port3"
set server-type https
set extport 443
set ssl-certificate "Fortinet_SSL"
next
end

To configure the server addresses:

config firewall address
edit "winserver"
set subnet 10.88.0.1 255.255.255.255
next
end

To configure access proxy server mappings:

config firewall access-proxy
edit "ZTNA-tcp-server"
set vip "ZTNA-tcp-server"
set client-cert enable
config api-gateway
edit 1
set service tcp-forwarding
config realservers
edit 2
set address "winserver"
next
end
next
end
next
end

The mapped port (mappedport) is not specified, so the access proxy forwards to whichever port is defined in
FortiClient's ZTNA connection rule.

To configure a ZTNA rule (proxy policy):

config firewall proxy-policy
edit 0
set name "ZTNA-TCP"
set proxy access-proxy
set access-proxy "ZTNA-tcp-server"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set logtraffic all
next
end

To configure a firewall policy for full ZTNA:

config firewall policy
edit 0
set name "ZTNA-TCP"
set srcintf "port3"
set dstintf "any"
set srcaddr "all"
set dstaddr "ZTNA-tcp-server"
set action accept
set schedule "always"
set service "ALL"
set inspection-mode proxy
set logtraffic all
next
end

Test the connection to the access proxy

Before connecting, create a ZTNA rule in FortiClient.

To create a ZTNA rule in FortiClient:

1. Go to the ZTNA Connection Rules tab and click Add Rule.
2. Set Rule Name to Webserver HTTP.
3. Set Destination Host to 10.88.0.1:8080. This is the real IP address and port of the server.
4. Set Proxy Gateway to 10.0.3.11:443. This is the access proxy address and port that are configured on the
FortiGate.
5. Set Encryption to Disable. This option determines whether or not the Client to FortiGate access proxy connection is
encrypted in HTTPS.
6. Click Create.

After creating the ZTNA connection rule, open a browser and access the web page at http://10.88.0.1:8080.

Logs and debugs

1. The forward traffic log will show a log similar to this:


27: date=2021-07-13 time=13:05:00 eventtime=1626206700290129558 tz="-0700"
logid="0000000024" type="traffic" subtype="forward" level="notice" vd="root"
srcip=10.0.3.2 srcport=61409 srcintf="port3" srcintfrole="wan" dstcountry="Reserved"
srccountry="Reserved" dstip=10.88.0.1 dstport=8080 dstintf="root"
dstintfrole="undefined" sessionid=46959 service="tcp/8080" proto=6 action="accept"
policyid=3 policytype="proxy-policy" poluuid="fe0e1ae8-bdf9-51eb-b86f-c5e2adb934b3"
policyname="ZTNA-TCP" duration=114 wanin=38471 rcvdbyte=38471 wanout=775 lanin=2450
sentbyte=2450 lanout=40643 appcat="unscanned"

2. Use the following WAD debugs to capture the details about the connection as seen by the FortiGate WAD
daemon. Notice that the HTTP request has tls=0, indicating that the proxy connection between the client and access
proxy is not encrypted.
# diagnose wad debug enable category all
# diagnose wad debug enable level verbose
# diagnose debug enable
[I][p:224][s:46086][r:16777237] wad_dump_http_request :2542
hreq=0x7f20bdaf5950 Received request from client: 10.0.3.2:62067

GET /tcp?address=10.88.0.1&port=8080&tls=0 HTTP/1.1
Host: 10.0.3.11:443
User-Agent: Forticlient
Accept: */*
Cookie:
Authorization: Basic

After reviewing the details, disable or reset the debugs:
# diagnose debug reset

3. On the client PC, perform a packet capture to review the traffic flow between the client (10.0.3.2) and the access
proxy (10.0.3.11) in detail. While the traffic is encapsulated in port 443, the underlying HTTP/8080 requests and
traffic are decoded as clear text.
Packet capture of traffic between 10.0.3.2:60824<->10.0.3.11:443:

Traffic stream:
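As an added illustration of the point this example makes (this is not code from the guide, from FortiOS or from FortiClient), the following Python script scans WAD debug output of the kind shown in step 2 for FortiClient's GET /tcp?address=...&port=...&tls=... request lines and reports every ZTNA TCP forwarding rule that runs with tls=0 against a destination port whose protocol does not encrypt itself. The sample debug text is constructed from the request captured above plus two assumed request lines of the same shape (an RDP rule and an SSH rule with encryption enabled), and the table of self-encrypting ports is an assumption that follows the protocols the section names (RDP, SSH, FTPS).

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the WAD debug lines from the page plus two further request lines of the
# same shape (assumed, not from the page) for an RDP rule and an SSH rule with encryption on.
SAMPLE_WAD_DEBUG = """\
[I][p:224][s:46086][r:16777237] wad_dump_http_request :2542
hreq=0x7f20bdaf5950 Received request from client: 10.0.3.2:62067
GET /tcp?address=10.88.0.1&port=8080&tls=0 HTTP/1.1
Host: 10.0.3.11:443
User-Agent: Forticlient
GET /tcp?address=10.88.0.2&port=3389&tls=0 HTTP/1.1
Host: 10.0.3.11:443
GET /tcp?address=10.88.0.3&port=22&tls=1 HTTP/1.1
Host: 10.0.3.11:443
"""

# Assumption: destination ports whose protocol already encrypts end to end, so dropping the
# client-to-proxy HTTPS encapsulation only removes redundant overhead.
SELF_ENCRYPTED_PORTS = {22: "SSH", 443: "HTTPS", 636: "LDAPS", 990: "FTPS", 3389: "RDP"}


def parse_tcp_forward_request(request_line):
    """Decode FortiClient's `GET /tcp?address=..&port=..&tls=..` line into a dict, or None."""
    parts = request_line.split()
    if len(parts) != 3 or parts[0] != "GET" or not parts[1].startswith("/tcp?"):
        return None
    qs = parse_qs(urlsplit(parts[1]).query)
    return {
        "address": qs["address"][0],
        "port": int(qs["port"][0]),
        # FortiClient sends tls=0 when the rule's Encryption option is disabled
        "tls": qs.get("tls", ["1"])[0] != "0",
    }


def classify(req):
    """tls=0 is acceptable only when the forwarded protocol protects itself."""
    if req["tls"]:
        return "ok", "client-to-proxy leg is HTTPS encapsulated"
    proto = SELF_ENCRYPTED_PORTS.get(req["port"])
    if proto:
        return "ok", f"tls=0 but {proto} encrypts end to end"
    return "exposed", "tls=0 and the forwarded protocol is not encrypted; payload is readable on the wire"


def audit_wad_debug(debug_output):
    """Walk WAD debug output and return one finding per tcp-forwarding request."""
    findings = []
    for line in debug_output.splitlines():
        req = parse_tcp_forward_request(line.strip())
        if req:
            risk, reason = classify(req)
            findings.append({**req, "risk": risk, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_wad_debug(SAMPLE_WAD_DEBUG):
        print(f"{f['address']}:{f['port']} tls={int(f['tls'])} -> {f['risk']}: {f['reason']}")
```

The port table is deliberately short; a port not in it is treated as unprotected, which errs on the side of reporting, and a rule that forwards a self-encrypting protocol on a non-standard port can be added to the table rather than silenced.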

ZTNA IPv6 examples - 7.0.1

IPv6 can be configured in ZTNA in several scenarios:


l IPv6 Client — IPv6 Access Proxy — IPv6 Server
l IPv6 Client — IPv6 Access Proxy — IPv4 Server
l IPv4 Client — IPv4 Access Proxy — IPv6 Server
These examples show the basic configuration for each scenario. It is assumed that the EMS fabric connector is already
successfully connected.

Example 1: IPv6 Client — IPv6 Access Proxy — IPv6 Server

To configure the FortiGate:

1. Configure the IPv6 access proxy VIP:


config firewall vip6
edit "zv6"
set type access-proxy
set extip 2000:172:18:62::66
set server-type https
set extport 6443
set ssl-certificate "cert"
next
end

2. Configure a virtual host:


config firewall access-proxy-virtual-host
edit "vhost_ipv6"
set ssl-certificate "cert"
set host "qa6.test.com"
next
end

The client uses this address to connect to the access proxy.


3. Configure an IPv6 access proxy and IPv6 api-gateway, apply the VIP6 and virtual host to it, and assign an IPv6
address to the realserver:
config firewall access-proxy6
edit "zs6"
set vip "zv6"
config api-gateway6
edit 1
set virtual-host "vhost_ipv6"
config realservers
edit 1
set ip 2000:172:16:200::209
next
end
next
end
next
end

4. Apply the IPv6 access proxy to a proxy policy:


config firewall proxy-policy
edit 1
set name "ztna_rule"
set proxy access-proxy
set access-proxy6 "zs6"
set srcintf "port2"
set action accept
set schedule "always"
set logtraffic all
set srcaddr6 "all"
set dstaddr6 "all"
set utm-status enable
set ssl-ssh-profile "custom-deep-inspection"
set webfilter-profile "monitor-all"
next
end

5. Apply the IPv6 VIP to a firewall policy:


config firewall policy
edit 4
set name "ZTNA"
set srcintf "port2"
set dstintf "any"
set action accept
set srcaddr6 "all"
set dstaddr6 "zv6"
set schedule "always"
set service "ALL"
set inspection-mode proxy
set logtraffic all
set nat enable
next
end

To test the configuration:

1. On an IPv6 client, ensure that the address qa6.test.com resolves to the IPv6 VIP address of 2000:172:18:62::66.
2. In a browser, connect to https://qa6.test.com:6443.
3. After device certificate verification, the browser will open up the webpage on the IPv6 real server.
4. In the Forward Traffic Log, the following log is available:
3: date=2021-06-25 time=13:38:18 eventtime=1624653498459580215 tz="-0700"
logid="0000000024" type="traffic" subtype="forward" level="notice" vd="root"
srcip=2000:10:1:100::214 srcport=55957 srcintf="port2" srcintfrole="undefined"
dstcountry="Reserved" srccountry="Reserved" dstip=2000:172:16:200::209 dstport=443
dstintf="root" dstintfrole="undefined" sessionid=92406 service="HTTPS" proto=6
action="accept" policyid=1 policytype="proxy-policy" poluuid="7afdac8c-d5db-51eb-dfc6-
67bb86e4bdcf" policyname="ztna_rule" duration=5 wanin=2031 rcvdbyte=2031 wanout=1332
lanin=1247 sentbyte=1247 lanout=950 appcat="unscanned" utmaction="allow" countweb=1
utmref=65445-0

Example 2: IPv6 Client — IPv6 Access Proxy — IPv4 Server

To configure the FortiGate:

1. Configure the IPv6 access proxy VIP:


config firewall vip6
edit "zv6"
set type access-proxy
set extip 2000:172:18:62::66
set server-type https
set extport 6443
set ssl-certificate "cert"
next
end

2. Configure a virtual host:


config firewall access-proxy-virtual-host
edit "vhost_ipv6"
set ssl-certificate "cert"
set host "qa6.test.com"
next
end

The client uses this address to connect to the access proxy.


3. Configure an IPv6 access proxy and IPv6 api-gateway, apply the VIP6 and virtual host to it, and assign an IPv4
address to the realserver:
config firewall access-proxy6
edit "zs6"
set vip "zv6"
config api-gateway6
edit 1
set virtual-host "vhost_ipv6"
config realservers
edit 1
set ip 172.16.200.209
next
end
next
end
next
end

4. Apply the IPv6 access proxy to a proxy policy:


config firewall proxy-policy
edit 1
set name "ztna_rule"
set proxy access-proxy
set access-proxy6 "zs6"
set srcintf "port2"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set logtraffic all
set srcaddr6 "all"
set dstaddr6 "all"
set utm-status enable
set ssl-ssh-profile "custom-deep-inspection"
set webfilter-profile "monitor-all"
next
end

5. Apply the IPv6 VIP to a firewall policy:


config firewall policy
edit 4
set name "ZTNA"
set srcintf "port2"
set dstintf "any"
set action accept
set srcaddr6 "all"
set dstaddr6 "zv6"
set schedule "always"
set service "ALL"
set inspection-mode proxy
set logtraffic all
set nat enable
next
end

To test the configuration:

1. On an IPv6 client, ensure that the address qa6.test.com resolves to the IPv6 VIP address of 2000:172:18:62::66.
2. In a browser, connect to https://qa6.test.com:6443.
3. After device certificate verification, the browser will open up the webpage on the IPv4 real server.
4. In the Forward Traffic Log, the following log is available:
2: date=2021-06-25 time=13:46:54 eventtime=1624654014129553521 tz="-0700"
logid="0000000024" type="traffic" subtype="forward" level="notice" vd="root"
srcip=2000:10:1:100::214 srcport=60530 srcintf="port2" srcintfrole="undefined"
dstcountry="Reserved" srccountry="Reserved" dstip=172.16.200.209 dstport=443
dstintf="root" dstintfrole="undefined" sessionid=219 service="HTTPS" proto=6
action="accept" policyid=1 policytype="proxy-policy" poluuid="7afdac8c-d5db-51eb-dfc6-
67bb86e4bdcf" policyname="ztna_rule" duration=5 wanin=2028 rcvdbyte=2028 wanout=1321
lanin=1236 sentbyte=1236 lanout=947 appcat="unscanned" utmaction="allow" countweb=1
utmref=65443-14

Example 3: IPv4 Client — IPv4 Access Proxy — IPv6 Server

To configure the FortiGate:

1. Configure the IPv4 access proxy VIP:


config firewall vip
edit "zv4"
set type access-proxy
set extip 172.18.62.66
set extintf "any"
set server-type https
set extport 4443
set ssl-certificate "cert"
next
end

2. Configure a virtual host:


config firewall access-proxy-virtual-host
edit "vhost_ipv4"
set ssl-certificate "cert"
set host "qa.test.com"
next
end

The client uses this address to connect to the access proxy.


3. Configure an IPv4 access proxy and IPv6 api-gateway, apply the VIP and virtual host to it, and assign an IPv6
address to the realserver:
config firewall access-proxy
edit "zs4"
set vip "zv4"
config api-gateway6
edit 1
set virtual-host "vhost_ipv4"
config realservers
edit 1
set ip 2000:172:16:200::209
next
end
next
end
next
end

4. Apply the IPv4 access proxy to a proxy policy:


config firewall proxy-policy
edit 1
set name "ztna_rule"
set proxy access-proxy
set access-proxy "zs4"
set srcintf "port2"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set logtraffic all
set srcaddr6 "all"
set dstaddr6 "all"
set utm-status enable
set ssl-ssh-profile "custom-deep-inspection"
set webfilter-profile "monitor-all"
next
end

5. Apply the IPv4 VIP to a firewall policy:


config firewall policy
edit 4
set name "ZTNA"
set srcintf "port2"
set dstintf "any"
set action accept
set srcaddr "all"
set dstaddr "zv4"
set schedule "always"
set service "ALL"
set inspection-mode proxy
set logtraffic all
set nat enable
next
end

To test the configuration:

1. On an IPv4 client, ensure that the address qa6.test.com resolves to the IPv4 VIP address of 172.18.62.66.
2. In a browser, connect to https://qa6.test.com:6443.
3. After device certificate verification, the browser will open up the webpage on the IPv6 real server.
4. In the Forward Traffic Log, the following log is available:
1: date=2021-06-25 time=13:52:30 eventtime=1624654350689576485 tz="-0700"
logid="0000000024" type="traffic" subtype="forward" level="notice" vd="root"
srcip=10.1.100.206 srcport=53492 srcintf="port2" srcintfrole="undefined"
dstcountry="Reserved" srccountry="Reserved" dstip=2000:172:16:200::209 dstport=443
dstintf="root" dstintfrole="undefined" sessionid=726 service="HTTPS" proto=6
action="accept" policyid=1 policytype="proxy-policy" poluuid="7afdac8c-d5db-51eb-dfc6-
67bb86e4bdcf" policyname="ztna_rule" duration=0 wanin=1901 rcvdbyte=1901 wanout=736
lanin=569 sentbyte=569 lanout=3040 appcat="unscanned" utmaction="allow" countweb=1
utmref=65443-28

ZTNA SSH access proxy example - 7.0.1

ZTNA can be configured with SSH access proxy to provide a seamless SSH connection to the server.
Advantages of using an SSH access proxy instead of a TCP forwarding access proxy include:
l Establishing device trust context with user identity and device identity checks.
l Applying SSH deep inspection to the traffic through the SSH related profile.
l Performing optional SSH host-key validation of the server.
l Using one-time user authentication to authenticate the ZTNA SSH access proxy connection and the SSH server
connection.

Perform SSH host-key validation of the server

To act as a reverse proxy for the SSH server, the FortiGate must perform SSH host-key validation to verify the identity of
the SSH server. The FortiGate does this by storing the public key of the SSH server in its SSH host-key configurations.
When a connection is made to the SSH server, if the public key matches one that is used by the server, then the
connection is established. If there is no match, then the connection fails.

One-time user authentication

SSH access proxy allows user authentication to occur between the client and the access proxy, while using the same
user credentials to authenticate with the SSH server. The following illustrates how this works:

1. The remote endpoint registers to FortiClient EMS and receives the client certificate.
2. The remote endpoint tries to connect to the SSH access proxy. It must use the same username that is later used for
access proxy authentication.
3. The FortiGate challenges the endpoint with device identity validation.
4. The remote endpoint provides the EMS issued certificate for device identification.
5. The FortiGate challenges the endpoint with user authentication. For example, this could be done with basic or
SAML authentication.
6. The user enters their credentials on the remote endpoint.
7. The FortiGate authenticates the user and collects the username.
8. Using the FortiGate's CA or the customer's CA certificate, the FortiGate signs an SSH certificate and embeds the
username in its principal.
9. The FortiGate attempts to connect to the SSH server using the certificate authentication.
10. The SSH server verifies the authenticity of the certificate, and matches the username principal against its
authorized_keys file.
11. If the username matches a record in the file, then the SSH connection is established. If no match is found, then the
SSH connection fails.

Example

In this example, an SSH connection is established using SSH access proxy with host-key validation and one-time
authentication.
l The SSH server is a Linux based server that uses sshd to provide remote access.
l For SSH host-key validation, the public key of the SSH server has been imported into the FortiGate.
l For one-time authentication using certificate authentication:
l The SSH server must allow certificate authentication.
l The SSH server must have the proper entry in its authorized_keys file that contains the user principal and the
FortiGate CA's public key.
l The entry is present in the user directory corresponding to the user that is trying to log in.

To pre-configure the Linux SSH server:

1. Retrieve the public key used for host-key validation:


a. Locate the public key files in the SSH server:
$ ls -la /etc/ssh/*.pub
-rw-r--r-- 1 root root 186 Mar 29 2020 /etc/ssh/ssh_host_ecdsa_key.pub
-rw-r--r-- 1 root root 106 Mar 29 2020 /etc/ssh/ssh_host_ed25519_key.pub
-rw-r--r-- 1 root root 406 Mar 29 2020 /etc/ssh/ssh_host_rsa_key.pub

b. Choose the public key file based on the key type (in this case, ECDSA), and show its content:
$ cat /etc/ssh/ssh_host_ecdsa_key.pub
ecdsa-sha2-nistp256 AAAAE2*********IpEik=

This key will be used when configuring the FortiGate.


2. Retrieve the FortiGate CA’s public key from the FortiGate:
# show full firewall ssh local-ca Fortinet_SSH_CA
config firewall ssh local-ca
edit "Fortinet_SSH_CA"
set password ENC <hidden password>
set private-key "-----BEGIN OPENSSH PRIVATE KEY-----
<hidden private key>
-----END OPENSSH PRIVATE KEY-----"
set public-key "ssh-rsa AAAAB3**********JLXlxj3"
set source built-in
next
end

3. On the Linux server, enable the SSH service to use the authorized_keys file:
a. Locate and edit the /etc/ssh/sshd_config file.
b. Ensure that the AuthorizedKeysFile line is uncommented, for example:
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2

4. Allow remote SSH log in with certificate authentication and principal name:
a. Log in to the SSH server using the account that will be granted remote SSH access (in this example: radCurtis).
b. Locate the account's authorized_keys file in the ~/.ssh directory:
$ ls -la ~/.ssh
total 12
drwxrwxr-x 2 radCurtis radCurtis 4096 Aug 10 19:14 .
drwxr-xr-x 5 radCurtis radCurtis 4096 Aug 10 19:13 ..
-rw-rw-r-- 1 radCurtis radCurtis 419 Aug 10 19:14 authorized_keys

c. If the directory and file do not exist, create the directory:
$ mkdir ~/.ssh

d. Create an entry containing the following keywords and add it to the authorized_keys file:
$ echo 'cert-authority,principals="radCurtis" ssh-rsa AAAAB3**********JLXlxj3' >> ~/.ssh/authorized_keys

Where:
l cert-authority - indicates that this entry is used in certificate authentication by validating the
certificate using the public key provided in this entry.
l principals="radCurtis" - indicates the user that must match with the username embedded in the
SSH certificate.
l ssh-rsa AAAAB3**********JLXlxj3 - indicates the FortiGate CA’s public key that is used to validate
the SSH certificate.
5. Restart the sshd service:
$ sudo systemctl stop sshd
$ sudo systemctl start sshd

The SSH server can now accept SSH connection from radCurtis@<server IP>, where the SSH certificate used by
the FortiGate to log in contains radCurtis embedded as a principal.

When a user connects from a SSH client using <username>@<server IP>, sshd will locate the
authorized_keys file in the directory /home/<username>/.ssh/authorized_keys. If the
authorized_keys is not in that directory, authentication will fail on the SSH server side.
If you suspect that authentication is failing on the SSH server, use the following commands to
manually start sshd in debug mode to troubleshoot:
$ sudo systemctl stop sshd

$ /usr/sbin/sshd -ddd -p 22
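The two server-side checks described above, host-key validation of the SSH server and the cert-authority entry in authorized_keys (steps 10 and 11 of the one-time authentication flow), as an added Python example. This is not sshd or FortiGate code; it models the decisions those components make, using the redacted keys from this page as constructed sample values. host_key_matches compares a pinned host key against the key a server presents, ignoring the comment field, and accepts_certificate parses an authorized_keys line and answers whether a certificate signed by the given CA and carrying the given principals would be accepted for a login user. The behaviour when the principals= option is absent (the login name itself must appear among the certificate's principals) follows OpenSSH's documented rule and is an assumption about the server in this example.

```python
# Constructed sample values, taken from the page's redacted keys: the FortiGate SSH CA public key,
# the Linux server's ECDSA host key as the FortiGate stores it, and the authorized_keys entry.
FORTIGATE_CA_PUBKEY = "ssh-rsa AAAAB3**********JLXlxj3"
STORED_HOST_KEY = "ecdsa-sha2-nistp256 AAAAE2*********IpEik="
AUTHORIZED_KEYS_ENTRY = 'cert-authority,principals="radCurtis" ssh-rsa AAAAB3**********JLXlxj3'


def key_blob(public_key_line):
    """(key type, base64 key material) of an OpenSSH public key line; a trailing comment is ignored."""
    parts = public_key_line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    return parts[0], parts[1]


def host_key_matches(stored, presented):
    """Host-key validation: the key the server presents must equal the pinned key in type and material."""
    return key_blob(stored) == key_blob(presented)


def _split_outside_quotes(text, is_sep):
    """Split text at separator characters that are not inside double quotes."""
    parts, cur, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if is_sep(ch) and not quoted:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p for p in parts if p]


def parse_authorized_keys_entry(entry):
    """Split an authorized_keys line into its options, key type and key material."""
    words = _split_outside_quotes(entry.strip(), str.isspace)
    if words[0].startswith(("ssh-", "ecdsa-", "sk-")):
        options, key = "", " ".join(words)          # no options field on this line
    else:
        options, key = words[0], " ".join(words[1:])
    opts = {}
    for opt in _split_outside_quotes(options, lambda c: c == ","):
        name, _, value = opt.partition("=")
        opts[name] = value.strip('"') if value else True
    ktype, blob = key_blob(key)
    return {"options": opts, "key_type": ktype, "key": blob}


def accepts_certificate(entry, ca_public_key, cert_principals, login_user):
    """Would sshd accept a certificate signed by ca_public_key, carrying cert_principals, for
    login_user on the strength of this authorized_keys entry? (Mirrors steps 10 and 11 above.)"""
    parsed = parse_authorized_keys_entry(entry)
    if "cert-authority" not in parsed["options"]:
        return False                             # a plain key entry never accepts a certificate
    if (parsed["key_type"], parsed["key"]) != key_blob(ca_public_key):
        return False                             # signed by a CA this entry does not trust
    allowed = parsed["options"].get("principals")
    if allowed is None:
        # Assumption (OpenSSH rule): without principals=, the login name must be a certificate principal
        return login_user in cert_principals
    return any(p in allowed.split(",") for p in cert_principals)
```

The principals= option is what ties the FortiGate-signed certificate to one account: an entry that trusts the CA but omits it would accept any certificate from that CA whose principals include the login name, so keep the option on every cert-authority line the FortiGate CA is added to.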

To configure the FortiGate:

1. Configure a new VIP to allow access to the SSH access proxy over 192.168.2.87:443:
config firewall vip
edit "ZTNA_SSH"
set type access-proxy
set extip 192.168.2.87
set extintf "any"
set server-type https
set extport 443
set ssl-certificate "Fortinet_CA_SSL"
next
end

2. Configure the address object for the SSH server:
config firewall address
edit "SSH_server"
set subnet 192.168.20.1 255.255.255.255
next
end

3. Configure the host-key that will be used to authenticate the SSH server. The public key was retrieved when
pre-configuring the Linux SSH server (step 1b).
config firewall ssh host-key
edit "ecdsa"
set type ECDSA
set usage access-proxy
set public-key "AAAAE2**********IpEik="
next
end

4. Configure the access proxy SSH client certificate:


A CA certificate is assigned to sign the SSH certificate that will be used in the SSH authentication. The SSH
certificate will have the username embedded in the certificate principal.
config firewall access-proxy-ssh-client-cert
edit "ssh-access-proxy"
set source-address enable
set auth-ca "Fortinet_SSH_CA"
next
end

5. Configure the access-proxy server setting:


config firewall access-proxy
edit "ZTNA_SSH"
set vip "ZTNA_SSH"
set client-cert enable
config api-gateway
edit 1
set url-map "tcp"
set service tcp-forwarding
config realservers
edit 1
set address "SSH_server"
set type ssh
set ssh-client-cert "ssh-access-proxy"
set ssh-host-key-validation enable
set ssh-host-key "ecdsa"
next
end
next
end
next
end

6. Configure the RADIUS setting, user setting, and user group to apply user authentication to the access proxy
connection using RADIUS:
config user radius
edit "Win2k16-Radius"
set server "192.168.20.6"
set secret ENC <secret>
next
end
config user local
edit "radCurtis"
set type radius
set radius-server "Win2k16-Radius"
next
end
config user group
edit "radius_group"
set member "radCurtis" "Win2k16-Radius"
next
end

7. Create the authentication scheme and rule to perform the authentication:


config authentication scheme
edit "basic_auth"
set method basic
set user-database "Win2k16-Radius"
next
end
config authentication rule
edit "ztna-basic"
set srcaddr "all"
set ip-based disable
set active-auth-method "basic_auth"
set web-auth-cookie enable
next
end

8. Configure the ZTNA rule to allow traffic to the SSH server, and apply user authentication, posture check, and a
security profile where necessary:
config firewall proxy-policy
edit 5
set name "SSH-proxy"
set proxy access-proxy
set access-proxy "ZTNA_SSH"
set srcaddr "all"
set dstaddr "all"
set ztna-ems-tag "FCTEMS8821001056_ems138_av_tag"
set action accept
set schedule "always"
set groups "radius_group"
set utm-status enable
set ssl-ssh-profile "custom-deep-inspection"
next
end

9. Configure the firewall policy to allow the client connection to the SSH access proxy over the VIP:
config firewall policy
edit 35
set name "full-ztna-ssh"
set srcintf "port1"
set dstintf "any"
set action accept
set srcaddr "all"
set dstaddr "ZTNA_SSH"
set schedule "always"
set service "ALL"
set inspection-mode proxy
set logtraffic all
set nat enable
next
end
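Each of the ZTNA configurations above (the three IPv6 examples and this SSH access proxy) chains objects together by name: a VIP referenced from the access proxy, an address object and an SSH host-key referenced from a realserver, and the access proxy referenced from the ZTNA rule (proxy policy). A typo in any of those names is silent until a connection fails. The following Python script is an added example, not part of FortiOS, that parses a saved CLI configuration of the config/edit/set/next/end form shown in these examples and reports references to objects that are not defined. The inline configuration is a constructed sample in the shape of the SSH example above, with one deliberate slip (the realserver pins a host-key named ed25519 while only ecdsa is configured) to show what the check catches.

```python
import shlex


def parse_fortios(text):
    """Parse FortiOS CLI text (config/edit/set/next/end) into nested dicts: table -> entry -> attrs."""
    stack = [{}]                                   # stack[0] is the root; each config/edit pushes a dict
    for raw in text.splitlines():
        if not raw.strip():
            continue
        kw, *args = shlex.split(raw)
        if kw in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "set":                          # multi-value sets (e.g. subnet) become lists
            stack[-1][args[0]] = args[1:] if len(args) > 2 else args[1]
        elif kw in ("next", "end"):
            stack.pop()
    return stack[0]


def _values(value):
    return value if isinstance(value, list) else [value]


def check_references(cfg):
    """List every reference between the ZTNA objects that names an object cfg does not define."""
    problems = []
    vips = set(cfg.get("firewall vip", {})) | set(cfg.get("firewall vip6", {}))
    addrs = set(cfg.get("firewall address", {})) | set(cfg.get("firewall address6", {}))
    host_keys = set(cfg.get("firewall ssh host-key", {}))
    proxies = set()
    for table in ("firewall access-proxy", "firewall access-proxy6"):
        for name, ap in cfg.get(table, {}).items():
            proxies.add(name)
            if ap.get("vip") not in vips:
                problems.append(f"{table} {name}: vip {ap.get('vip')!r} is not defined")
            for gw_table in ("api-gateway", "api-gateway6"):
                for gw_id, gw in ap.get(gw_table, {}).items():
                    for rs_id, rs in gw.get("realservers", {}).items():
                        where = f"{table} {name} {gw_table} {gw_id} realservers {rs_id}"
                        if "address" in rs and rs["address"] not in addrs:
                            problems.append(f"{where}: address {rs['address']!r} is not defined")
                        if rs.get("ssh-host-key-validation") == "enable":
                            for hk in _values(rs.get("ssh-host-key", [])):
                                if hk not in host_keys:
                                    problems.append(f"{where}: ssh-host-key {hk!r} is not defined")
    for pid, pol in cfg.get("firewall proxy-policy", {}).items():
        ref = pol.get("access-proxy") or pol.get("access-proxy6")
        if ref not in proxies:
            problems.append(f"firewall proxy-policy {pid}: access-proxy {ref!r} is not defined")
    return problems


# Constructed sample in the shape of the SSH access proxy configuration above, with one deliberate
# slip: the realserver pins host-key "ed25519" but only "ecdsa" is configured.
SAMPLE_CONFIG = """
config firewall vip
    edit "ZTNA_SSH"
        set type access-proxy
    next
end
config firewall address
    edit "SSH_server"
        set subnet 192.168.20.1 255.255.255.255
    next
end
config firewall ssh host-key
    edit "ecdsa"
        set type ECDSA
    next
end
config firewall access-proxy
    edit "ZTNA_SSH"
        set vip "ZTNA_SSH"
        config api-gateway
            edit 1
                config realservers
                    edit 1
                        set address "SSH_server"
                        set type ssh
                        set ssh-host-key-validation enable
                        set ssh-host-key "ed25519"
                    next
                end
            next
        end
    next
end
config firewall proxy-policy
    edit 5
        set access-proxy "ZTNA_SSH"
    next
end
"""


def audit_sample():
    """Run the reference check over the constructed sample; returns the list of problems found."""
    return check_references(parse_fortios(SAMPLE_CONFIG))
```

The same parser accepts the output of show full-configuration pasted into a file; the realserver entries of the IPv6 examples, which use set ip rather than set address, pass through the address check untouched.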

To check the results:

1. On the remote client, open FortiClient, go to the Zero Trust Telemetry tab, and make sure that it is connected to the
EMS server.
2. Go to the ZTNA Connection Rules tab and click Add Rule.
3. Configure the rule, then click Create:
Rule Name: SSH-Linux
Destination Host: 192.168.20.1:22
Proxy Gateway: 192.168.2.87:443
Mode: Transparent
Encryption: Disabled (recommended)

When Encryption is disabled, the connection between the client and FortiGate access proxy is not encapsulated in
HTTPS after the client and FortiGate connection is established. This allows for less overhead, because SSH is
already a secure connection. This option is available in FortiClient 7.0.1 and later releases.
4. Open an SSH client, such as PuTTY, and make an SSH connection to radCurtis@192.168.20.1 on port 22.
5. After device authentication is performed and passes in the background, FortiClient prompts the user to sign in.
Enter the username, radCurtis, and password, then click Sign in.

After successful user authentication, the SSH connection is established without an additional log in.

6. On the FortiGate, check the logged in user:


a. Go to Dashboard > Users & Devices and expand the Firewall Users widget.
b. Check the WAD proxy user list:
# diagnose wad user list
ID: 2, VDOM: root, IPv4: 10.10.10.25
user name : radCurtis
worker : 0
duration : 614
auth_type : Session
auth_method : Basic
pol_id : 5
g_id : 12
user_based : 0
expire : 53
LAN:
bytes_in=3403 bytes_out=5699
WAN:
bytes_in=3681 bytes_out=3132

7. The successful connection is logged in the forward traffic logs after the SSH connection has disconnected:
# execute log display
25 logs found.
10 logs returned.

1: date=2021-08-11 time=17:59:56 eventtime=1628729996110159120 tz="-0700"
logid="0000000024" type="traffic" subtype="forward" level="notice" vd="root"
srcip=10.10.10.25 srcport=50627 srcintf="port1" srcintfrole="wan" dstcountry="Reserved"
srccountry="Reserved" dstip=192.168.20.1 dstport=22 dstintf="root"
dstintfrole="undefined" sessionid=1926338 srcuuid="5445be2e-5d7b-51ea-e2c3-ae6b7855c52f"
service="SSH" proto=6 action="accept" policyid=5 policytype="proxy-policy"
poluuid="16fb5550-e976-51eb-e76c-d45e96dfa5dc" policyname="SSH-proxy" duration=67
user="radCurtis" group="radius_group" authserver="Win2k16-Radius" wanin=3681
rcvdbyte=3681 wanout=3132 lanin=3403 sentbyte=3403 lanout=5699 appcat="unscanned"

Migrating from SSL VPN to ZTNA HTTPS access proxy

ZTNA can be used to replace VPN based teleworking solutions. Teleworking configurations that use SSL VPN tunnel or
web portal mode access with LDAP user authentication can be migrated to ZTNA with HTTPS access proxy.

Scenarios

SSL VPN tunnel mode access with LDAP user authentication

Remote users that are in the ALLOWED-VPN active directory group have access to a specific web server when they
connect through the SSL VPN tunnel. The FortiGate enables split tunneling to the web server so that only traffic to that
destination is routed through the tunnel. The web server hosts internal websites that are only accessible by employees.

SSL VPN web mode access with LDAP user authentication

Remote users that are in the ALLOWED-VPN active directory group have access to a specific web server when they
connect through the SSL VPN web portal. The web server hosts internal websites that are only accessible by
employees. The pre-defined bookmark to the internal website is the only site that allows remote access.

Configuration

To configure an LDAP server:

config user ldap
edit "WIN2K16-KLHOME-LDAPS"
set server "192.168.20.6"
set server-identity-check disable
set cnid "sAMAccountName"
set dn "dc=KLHOME,dc=local"
set type regular
set username "KLHOME\\Administrator"
set password **********
set secure ldaps
set ca-cert "CA_Cert_1"
set port 636
next
end


To configure a user group:

config user group
edit "KLHOME-ALLOWED-VPN"
set member "WIN2K16-KLHOME-LDAPS"
config match
edit 1
set server-name "WIN2K16-KLHOME-LDAPS"
set group-name "CN=ALLOWED-VPN,DC=KLHOME,DC=local"
next
end
next
end

To configure the tunnel mode portal and SSL VPN settings:

config vpn ssl web portal
edit "tunnel-access"
set tunnel-mode enable
set ip-pools "SSLVPN_TUNNEL_ADDR1"
next
end
config vpn ssl settings
set servercert "Fortinet_Factory"
set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
set source-interface "port1"
set source-address "all"
set source-address6 "all"
set default-portal "no-access"
config authentication-rule
edit 1
set groups "KLHOME-ALLOWED-VPN"
set portal "tunnel-access"
next
end
end

To configure the web mode portal and SSL VPN settings:

config vpn ssl web portal
edit "web-access"
set web-mode enable
set user-bookmark disable
config bookmark-group
edit "gui-bookmarks"
config bookmarks
edit "winserver"
set url "https://192.168.20.6"
next
end
next
end
set display-connection-tools disable
next
end
config vpn ssl settings
set servercert "Fortinet_Factory"
set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
set source-interface "port1"
set source-address "all"
set source-address6 "all"
set default-portal "no-access"
config authentication-rule
edit 1
set groups "KLHOME-ALLOWED-VPN"
set portal "web-access"
next
end
end

To configure a firewall address and policy:

config firewall address
edit "winserver"
set subnet 192.168.20.6 255.255.255.255
next
end
config firewall policy
edit 32
set name "SSLVPNtoWinserver"
set srcintf "ssl.root"
set dstintf "port3"
set srcaddr "all"
set dstaddr "winserver"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set nat enable
set groups "KLHOME-ALLOWED-VPN"
next
end

With both the SSL VPN tunnel and web portals, the remote user can connect through the SSL VPN and access the
website at https://192.168.20.6. To monitor their access, go to Dashboard > Network and expand the SSL-VPN widget.

Migrating to ZTNA HTTPS access proxy

Both the SSL VPN tunnel and web portals can be migrated into a ZTNA configuration using the same LDAP server and
user group for authentication. The ZTNA solution provides multi-factor authentication using the client certificate, and
additional security posture checks.


Instead of connecting to the SSL VPN tunnel or web portal, the remote user connects to the HTTPS access proxy that
forwards traffic to the web server after authentication and security posture checks are completed. This provides granular
control over who can access the web resource using role-based access control. It also gives the user transparent access
to the website using only their browser.
For more information, see ZTNA HTTPS access proxy example on page 377 and ZTNA HTTPS access proxy with basic
authentication example on page 386.

ZTNA troubleshooting and debugging

The following debug commands can be used to troubleshoot ZTNA issues:

Command                                                     Description
# diagnose endpoint fctems test-connectivity <EMS>          Verify FortiGate to FortiClient EMS connectivity.
# execute fctems verify <EMS>                               Verify the FortiClient EMS's certificate.
# diagnose test application fcnacd 2                        Dump the EMS connectivity information.
# diagnose debug app fcnacd -1                              Run real-time FortiClient NAC daemon debugs.
# diagnose debug enable
# diagnose endpoint record list <ip>                        Show the endpoint record list. Optionally, filter by the endpoint IP address.
# diagnose endpoint wad-comm find-by uid <uid>              Query endpoints by client UID.
# diagnose endpoint wad-comm find-by ip-vdom <ip> <vdom>    Query endpoints by the client IP-VDOM pair.
# diagnose wad dev query-by uid <uid>                       Query from WAD diagnose command by UID.
# diagnose wad dev query-by ipv4 <ip>                       Query from WAD diagnose command by IP address.
# diagnose firewall dynamic list                            List EMS ZTNA tags and all dynamic IP and MAC addresses.
# diagnose test application fcnacd 7                        Check the FortiClient NAC daemon ZTNA and route cache.
# diagnose test application fcnacd 8
# diagnose wad debug enable category all                    Run real-time WAD debugs.
# diagnose wad debug enable level verbose
# diagnose debug enable
# diagnose debug reset                                      Reset debugs when completed.


The WAD daemon handles proxy related processing. The FortiClient NAC daemon (fcnacd)
handles FortiGate to EMS connectivity.

Troubleshooting usage and output

1. Verify the FortiGate to EMS connectivity and EMS certificate:
# diagnose endpoint fctems test-connectivity WIN10-EMS
Connection test was successful:
# execute fctems verify WIN10-EMS
Server certificate already verified.
# diagnose test application fcnacd 2
EMS context status:
FortiClient EMS number 1:
name: WIN10-EMS confirmed: yes
fetched-serial-number: FCTEMS0000109188
Websocket status: connected

2. If fcnacd does not report the proper status, run real-time fcnacd debugs:
# diag debug app fcnacd -1
# diag debug enable

3. Verify the following information about an endpoint:
l Network information
l Registration information
l Client certificate information
l Device information
l Vulnerability status
l Relative position with the FortiGate
# diagnose endpoint record list 10.6.30.214
Record #1:
IP Address = 10.6.30.214
MAC Address = 00:0c:29:ba:1e:61
MAC list = 00:0c:29:ba:1e:61;00:0c:29:ba:1e:6b;
VDOM = root (0)
EMS serial number: FCTEMS8821001322
Client cert SN: 17FF6595600A1AF53B87627AB4EBEDD032593E64
Quarantined: no
Online status: online
Registration status: registered
On-net status: on-net
Gateway Interface: port2
FortiClient version: 7.0.0
AVDB version: 84.778
FortiClient app signature version: 18.43
FortiClient vulnerability scan engine version: 2.30
FortiClient UID: 5FCFA3ECDE4D478C911D9232EC9299FD
Host Name: ADPC

Number of Routes: (1)
Gateway Route #0:
- IP:10.1.100.214, MAC: 00:0c:29:ba:1e:6b, Indirect: no
- Interface:port2, VFID:0, SN: FG5H1E5819902474
online records: 1; offline records: 0; quarantined records: 0

4. Query the endpoint information, including ZTNA tags, by UID or IP address:
# diagnose endpoint wad-comm find-by uid 5FCFA3ECDE4D478C911D9232EC9299FD
UID: 5FCFA3ECDE4D478C911D9232EC9299FD
status code:ok
Domain: qa.wangd.com
User: user1
Cert SN:17FF6595600A1AF53B87627AB4EBEDD032593E64
EMS SN: FCTEMS8821001322
Routes(1):
- route[0]: IP=10.1.100.214, VDom=root
Tags(3):
- tag[0]: name=ZT_OS_WIN
- tag[1]: name=all_registered_clients
- tag[2]: name=Medium
# diagnose endpoint wad-comm find-by ip-vdom 10.1.100.214 root
UID: 5FCFA3ECDE4D478C911D9232EC9299FD
status code:ok
Domain: qa.wangd.com
User: user1
Cert SN:17FF6595600A1AF53B87627AB4EBEDD032593E64
EMS SN: FCTEMS8821001322
Routes(1):
- route[0]: IP=10.1.100.214, VDom=root
Tags(3):
- tag[0]: name=ZT_OS_WIN
- tag[1]: name=all_registered_clients
- tag[2]: name=Medium

5. Query endpoint information from WAD by UID or IP address:
# diagnose wad dev query-by uid 5FCFA3ECDE4D478C911D9232EC9299FD
Attr of type=0, length=32, value(ascii)=5FCFA3ECDE4D478C911D9232EC9299FD
Attr of type=4, length=30, value(ascii)=MAC_FCTEMS8821001322_ZT_OS_WIN
Attr of type=4, length=26, value(ascii)=FCTEMS8821001322_ZT_OS_WIN
Attr of type=4, length=43, value(ascii)=MAC_FCTEMS8821001322_all_registered_clients
Attr of type=4, length=39, value(ascii)=FCTEMS8821001322_all_registered_clients
Attr of type=4, length=27, value(ascii)=MAC_FCTEMS8821001322_Medium
Attr of type=4, length=23, value(ascii)=FCTEMS8821001322_Medium
Attr of type=5, length=18, value(ascii)[email protected]
Attr of type=6, length=40, value(ascii)=17FF6595600A1AF53B87627AB4EBEDD032593E64
# diagnose wad dev query-by ipv4 10.1.100.214
Attr of type=0, length=32, value(ascii)=5FCFA3ECDE4D478C911D9232EC9299FD
Attr of type=4, length=30, value(ascii)=MAC_FCTEMS8821001322_ZT_OS_WIN
Attr of type=4, length=26, value(ascii)=FCTEMS8821001322_ZT_OS_WIN
Attr of type=4, length=43, value(ascii)=MAC_FCTEMS8821001322_all_registered_clients
Attr of type=4, length=39, value(ascii)=FCTEMS8821001322_all_registered_clients
Attr of type=4, length=27, value(ascii)=MAC_FCTEMS8821001322_Medium
Attr of type=4, length=23, value(ascii)=FCTEMS8821001322_Medium

Attr of type=5, length=18, value(ascii)[email protected]
Attr of type=6, length=40, value(ascii)=17FF6595600A1AF53B87627AB4EBEDD032593E64

6. List all the dynamic ZTNA IP and MAC addresses learned from EMS:
# diagnose firewall dynamic list
List all dynamic addresses:
FCTEMS0000109188_all_registered_clients: ID(51)
ADDR(172.17.194.209)
ADDR(192.168.40.8)

FCTEMS0000109188_Low: ID(78)
ADDR(172.17.194.209)
ADDR(192.168.40.8)

FCTEMS0000109188_Malicious-File-Detected: ID(190)
ADDR(172.17.194.209)
ADDR(192.168.40.8)

7. Check the FortiClient NAC daemon ZTNA and route cache:
# diagnose test application fcnacd 7
ZTNA Cache:
-uid 5FCFA3ECDE4D478C911D9232EC9299FD: { "tags": [ "ZT_OS_WIN", "all_registered_clients", "Medium" ], "domain": "qa.wangd.com", "user_name": "user1", "client_cert_sn": "17FF6595600A1AF53B87627AB4EBEDD032593E64", "owner": "[email protected]", "gateway_route_list": [ { "gateway_info": { "fgt_sn": "FG5H1E5819902474", "interface": "port2", "vdom": "root" }, "route_info": [ { "ip": "10.1.100.214", "mac": "00-0c-29-ba-1e-6b", "route_type": "direct" } ] } ], "ems_sn": "FCTEMS8821001322" }
# diagnose test application fcnacd 8
IP-VfID Cache:
IP: 10.1.100.206, vfid: 0, uid: 3DED29B54386416E9888F2DCBD2B9D21
IP: 10.1.100.214, vfid: 0, uid: 5FCFA3ECDE4D478C911D9232EC9299FD

8. Troubleshoot WAD with real-time debugs to understand how the proxy handled a client request:
# diagnose wad debug enable category all
# diagnose wad debug enable level verbose
# diagnose debug enable

[0x7fbd7a46bb60] Received request from client: 10.10.10.20:56312
GET / HTTP/1.1
Host: 192.168.2.86:8443
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36 Edg/89.0.774.57
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
[p:29957][s:458767][r:1] wad_http_marker_uri(1269): path=/ len=1
[p:29957][s:458767][r:1] wad_http_parse_host(1641): host_len=17
[p:29957][s:458767][r:1] wad_http_parse_host(1677): len=12
[p:29957][s:458767][r:1] wad_http_parse_host(1686): len=4
[p:29957][s:458767][r:1] wad_http_str_canonicalize(2180): path=/ len=1 changes=0
[p:29957][s:458767][r:1] wad_http_str_canonicalize(2189): path=/ len=1 changes=0
[p:29957][s:458767][r:1] wad_http_normalize_uri(2232): host_len=12 path_len=1 query_len=0
[p:29957][s:458767][r:1] wad_vs_proxy_match_gwy(2244): 6:WIN2K16-P1: matching gwy with vhost(_def_virtual_host_)
[p:29957][s:458767][r:1] wad_vs_proxy_match_vhost(2293): 6:WIN2K16-P1: matching vhost by: 192.168.2.86
[p:29957][s:458767][r:1] wad_vs_matcher_map_find(477): Empty matcher!
[p:29957][s:458767][r:1] wad_vs_proxy_match_vhost(2296): 6:WIN2K16-P1: no host matched.
[p:29957][s:458767][r:1] wad_vs_proxy_match_gwy(2263): 6:WIN2K16-P1: matching gwy by (/) with vhost(_def_virtual_host_).
[p:29957][s:458767][r:1] wad_pattern_matcher_search(1210): pattern-match succ:/
[p:29957][s:458767][r:1] wad_vs_proxy_match_gwy(2271): 6:WIN2K16-P1: Matched gwy(1) type(https).
[p:29957][s:458767][r:1] wad_http_vs_check_dst_ovrd(776): 6:WIN2K16-P1:1: Found server: 192.168.20.6:443
[p:29957][s:458767][r:1] wad_http_req_exec_act(9296): dst_addr_type=3 wc_nontp=0 sec_web=1 web_cache=0 req_bypass=0
[p:29957][s:458767][r:1] wad_http_req_check_policy(8117): starting policy matching(vs_pol= 1):10.10.10.20:56312->192.168.20.6:443
[p:29957][s:458767][r:1] wad_fw_addr_match_ap(1524): matching ap:WIN2K16(7) with vip addr:WIN2K16-P1(10)
[p:29957][s:458767][r:1] wad_fw_addr_match_ap(1524): matching ap:WIN2K16-P1(10) with vip addr:WIN2K16-P1(10)
[p:29957][s:458767][r:1] wad_http_req_policy_set(6811): match pid=29957 policy-id=2 vd=0 in_if=3, out_if=7 10.10.10.20:56312 -> 192.168.20.6:443
[p:29957][s:458767][r:1] wad_cifs_profile_init(93): CIFS Profile 0x7fbd7a5bf200 [] of type 0 created
[p:29957][s:458767][r:1] wad_http_req_proc_policy(6622): web_cache(http/https=0/0, fwd_srv=<nil>.
[p:29957][s:458767][r:1] wad_auth_inc_user_count(1668): increased user count, quota:128000, n_shared_user:2, vd_used: 2, vd_max: 0, vd_gurantee: 0
[p:29957][s:458767][r:1] __wad_fmem_open(563): fmem=0xaaee3e8, fmem_name='cmem 336 bucket', elm_sz=336, block_sz=73728, overhead=20, type=advanced
[p:29957][s:458767][r:1] __wad_hauth_user_node_hold(2107): wad_hauth_user_node_alloc(1568): holding node 0x7fbd76d48060
mapping user_node:0x7fbd76d48060, user_ip:0x7fbd7a57b408(0), user:0x7fbd7a5cf420(0)
[p:29957][s:458767][r:1] __wad_hauth_user_node_hold(2107): wad_user_node_stats_hold(483): holding node 0x7fbd76d48060
[p:29957][s:458767][r:1] __wad_hauth_user_node_hold(2107): wad_http_session_upd_user_node(4813): holding node 0x7fbd76d48060
[p:29957][s:458767][r:1] wad_http_req_proc_policy(6698): policy result:vf_id=0:0 sec_profile=0x7fbd7a5bef00 set_cookie=0
[p:29957][s:458767][r:1] wad_http_urlfilter_check(381): uri_norm=1 inval_host=0 inval_url=0 scan-hdr/body=1/0 url local=0 block=0 user-cat=0 allow=0 ftgd=0 keyword=0 wisp=0
[p:29957][s:458767][r:1] wad_http_req_proc_waf(1309): req=0x7fbd7a46bb60 ssl.deep_scan=1 proto=10 exempt=0 waf=(nil) body_len=0 ua=Chrome/89.0.4389.90 skip_scan=0
[p:29957][s:458767][r:1] wad_http_req_proc_antiphish(5376): Processing antiphish request
[p:29957][s:458767][r:1] wad_http_req_proc_antiphish(5379): No profile
[p:29957][s:458767][r:1] wad_http_connect_server(4696): http session 0x7fbd7a532ac8 req=0x7fbd7a46bb60
[p:29957][s:458767][r:1] wad_http_srv_still_good(4575): srv((nil)) nontp(0) dst_type(3)
req: dst:192.168.20.6:443, proto:10)
hcs: dst:N/A:0, proto:1)

Always reset the debugs after using them:
# diagnose debug reset


ZTNA logging enhancements - 7.0.1

The ZTNA log subtype is added to UTM logs and a traffic log ID is added for ZTNA related traffic.
There are six events that generate logs in the subtype:
1. Received an empty client certificate
2. Received a client certificate that fails to validate
3. API gateway cannot be matched
4. None of the real servers can be reached
5. ZTNA rule (proxy policy) cannot be matched
6. HTTPS SNI virtual host does not match the HTTP host header

ZTNA related traffic will generate logs when logging all allowed traffic is enabled in the policy.

To enable logging all traffic in a policy in the GUI:

1. Go to Policy & Objects > Firewall Policy and edit a policy.


2. Set Log Allowed Traffic to All Sessions.
3. Click OK.

To enable logging all traffic in a policy in the CLI:

config firewall policy
edit <policy number>
...
set logtraffic all
next
end

Log samples

A client PC (10.1.100.206) is connected to port2 on the FortiGate. The FortiGate is also connected to a FortiClient EMS,
and a real server that is defined in the ZTNA server API gateway.
l Access proxy server: zs2
l Access proxy VIP: zv2
l Access proxy VIP external IP address: 172.18.62.112
l Mapped real server IP address: 172.18.60.65

UTM and traffic log samples for each of the six event types:

1. Received an empty client certificate:
When connecting to the ZTNA access proxy, the client did not send a client certificate to the FortiGate for
verification. The empty certificate is disallowed and blocked.
Traffic log:
1: date=2021-06-09 time=16:36:54 eventtime=1623281814371412983 tz="-0700"
logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root"
srcip=10.1.100.206 srcport=56494 srcintf="port2" srcintfrole="undefined"
dstip=172.18.62.112 dstport=443 dstintf="root" dstintfrole="undefined"
srccountry="Reserved" dstcountry="Reserved" sessionid=21453 proto=6 action="deny"
policyid=5 policytype="policy" poluuid="b4d4c466-8b64-51eb-2292-5defbb0e34e5"
policyname="ztna" service="HTTPS" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0
sentpkt=0 rcvdpkt=0 appcat="unscanned" utmaction="block" countztna=1 msg="Denied: empty
client certificate" utmref=65483-0

UTM log:
1: date=2021-06-09 time=16:36:54 eventtime=1623281814371409480 tz="-0700"
logid="2100060500" type="utm" subtype="ztna" eventtype="ztna-clt-cert" level="warning"
vd="root" msg="Client sends an empty certificate" policyid=5 sessionid=21453
srcip=10.1.100.206 dstip=172.18.62.112 srcport=56494 dstport=443 srcintf="port2"
srcintfrole="undefined" dstintf="root" dstintfrole="undefined" proto=6 action="blocked"
service="HTTPS" vip="zv2" accessproxy="zs2"

2. Received a client certificate that fails to validate:
When connecting to the ZTNA access proxy, the client sends a client certificate to the FortiGate for verification, but
the certificate fails validation.
Traffic log:
2: date=2021-06-09 time=15:06:47 eventtime=1623276407372012365 tz="-0700"
logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root"
srcip=10.1.100.206 srcport=55910 srcintf="port2" srcintfrole="undefined"
dstip=172.18.62.112 dstport=443 dstintf="root" dstintfrole="undefined"
srccountry="Reserved" dstcountry="Reserved" sessionid=16810 proto=6 action="deny"
policyid=5 policytype="policy" poluuid="b4d4c466-8b64-51eb-2292-5defbb0e34e5"
policyname="ztna" service="HTTPS" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0
sentpkt=0 rcvdpkt=0 appcat="unscanned" utmaction="block" countztna=1 msg="Denied: client
certificate authentication failed" utmref=65491-0

UTM log:
1: date=2021-06-09 time=15:06:47 eventtime=1623276407372009447 tz="-0700"
logid="2100060501" type="utm" subtype="ztna" eventtype="ztna-clt-cert" level="warning"
vd="root" msg="Client certificate has security problem" policyid=5 sessionid=16810
srcip=10.1.100.206 dstip=172.18.62.112 srcport=55910 dstport=443 srcintf="port2"
srcintfrole="undefined" dstintf="root" dstintfrole="undefined" proto=6 action="blocked"
service="HTTPS" vip="zv2" accessproxy="zs2" desc="cert auth failed, cert-
cn:qa.wangd.com, cert-issuer:qa.wangd.com, cert-status:failure "

3. API gateway cannot be matched:
When connecting to the ZTNA access proxy, the client tries to connect to an API gateway that does not match any
virtual host.
Traffic log:
1: date=2021-06-09 time=15:15:39 eventtime=1623276939601851410 tz="-0700"
logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root"
srcip=10.1.100.206 srcport=55974 srcintf="port2" srcintfrole="undefined"
dstip=172.18.62.112 dstport=443 dstintf="root" dstintfrole="undefined"
srccountry="Reserved" dstcountry="Reserved" sessionid=17152 proto=6 action="deny"
policyid=5 policytype="policy" poluuid="b4d4c466-8b64-51eb-2292-5defbb0e34e5"
policyname="ztna" service="HTTPS" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0
sentpkt=0 rcvdpkt=0 appcat="unscanned" utmaction="block" countztna=2 msg="Denied: failed to match an API-gateway" utmref=65490-0

UTM log:
2: date=2021-06-09 time=15:15:39 eventtime=1623276939601849940 tz="-0700"
logid="2102060522" type="utm" subtype="ztna" eventtype="ztna-error" level="warning"
vd="root" msg="Unable to match an API-gateway" policyid=5 sessionid=17152
srcip=10.1.100.206 dstip=172.18.62.112 srcport=55974 dstport=443 srcintf="port2"
srcintfrole="undefined" dstintf="root" dstintfrole="undefined" proto=6 action="blocked"
service="HTTPS" vip="zv2" accessproxy="zs2" desc="HTTP url
(https://qbcd.test.com/test123456) failed to match an API-gateway with vhost
(name/hostname:_def_virtual_host_/_def_virtual_host_)"

4. None of the real servers can be reached:
When connecting to the ZTNA access proxy, the client tries to connect to an API gateway but the real server cannot
be reached.
Traffic log:
1: date=2021-06-09 time=15:17:49 eventtime=1623277069371491908 tz="-0700"
logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root"
srcip=10.1.100.206 srcport=55988 srcintf="port2" srcintfrole="undefined"
dstip=172.18.62.112 dstport=443 dstintf="root" dstintfrole="undefined"
srccountry="Reserved" dstcountry="Reserved" sessionid=17233 proto=6 action="deny"
policyid=5 policytype="policy" poluuid="b4d4c466-8b64-51eb-2292-5defbb0e34e5"
policyname="ztna" service="HTTPS" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0
sentpkt=0 rcvdpkt=0 appcat="unscanned" utmaction="block" countztna=2 msg="Denied: failed
to match an API-gateway" utmref=65489-0

UTM log:
2: date=2021-06-09 time=15:17:49 eventtime=1623277069371490614 tz="-0700"
logid="2102060522" type="utm" subtype="ztna" eventtype="ztna-error" level="warning"
vd="root" msg="Unable to match an API-gateway" policyid=5 sessionid=17233
srcip=10.1.100.206 dstip=172.18.62.112 srcport=55988 dstport=443 srcintf="port2"
srcintfrole="undefined" dstintf="root" dstintfrole="undefined" proto=6 action="blocked"
service="HTTPS" vip="zv2" accessproxy="zs2" desc="HTTP url
(https://qbcd.test.com/test123456) failed to match an API-gateway with vhost
(name/hostname:_def_virtual_host_/_def_virtual_host_)"

5. ZTNA rule (proxy policy) cannot be matched:
When connecting to the ZTNA access proxy, no ZTNA rule (proxy policy) can be matched. For example, no ZTNA
rule matches the ZTNA tag assigned to the endpoint.
Traffic log:
1: date=2021-06-09 time=15:20:20 eventtime=1623277220133106783 tz="-0700"
logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root"
srcip=10.1.100.206 srcport=56010 srcintf="port2" srcintfrole="undefined"
dstip=172.18.62.112 dstport=443 dstintf="root" dstintfrole="undefined"
srccountry="Reserved" dstcountry="Reserved" sessionid=17456 proto=6 action="deny"
policyid=0 policytype="proxy-policy" service="HTTPS" trandisp="noop" duration=0
sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" utmaction="block"
countztna=2 msg="Denied: failed to match a proxy-policy" utmref=65488-26

UTM log:
2: date=2021-06-09 time=15:20:20 eventtime=1623277220133105204 tz="-0700"
logid="2101060510" type="utm" subtype="ztna" eventtype="ztna-policy-match"
level="warning" vd="root" msg="Connection is blocked due to unable to match a proxy-policy" policyid=0 sessionid=17456 srcip=10.1.100.206 dstip=172.18.62.112 srcport=56010
dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="root"
dstintfrole="undefined" proto=6 action="blocked" service="HTTPS" gatewayid=1 vip="zv2"
accessproxy="zs2"

6. HTTPS SNI virtual host does not match the HTTP host header:
Traffic log:
1: date=2021-06-09 time=15:24:25 eventtime=1623277465275004842 tz="-0700"
logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root"
srcip=10.1.100.206 srcport=56040 srcintf="port2" srcintfrole="undefined"
dstip=172.18.62.112 dstport=443 dstintf="root" dstintfrole="undefined"
srccountry="Reserved" dstcountry="Reserved" sessionid=17614 proto=6 action="deny"
policyid=5 policytype="policy" poluuid="b4d4c466-8b64-51eb-2292-5defbb0e34e5"
policyname="ztna" service="HTTPS" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0
sentpkt=0 rcvdpkt=0 appcat="unscanned" utmaction="block" countztna=2 msg="Denied: failed
to match an API-gateway" utmref=65486-0

UTM log:
2: date=2021-06-09 time=15:24:25 eventtime=1623277465275003194 tz="-0700"
logid="2102060522" type="utm" subtype="ztna" eventtype="ztna-error" level="warning"
vd="root" msg="Unable to match an API-gateway" policyid=5 sessionid=17614
srcip=10.1.100.206 dstip=172.18.62.112 srcport=56040 dstport=443 srcintf="port2"
srcintfrole="undefined" dstintf="root" dstintfrole="undefined" proto=6 action="blocked"
service="HTTPS" vip="zv2" accessproxy="zs2" desc="HTTP url (https://aq4.test.com/)
failed to match an API-gateway with vhost(name/hostname:_def_virtual_host_/_def_virtual_host_)"
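
The six log samples above can be parsed and correlated mechanically. The following added example (my own code, not code from the FortiOS guide or from Fortinet) splits the key=value records, classifies the ZTNA UTM log IDs shown in this section, and joins the traffic and UTM records of each denied session on sessionid; the sample records are shortened, constructed copies of the logs above.

```python
"""Parse FortiGate key=value log lines and classify ZTNA deny events.

Added example, not code from the FortiOS guide or from Fortinet. The sample
records are shortened, constructed copies of the traffic and UTM log samples
in this section, and the logid table is built only from the log IDs shown there.
"""
import re
from typing import Dict, List, Optional

# One field is key=value; values may be double-quoted and then contain spaces.
_FIELD_RE = re.compile(r'(\w+)=("((?:[^"\\]|\\.)*)"|\S+)')

# UTM log IDs from the ZTNA subtype samples above, mapped to the deny reason.
ZTNA_UTM_LOGIDS = {
    "2100060500": "empty client certificate",
    "2100060501": "client certificate failed validation",
    "2102060522": "no API gateway matched",
    "2101060510": "no ZTNA rule (proxy policy) matched",
}


def parse_log_line(line: str) -> Dict[str, str]:
    """Split one log record into a dict; drops the leading 'N: ' index that
    `execute log display` prints in front of each record."""
    line = re.sub(r"^\s*\d+:\s*", "", line.strip())
    fields: Dict[str, str] = {}
    for m in _FIELD_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def classify_ztna_event(fields: Dict[str, str]) -> Optional[str]:
    """Return the deny reason for a ZTNA UTM record, or None for any other log."""
    if fields.get("type") != "utm" or fields.get("subtype") != "ztna":
        return None
    return ZTNA_UTM_LOGIDS.get(
        fields.get("logid", ""), "unknown ZTNA event " + fields.get("eventtype", "?"))


def summarize_ztna_denies(lines: List[str]) -> Dict[str, Dict[str, Optional[str]]]:
    """Join traffic and UTM records on sessionid, so each denied session carries
    both the policy decision (traffic log) and the ZTNA reason (UTM log)."""
    sessions: Dict[str, Dict[str, Optional[str]]] = {}
    for line in lines:
        f = parse_log_line(line)
        sid = f.get("sessionid")
        if not sid:
            continue
        entry = sessions.setdefault(sid, {})
        if f.get("type") == "traffic":
            entry.update(srcip=f.get("srcip"), action=f.get("action"),
                         policyid=f.get("policyid"), policytype=f.get("policytype"),
                         traffic_msg=f.get("msg"))
        elif classify_ztna_event(f) is not None:
            entry.update(reason=classify_ztna_event(f), accessproxy=f.get("accessproxy"),
                         vip=f.get("vip"), desc=f.get("desc"))
    return sessions


# Constructed sample input: shortened copies of the section's log samples.
SAMPLE_LOGS = [
    # Event 1, session 21453: empty client certificate (traffic log, then UTM log).
    '1: date=2021-06-09 time=16:36:54 tz="-0700" logid="0000000013" type="traffic" '
    'subtype="forward" vd="root" srcip=10.1.100.206 srcport=56494 srcintf="port2" '
    'dstip=172.18.62.112 dstport=443 sessionid=21453 proto=6 action="deny" policyid=5 '
    'policytype="policy" policyname="ztna" service="HTTPS" utmaction="block" '
    'countztna=1 msg="Denied: empty client certificate" utmref=65483-0',
    '1: date=2021-06-09 time=16:36:54 tz="-0700" logid="2100060500" type="utm" '
    'subtype="ztna" eventtype="ztna-clt-cert" level="warning" vd="root" '
    'msg="Client sends an empty certificate" policyid=5 sessionid=21453 '
    'srcip=10.1.100.206 dstip=172.18.62.112 action="blocked" vip="zv2" accessproxy="zs2"',
    # Event 3, session 17152: no API gateway matched.
    '1: date=2021-06-09 time=15:15:39 logid="0000000013" type="traffic" subtype="forward" '
    'srcip=10.1.100.206 dstip=172.18.62.112 sessionid=17152 action="deny" policyid=5 '
    'policytype="policy" utmaction="block" countztna=2 '
    'msg="Denied: failed to match an API-gateway" utmref=65490-0',
    '2: date=2021-06-09 time=15:15:39 logid="2102060522" type="utm" subtype="ztna" '
    'eventtype="ztna-error" msg="Unable to match an API-gateway" policyid=5 '
    'sessionid=17152 action="blocked" vip="zv2" accessproxy="zs2" desc="HTTP url '
    '(https://qbcd.test.com/test123456) failed to match an API-gateway with '
    'vhost(name/hostname:_def_virtual_host_/_def_virtual_host_)"',
    # Event 5, session 17456: no proxy policy matched (policyid=0, policytype proxy-policy).
    '1: date=2021-06-09 time=15:20:20 logid="0000000013" type="traffic" subtype="forward" '
    'srcip=10.1.100.206 dstip=172.18.62.112 sessionid=17456 action="deny" policyid=0 '
    'policytype="proxy-policy" utmaction="block" countztna=2 '
    'msg="Denied: failed to match a proxy-policy" utmref=65488-26',
    '2: date=2021-06-09 time=15:20:20 logid="2101060510" type="utm" subtype="ztna" '
    'eventtype="ztna-policy-match" policyid=0 sessionid=17456 action="blocked" '
    'msg="Connection is blocked due to unable to match a proxy-policy" gatewayid=1 '
    'vip="zv2" accessproxy="zs2"',
]

if __name__ == "__main__":
    for sid, info in summarize_ztna_denies(SAMPLE_LOGS).items():
        print(sid, info["policytype"], "policyid=" + str(info["policyid"]),
              "->", info["reason"])
```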

Logical AND for ZTNA tag matching - 7.0.2

When specifying ZTNA tags in a rule, logical AND can be used for tag matching.
When editing a ZTNA rule:
l If Match ZTNA Tags is set to All the client must match all of the tags (logical AND).
l If Match ZTNA Tags is set to Any the client can match any of the tags (logical OR).
In these examples, there are two PCs with FortiClient: PC120 at 10.1.100.120 and PC117 at 10.1.100.117. There are
two ZTNA EMS tags: ems138_av_tag and ems138_running_app_tag. PC120 has both of them, and PC117 only has
one.
It is assumed that ZTNA has already been configured. For information, see Zero Trust Network Access in the FortiOS
Administration Guide.


Logical AND example

To configure a ZTNA rule that requires both ZTNA EMS tags in the GUI:

1. Go to Policy & Objects > ZTNA, select the ZTNA Rules tab, and click Create New.
2. Configure the rule, adding both ZTNA EMS tags to ZTNA Tag, and setting Match ZTNA Tags to All.

3. Click OK.

To configure a ZTNA rule that requires both ZTNA EMS tags in the CLI:

config firewall proxy-policy
edit 1
set name "r1"
set proxy access-proxy
set access-proxy "ZTNA_S1"
set srcintf "port2"
set srcaddr "all"
set dstaddr "all"
set ztna-ems-tag "FCTEMS8821001056_ems138_av_tag" "FCTEMS8821001056_ems138_running_app_tag"
set ztna-tags-match-logic and
set action accept
set schedule "always"
next
end

To check the results:

l PC117 only has one tag, so ZTNA traffic is blocked:
# diagnose test application fcnacd 7

ZTNA Cache V2:

Entry #2:

- UID: 083078C718674C72B7C8CA0C09EB99C7
- Domain:
- User: frank_117
- Owner:
- Certificate SN: 03CBD682154035C5E5FEA27F83DFC8F7398CDC60
- EMS SN: FCTEMS8821001056
- online: true
- Routes (2):
-- Route #0: IP=10.1.100.117, vfid=0
- Tags (4):
-- Tag (#0): Low
-- Tag (#1): all_registered_clients
-- Tag (#2): ems138_av_tag
-- Tag (#3): ems138_management_tag
lls_idx_mask = 0x00000001,

The WAD debug shows:
[V][p:296][s:413990][r:117440514] wad_fw_policy_match_dev_grp :4651 dev tag matching, info=0x7efff2ea7430, tag_cnt=8, on_line=1,conf ems-tag size=2
[V][p:296][s:413990][r:117440514] wad_dev_addr_match :275 conf tag name:FCTEMS8821001056_ems138_av_tag(30) matched, id=12! <----HERE
[V][p:296][s:413990][r:117440514] wad_fw_policy_match_dev_grp :4687 pol_id = 1 unmatched dev id = 12
[V][p:296][s:413990][r:117440514] wad_fw_policy_match_dev :4705 pol_id = 1 matched = 0
[V][p:296][s:413990][r:117440514] wad_fw_addr_match_ap :1035 matching ap:ZTNA_S2(7) with vip addr:ZTNA_S1(7)
[I][p:296][s:413990][r:117440514] wad_http_req_policy_set :8009 match pid=296 policy-id=0 vd=0 in_if=4, out_if=13 10.1.100.117:49341 -> 172.18.62.27:443
[V][p:296][s:413990][r:117440514] wad_https_ap_pol_info_get :7946 policy info created, req=0x7efff02b6048, ses_ctx=0x7efff2f2e3a8, info=0x7efff32a8288
[I][p:296][s:413990][r:117440514] wad_http_req_proc_policy :7735 web_cache (http/https=0/0, fwd_srv=<nil>.
[E][p:296][s:413990][r:117440514] wad_http_req_proc_policy :7755 POLICY DENIED

l PC120 has both tags, so ZTNA traffic is passed:
# diagnose test application fcnacd 7

ZTNA Cache V2:

Entry #1:

- UID: 5721ED0374564878BFA1725C5555CEBA
- Domain: fortios.local131
- User: tester1
- Owner:
- Certificate SN: 48EC63DCF1234D41AEE2B4301017F74893FC291A
- EMS SN: FCTEMS8821001056
- online: true
- Routes (2):
-- Route #0: IP=10.1.100.120, vfid=0

- Tags (6):
-- Tag (#0): ems138_running_app_tag
-- Tag (#1): all_registered_clients
-- Tag (#2): ems138_av_tag
-- Tag (#3): ems138_vulnerability_tag
-- Tag (#4): ems138_management_tag
-- Tag (#5): Low
lls_idx_mask = 0x00000001,

The WAD debug shows:
[V][p:293][s:413402][r:67108866] wad_fw_policy_match_dev_grp :4651 dev tag matching, info=0x7f918e62e608, tag_cnt=12, on_line=1,conf ems-tag size=2
[V][p:293][s:413402][r:67108866] wad_dev_addr_match :275 conf tag name:FCTEMS8821001056_ems138_av_tag(30) matched, id=12!
[V][p:293][s:413402][r:67108866] wad_dev_addr_match :275 conf tag name:FCTEMS8821001056_ems138_running_app_tag(39) matched, id=13!
[V][p:293][s:413402][r:67108866] wad_fw_policy_match_dev :4705 pol_id = 1 matched = 1
[I][p:293][s:413402][r:67108866] wad_http_req_policy_set :8009 match pid=293 policy-id=1 vd=0 in_if=4, out_if=13 10.1.100.120:57150 -> 172.18.62.27:443

Logical OR example

To configure a ZTNA rule that requires one of the ZTNA EMS tags in the GUI:

1. Go to Policy & Objects > ZTNA, select the ZTNA Rules tab, and click Create New.
2. Configure the rule, adding both ZTNA EMS tags to ZTNA Tag, and setting Match ZTNA Tags to Any.
3. Click OK.

To configure a ZTNA rule that requires one of the ZTNA EMS tags in the CLI:

config firewall proxy-policy
edit 1
set name "r1"
set proxy access-proxy
set access-proxy "ZTNA_S1"
set srcintf "wan2"
set srcaddr "all"
set dstaddr "all"
set ztna-ems-tag "FCTEMS8821001056_ems138_av_tag" "FCTEMS8821001056_ems138_running_app_tag"
set ztna-tags-match-logic or
set action accept
set schedule "always"
next
end

To check the results:

Traffic on both PC120 and PC117 is passed successfully.

The WAD debugs show:
[V][p:294][s:650635][r:83886096] wad_fw_policy_match_dev_grp :4651 dev tag matching, info=0x7f863d7e3430, tag_cnt=8, on_line=1,conf ems-tag size=2
[V][p:294][s:650635][r:83886096] wad_fw_policy_match_dev_grp :4666 pol_id = 1 matched dev id = 18
[V][p:294][s:650635][r:83886096] wad_fw_policy_match_dev :4705 pol_id = 1 matched = 1
[I][p:294][s:650635][r:83886096] wad_http_req_policy_set :8009 match pid=294 policy-id=1 vd=0 in_if=4, out_if=13 10.1.100.117:55597 -> 172.18.62.27:443
[V][p:294][s:650635][r:83886096] wad_https_ap_pol_info_get :7946 policy info created, req=0x7f863d90a048, ses_ctx=0x7f863fc79ad8, info=0x7f863d7f7bb0
[V][p:290][s:650172][r:16777220] wad_fw_policy_match_dev_grp :4651 dev tag matching, info=0x7f1ad65a1228, tag_cnt=12, on_line=1,conf ems-tag size=2
[V][p:290][s:650172][r:16777220] wad_fw_policy_match_dev_grp :4666 pol_id = 1 matched dev id = 18
[V][p:290][s:650172][r:16777220] wad_fw_policy_match_dev :4705 pol_id = 1 matched = 1
[I][p:290][s:650172][r:16777220] wad_http_req_policy_set :8009 match pid=290 policy-id=1 vd=0 in_if=4, out_if=13 10.1.100.120:50865 -> 172.18.62.27:443
[V][p:290][s:650172][r:16777220] wad_https_ap_pol_info_get :7946 policy info created, req=0x7f1ad3ef1048, ses_ctx=0x7f1ad652ead8, info=0x7f1ad3e76048

Implicitly generate a firewall policy for a ZTNA rule - 7.0.2

The firewall policy to forward traffic to the access proxy VIP is implicitly generated based on the ZTNA rule configuration,
and does not need to be manually created.
To configure a ZTNA access proxy in the GUI, create the ZTNA server and then use the server in a ZTNA rule. Rules
must include a source interface to indicate where the traffic is sourced from.
When upgrading to FortiOS 7.0.2, the ZTNA rule source interface will be set to any and all full ZTNA firewall policies will
automatically be removed.
To perform IP/MAC filtering with ZTNA tags in a firewall policy, assign tags in the IP/MAC Based Access Control field.
The toggle to select Full ZTNA or IP/MAC filtering is removed.

These examples assume that the FortiGate EMS fabric connector is already successfully connected.

Example 1 - Configuring a ZTNA HTTPS access proxy

In this example, a ZTNA access proxy is configured for HTTP access to the Web server from a remote endpoint.

To configure the ZTNA server in the GUI:

1. Go to Policy & Objects > ZTNA, select the ZTNA Servers tab, and click Create New.
2. Set Name to WIN2K16-P1.
3. Configure the Network settings:
a. Set External interface to port1.
b. Set External IP to 192.168.2.86.
c. Set External port to 8443.
4. Select a Default certificate. Clients will be presented with this certificate when they connect to the access proxy VIP.
5. Add a server mapping:
a. In the Service/server mapping table click Create New.
b. Set Service to HTTPS.
c. Set Virtual Host to Any Host.
d. Add a server:
i. In the Servers table click Create New.
ii. Set IP to 192.168.20.6.
iii. Set Port to 443.
iv. Set Status as Active.
v. Click OK.
e. Click OK.
6. Click OK.

To configure a ZTNA rule in the GUI:

1. Go to Policy & Objects > ZTNA, select the ZTNA Rules tab, and click Create New.
2. Set Name to proxy-WIN2K16-P1.
3. Set Incoming Interface to port1.
4. Set Source to all.
5. In ZTNA Tag add Low.
6. In ZTNA Server add WIN2K16-P1.
7. Set Destination to all.
8. Set Action to ACCEPT.

9. Configure the remaining options as needed.
10. Click OK.

To configure HTTPS access in the CLI:

1. Configure the access proxy VIP:

config firewall vip
    edit "WIN2K16-P1"
        set type access-proxy
        set extip 192.168.2.86
        set extintf "port1"
        set server-type https
        set extport 8443
        set ssl-certificate "Fortinet_SSL"
    next
end

2. Configure the server and path mapping:

config firewall access-proxy
    edit "WIN2K16-P1"
        set vip "WIN2K16-P1"
        set client-cert enable
        config api-gateway
            edit 1
                config realservers
                    edit 1
                        set ip 192.168.20.6
                    next
                end
            next
        end
    next
end

3. Configure the ZTNA rule:

config firewall proxy-policy
    edit 1
        set name "proxy-WIN2K16-P1"
        set proxy access-proxy
        set access-proxy "WIN2K16-P1"
        set srcintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set ztna-ems-tag "FCTEMS0000109188_Low"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end

To test the remote access to the HTTPS access proxy:

1. On the remote endpoint, open FortiClient.
2. On the Zero Trust Telemetry tab, make sure that you are connected to the EMS server.
3. Open a browser and go to the address of the server, in this case https://winserver.fgdocs.com:8443, which resolves to 192.168.2.86:8443.
4. The browser prompts for the client certificate to use. Select the EMS signed certificate then click OK.
The client is verified by the FortiGate to authenticate your identity.
The FortiGate matches your security posture by verifying your ZTNA tag and matching the corresponding ZTNA
rule, and you are allowed access to the web server.
5. Check the access in the Traffic log on the FortiGate:
# execute log filter category 0
# execute log display

1: date=2021-10-17 time=23:45:42 eventtime=1634539543024700086 tz="-0700"
logid="0001000014" type="traffic" subtype="local" level="notice" vd="root"
srcip=10.10.10.20 srcport=65474 srcintf="port1" srcintfrole="wan" dstip=192.168.2.86
dstport=8443 dstintf="root" dstintfrole="undefined" srcuuid="5445be2e-5d7b-51ea-e2c3-
ae6b7855c52f" srccountry="Reserved" dstcountry="Reserved" sessionid=278276 proto=6
action="close" policyid=1 policytype="proxy-policy" poluuid="1aafa942-2fdc-51ec-b89f-
47fb64264865" policyname="proxy-WIN2K16-P1" service="tcp/8443" trandisp="noop"
app="tcp/8443" duration=18 sentbyte=5606 rcvdbyte=108762 sentpkt=47 rcvdpkt=80
appcat="unscanned" mastersrcmac="08:5b:0e:ea:7f:d4" srcmac="08:5b:0e:ea:7f:d4"
srcserver=0

Example 2 - Configuring a policy to perform posture checks using ZTNA tags

In this example, IP/MAC based access control is configured to allow traffic from an internal subnet when the endpoint is
tagged as Low risk.

To configure a firewall policy to use IP/MAC based access control in the GUI:

1. Go to Policy & Objects > Firewall Policy and click Create New.
2. Set Name to allow-internal-access.
3. Set Incoming Interface to default.35.
4. Set Outgoing Interface to port3.
5. Set Source to all.
6. In IP/MAC Based Access Control add the ZTNA tag Low.
7. Set Destination to all.
8. Set Service to ALL.
9. Set Action to ACCEPT.
10. Enable Log Allowed Traffic and set it to All Sessions.
11. Configure the remaining options as needed.
12. Click OK.

To configure a firewall policy to use IP/MAC based access control in the CLI:

config firewall policy
    edit 30
        set name "allow-internal-access"
        set srcintf "default.35"
        set dstintf "port3"
        set action accept
        set ztna-status enable
        set srcaddr "all"
        set dstaddr "all"
        set ztna-ems-tag "FCTEMS0000109188_Low"
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set logtraffic all
        set nat enable
    next
end

To test the access to the web server from the on-net client endpoint:

1. On the on-net endpoint, open FortiClient.
2. On the Zero Trust Telemetry tab, make sure that you are connected to the EMS server.
3. Open a browser and go to the address of the server.
The FortiGate matches your security posture by verifying your ZTNA tag and matching the corresponding firewall
policy (allow-internal-access), and you are allowed access to the web server.
4. Check the access in the Traffic log on the FortiGate:
# execute log filter category 0
# execute log filter field dstip 192.168.20.6
# execute log display

1: date=2021-10-18 time=09:17:19 eventtime=1634573839454698399 tz="-0700"
logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root"
srcip=192.168.40.6 srcname="Fortinet-KeithL" srcport=62756 srcintf="default.35"
srcintfrole="undefined" dstip=192.168.20.6 dstport=443 dstintf="port3"
dstintfrole="undefined" srcuuid="5445be2e-5d7b-51ea-e2c3-ae6b7855c52f"
dstuuid="5445be2e-5d7b-51ea-e2c3-ae6b7855c52f" srccountry="Reserved"
dstcountry="Reserved" sessionid=330678 proto=6 action="close" policyid=30
policytype="policy" poluuid="8f6ea492-9034-51eb-f197-c00d803b7489" policyname="allow-
internal-access" service="HTTPS" trandisp="snat" transip=192.168.20.5 transport=62756
duration=6 sentbyte=3468 rcvdbyte=107732 sentpkt=50 rcvdpkt=80
fctuid="F4F3263AEBE54777A6509A8FCCDF9284" unauthuser="keithli"
unauthusersource="forticlient" appcat="unscanned" mastersrcmac="24:b6:fd:fa:54:c1"
srcmac="24:b6:fd:fa:54:c1" srcserver=0 dstosname="Windows" dstswversion="10"
masterdstmac="52:54:00:e3:4c:1a" dstmac="52:54:00:e3:4c:1a" dstserver=0

Posture check verification for active ZTNA proxy session - 7.0.2

Endpoint posture changes trigger active ZTNA proxy sessions to be re-verified and terminated if the endpoint is no
longer compliant with the ZTNA policy.
The FortiGate monitors changes to the endpoint tags that are updated by EMS with the fcnacd process. When a change
is detected, the endpoint's active ZTNA sessions must match the ZTNA policy again before data can pass.
Changes to the ZTNA policy, such as changing the ZTNA tag matching logic, will also trigger re-verification of the client
device against the policy.

The remote endpoint accesses the RDP server through the TCP forwarding access proxy. The proxy is managed by the
FortiClient EMS server, which has a ZTNA tagging rule that assigns the AV-enabled tag to endpoints that have Windows
antivirus enabled, and the Low risk host tag to endpoints that are low risk.
These examples assume that the FortiGate EMS fabric connector has already connected successfully, and a ZTNA
server named WIN2K16-P1-RDP that forwards traffic to the RDP server has been configured.

Example 1 - The ZTNA tag status changes on the endpoint

In this example, a ZTNA rule is configured to allow access for endpoints that have the AV-enabled tag. After an RDP
session is established, Windows antivirus is disabled on the remote endpoint. The FortiGate re-verifies the session and
the active RDP session is removed from the FortiGate session table, causing the RDP session to be disconnected.

To configure the ZTNA rule in the GUI:

1. Go to Policy & Objects > ZTNA, select the ZTNA Rules tab, and click Create New.
2. Set Name to TCP-forward-WIN2K16.
3. Set Incoming Interface to port1.
4. Set Source to all.
5. In ZTNA Tag add AV-enabled.
6. In ZTNA Server add WIN2K16-P1-RDP.
7. Set Destination to all.
8. Set Action to ACCEPT.
9. Configure the remaining options as needed.
10. Click OK.

To configure the ZTNA rule in the CLI:

config firewall proxy-policy
    edit 4
        set name "TCP-forward-WIN2K16"
        set proxy access-proxy
        set access-proxy "WIN2K16-P1-RDP"
        set srcintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set ztna-ems-tag "FCTEMS0000109188_AV-enabled"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end

To test the example:

1. On the remote endpoint, open FortiClient.
2. On the Zero Trust Telemetry tab, make sure that you are connected to the EMS server.
3. Add a ZTNA rule:
a. On the ZTNA Connection Rules tab, click Add Rule.
b. Configure the ZTNA rule:

Rule Name RDP-WIN2K16

Destination Host 192.168.20.6:3389

Proxy Gateway 192.168.2.86:443

Encryption Disabled

c. Click Create.
4. Ensure that the endpoint has Windows antivirus enabled.
5. Open an RDP session to connect to the RDP server at 192.168.20.6.
6. After a successful connection, on the FortiGate:
a. The endpoint is detected and marked with the AV-enabled tag:
# diagnose test application fcnacd 7

ZTNA Cache V2:

Entry #1:
- UID: F4F3263AEBE54777A6509A8FCCDF9284
- Domain:
- User: keithli
- Owner:
- Certificate SN: 1626C2C10E6AD97D71FA9E2D9C314C1F5C03D68B
- EMS SN: FCTEMS0000109188
- online: true
- Tags (3):
-- Tag (#0): AV-enabled
-- Tag (#1): all_registered_clients
-- Tag (#2): Low
lls_idx_mask = 0x00000001,

b. A session is created:
# diagnose sys session filter dst 192.168.2.86
# diagnose sys session filter src 10.10.10.25
# diagnose sys session list

session info: proto=6 proto_state=01 duration=191 expire=3599 timeout=3600
flags=00000000 socktype=0 sockport=1012 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
state=log local may_dirty f24
statistic(bytes/packets/allow_err): org=58031/376/1 reply=66864/351/1 tuples=2
tx speed(Bps/kbps): 303/2 rx speed(Bps/kbps): 349/2
orgin->sink: org pre->in, reply out->post dev=3->7/7->3 gwy=192.168.2.86/0.0.0.0
hook=pre dir=org act=noop 10.10.10.25:60668->192.168.2.86:443(0.0.0.0:0)
hook=post dir=reply act=noop 192.168.2.86:443->10.10.10.25:60668(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
src_mac=08:5b:0e:ea:7f:d4
misc=7 policy_id=4 pol_uuid_idx=14853 auth_info=0 chk_client_info=0 vd=0
serial=00000c0b tos=00/00 app_list=0 app=0 url_cat=0
sdwan_mbr_seq=0 sdwan_service_id=0
rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=n/a
npu_state=00000000
total session 1

c. The forward traffic log indicates that traffic is allowed:
# execute log filter category 0
# execute log filter field dstip 192.168.20.6
# execute log display
...
11: date=2021-10-18 time=11:22:16 eventtime=1634581336644493852 tz="-0700"
logid="0000000024" type="traffic" subtype="forward" level="notice" vd="root"
srcip=10.10.10.25 srcport=60660 srcintf="port1" srcintfrole="wan"
dstcountry="Reserved" srccountry="Reserved" dstip=192.168.20.6 dstport=3389
dstintf="root" dstintfrole="undefined" sessionid=2550 srcuuid="5445be2e-5d7b-51ea-
e2c3-ae6b7855c52f" service="RDP" proto=6 action="accept" policyid=4
policytype="proxy-policy" poluuid="ce8f82d0-8fb3-51eb-0a17-5e6a6a51ff27"
policyname="TCP-forward-WIN2K16" duration=0 wanin=1578 rcvdbyte=1578 wanout=1107
lanin=2788 sentbyte=2788 lanout=3750 srchwvendor="Fortinet" devtype="Network"
srcfamily="Firewall" osname="FortiOS" srchwversion="FortiWiFi-30E" appcat="unscanned"

7. On the remote endpoint, disable Windows antivirus.
FortiClient EMS detects the change and removes the AV-enabled tag from the FortiClient endpoint.
8. Due to the change in posture, the RDP session is disconnected:
a. The endpoint is no longer marked with the AV-enabled tag:
# diagnose test application fcnacd 7

ZTNA Cache V2:

Entry #1:
- UID: F4F3263AEBE54777A6509A8FCCDF9284
- Domain:
- User: keithli
- Owner:
- Certificate SN: 1626C2C10E6AD97D71FA9E2D9C314C1F5C03D68B
- EMS SN: FCTEMS0000109188
- online: true
- Tags (2):
-- Tag (#0): all_registered_clients
-- Tag (#1): Low
lls_idx_mask = 0x00000001,

b. The previous session is removed:
# diagnose sys session filter dst 192.168.2.86
# diagnose sys session filter src 10.10.10.25
# diagnose sys session list
total session 0

c. The forward traffic log indicates that traffic is denied:
# execute log display
7: date=2021-10-18 time=11:31:45 eventtime=1634581905530844852 tz="-0700"
logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root"
srcip=10.10.10.25 srcport=60668 srcintf="port1" srcintfrole="wan" dstip=192.168.20.6
dstport=3389 dstintf="root" dstintfrole="undefined" srcuuid="5445be2e-5d7b-51ea-e2c3-
ae6b7855c52f" dstuuid="5445be2e-5d7b-51ea-e2c3-ae6b7855c52f" srccountry="Reserved"
dstcountry="Reserved" sessionid=3083 proto=6 action="deny" policyid=4
policytype="proxy-policy" poluuid="ce8f82d0-8fb3-51eb-0a17-5e6a6a51ff27"
policyname="TCP-forward-WIN2K16" service="RDP" trandisp="noop" duration=0 sentbyte=0
rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" utmaction="block" countztna=1
msg="Denied: failed to match a proxy-policy" utmref=65349-5754

d. The ZTNA log indicates that traffic is denied:
# execute log filter category 21
# execute log display
6: date=2021-10-18 time=11:31:45 eventtime=1634581905530840484 tz="-0700"
logid="2101060510" type="utm" subtype="ztna" eventtype="ztna-policy-match"
level="warning" vd="root" msg="Connection is blocked due to unable to match a proxy-
policy" policyid=4 sessionid=3083 srcip=10.10.10.25 dstip=192.168.20.6 srcport=60668
dstport=3389 srcintf="port1" srcintfrole="wan" dstintf="root" dstintfrole="undefined"
proto=6 action="blocked" service="HTTPS" gatewayid=1 vip="WIN2K16-P1-RDP"
accessproxy="WIN2K16-P1-RDP" clientdeviceid="F4F3263AEBE54777A6509A8FCCDF9284"
clientdevicetags="MAC_FCTEMS0000109188_Low/FCTEMS0000109188_all_registered_
clients/MAC_FCTEMS0000109188_all_registered_clients/FCTEMS0000109188_Low"
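As an added example (not Fortinet code), a small parser for the key=value records that execute log display prints, run over constructed lines shortened from the traffic and ZTNA logs above: it pairs the traffic-log deny (countztna=1) with the ztna-policy-match UTM record for the same session and lists the device's EMS tags at the moment it was blocked.

```python
import re

# Constructed sample records in the key=value format that "execute log display"
# prints, shortened from the traffic and ZTNA log entries shown on this page.
SAMPLE_LOGS = [
    '11: date=2021-10-18 time=11:22:16 logid="0000000024" type="traffic" '
    'subtype="forward" srcip=10.10.10.25 dstip=192.168.20.6 dstport=3389 '
    'sessionid=2550 action="accept" policyid=4 policytype="proxy-policy" '
    'policyname="TCP-forward-WIN2K16" service="RDP"',
    '7: date=2021-10-18 time=11:31:45 logid="0000000013" type="traffic" '
    'subtype="forward" srcip=10.10.10.25 dstip=192.168.20.6 dstport=3389 '
    'sessionid=3083 action="deny" policyid=4 policytype="proxy-policy" '
    'policyname="TCP-forward-WIN2K16" service="RDP" utmaction="block" countztna=1 '
    'msg="Denied: failed to match a proxy-policy"',
    '6: date=2021-10-18 time=11:31:45 logid="2101060510" type="utm" subtype="ztna" '
    'eventtype="ztna-policy-match" level="warning" msg="Connection is blocked due '
    'to unable to match a proxy-policy" policyid=4 sessionid=3083 srcip=10.10.10.25 '
    'dstip=192.168.20.6 action="blocked" accessproxy="WIN2K16-P1-RDP" '
    'clientdeviceid="F4F3263AEBE54777A6509A8FCCDF9284" '
    'clientdevicetags="MAC_FCTEMS0000109188_Low/FCTEMS0000109188_all_registered_'
    'clients/MAC_FCTEMS0000109188_all_registered_clients/FCTEMS0000109188_Low"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
LOG_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log_line(line):
    """Turn one log record into a dict, dropping the leading 'N: ' index."""
    line = re.sub(r'^\s*\d+:\s*', '', line)
    return {key: quoted if quoted else bare
            for key, quoted, bare in LOG_PAIR.findall(line)}


def ems_tags(record):
    """Split clientdevicetags; MAC_-prefixed names are the MAC-keyed copies of
    the same EMS tags, so they are dropped to leave one name per tag."""
    names = [t for t in record.get("clientdevicetags", "").split("/") if t]
    return sorted({t for t in names if not t.startswith("MAC_")})


def ztna_denials(lines):
    """Return one alert per blocked session, joining the traffic-log deny
    (countztna=1) with the ZTNA UTM record that names the device and its tags."""
    alerts = {}
    for rec in map(parse_log_line, lines):
        traffic_deny = (rec.get("type") == "traffic" and rec.get("action") == "deny"
                        and rec.get("countztna") == "1")
        ztna_block = (rec.get("subtype") == "ztna"
                      and rec.get("eventtype") == "ztna-policy-match"
                      and rec.get("action") == "blocked")
        if not (traffic_deny or ztna_block):
            continue   # accepted sessions and unrelated records are ignored
        alert = alerts.setdefault(rec.get("sessionid"), {
            "sessionid": rec.get("sessionid"), "srcip": rec.get("srcip"),
            "dstip": rec.get("dstip"), "policy": None, "reason": None,
            "device": None, "tags": []})
        if traffic_deny:
            alert["policy"] = rec.get("policyname")
        if ztna_block:
            alert["reason"] = rec.get("msg")
            alert["device"] = rec.get("clientdeviceid")
            alert["tags"] = ems_tags(rec)
    return list(alerts.values())
```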

Example 2 - The ZTNA rule tag checking logic changes

In this example, a ZTNA rule is configured to allow access to endpoints that have at least one of the AV-enabled or Low
ZTNA tags. A remote user who has Windows antivirus disabled, but is low risk, successfully establishes an RDP session
over the ZTNA access proxy. An administrator changes the ZTNA rule's tag matching logic from Any to All, causing the
RDP session to be disconnected.

To configure the ZTNA rule in the GUI:

1. Go to Policy & Objects > ZTNA, select the ZTNA Rules tab.
2. Edit the TCP-forward-WIN2K16 rule.
3. In ZTNA Tag, add Low.
4. Ensure that Match ZTNA Tags is set to Any.
5. Click OK.

To configure the ZTNA rule in the CLI:

config firewall proxy-policy
    edit 4
        set name "TCP-forward-WIN2K16"
        set proxy access-proxy
        set access-proxy "WIN2K16-P1-RDP"
        set srcintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set ztna-ems-tag "FCTEMS0000109188_AV-enabled" "FCTEMS0000109188_Low"
        set ztna-tags-match-logic or
        set action accept
        set schedule "always"
        set logtraffic all
    next
end

To test the example:

1. On the remote Windows PC, disable antivirus protection.
2. Open an RDP session to connect to the RDP server at 192.168.20.6.
3. After a successful connection, on the FortiGate:
a. The endpoint is detected and marked with the Low tag, but not the AV-enabled tag:
# diagnose test application fcnacd 7

ZTNA Cache V2:

Entry #1:
- UID: F4F3263AEBE54777A6509A8FCCDF9284
- Domain:
- User: keithli
- Owner:
- Certificate SN: 1626C2C10E6AD97D71FA9E2D9C314C1F5C03D68B
- EMS SN: FCTEMS0000109188
- online: true
- Tags (2):
-- Tag (#0): all_registered_clients
-- Tag (#1): Low
lls_idx_mask = 0x00000001,

b. A session is created:
# diagnose sys session filter dst 192.168.2.86
# diagnose sys session filter src 10.10.10.25
# diagnose sys session list

session info: proto=6 proto_state=01 duration=29 expire=3598 timeout=3600
flags=00000000 socktype=0 sockport=1012 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
state=log local may_dirty f24
statistic(bytes/packets/allow_err): org=54763/299/1 reply=90223/313/1 tuples=2
tx speed(Bps/kbps): 1860/14 rx speed(Bps/kbps): 3064/24
orgin->sink: org pre->in, reply out->post dev=3->7/7->3 gwy=192.168.2.86/0.0.0.0
hook=pre dir=org act=noop 10.10.10.25:55147->192.168.2.86:443(0.0.0.0:0)
hook=post dir=reply act=noop 192.168.2.86:443->10.10.10.25:55147(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
src_mac=08:5b:0e:ea:7f:d4
misc=7 policy_id=4 pol_uuid_idx=14853 auth_info=0 chk_client_info=0 vd=0
serial=00003255 tos=00/00 app_list=0 app=0 url_cat=0
sdwan_mbr_seq=0 sdwan_service_id=0
rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=n/a

c. The forward traffic log indicates that traffic is allowed:
# execute log filter category 0
# execute log display
...
1: date=2021-10-18 time=12:46:01 eventtime=1634586361077487880 tz="-0700"
logid="0000000024" type="traffic" subtype="forward" level="notice" vd="root"
srcip=10.10.10.25 srcport=55140 srcintf="port1" srcintfrole="wan"
dstcountry="Reserved" srccountry="Reserved" dstip=192.168.20.6 dstport=3389
dstintf="root" dstintfrole="undefined" sessionid=12542 srcuuid="5445be2e-5d7b-51ea-
e2c3-ae6b7855c52f" service="RDP" proto=6 action="accept" policyid=4
policytype="proxy-policy" poluuid="ce8f82d0-8fb3-51eb-0a17-5e6a6a51ff27"
policyname="TCP-forward-WIN2K16" duration=138 wanin=140349 rcvdbyte=140349
wanout=47118 lanin=48799 sentbyte=48799 lanout=142521 appcat="unscanned"

4. On the FortiGate, edit the ZTNA rule TCP-forward-WIN2K16:
l In the GUI, set Match ZTNA Tags to All.
l In the CLI, set ztna-tags-match-logic to and.
5. Due to the ZTNA rule update, the FortiGate re-verifies the session, and the RDP session is disconnected:
a. The previous session is removed:
# diagnose sys session filter dst 192.168.2.86
# diagnose sys session filter src 10.10.10.25
# diagnose sys session list
total session 0

b. The ZTNA log indicates that traffic is denied:
# execute log filter category 21
# execute log display
1: date=2021-10-18 time=12:53:57 eventtime=1634586837921889075 tz="-0700"
logid="2101060510" type="utm" subtype="ztna" eventtype="ztna-policy-match"
level="warning" vd="root" msg="Connection is blocked due to unable to match a proxy-
policy" policyid=0 sessionid=13865 srcip=10.10.10.25 dstip=192.168.2.86 srcport=55162
dstport=443 srcintf="port1" srcintfrole="wan" dstintf="root" dstintfrole="undefined"
proto=6 action="blocked" service="HTTPS" gatewayid=1 vip="WIN2K16-P1-RDP"
accessproxy="WIN2K16-P1-RDP" clientdeviceid="F4F3263AEBE54777A6509A8FCCDF9284"
clientdevicetags="MAC_FCTEMS0000109188_Low/FCTEMS0000109188_all_registered_
clients/MAC_FCTEMS0000109188_all_registered_clients/FCTEMS0000109188_Low"
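The tag matching and re-verification behaviour shown in the logical OR example and in the two posture-check examples above, modelled as an added Python example (not FortiGate or Fortinet code): rule_matches evaluates ztna-ems-tag with or/and logic, and AccessProxy re-checks every active session when fcnacd reports new endpoint tags or when an administrator changes the rule's matching logic. Rule and tag names come from the page; the endpoint cache entries are constructed sample data.

```python
from dataclasses import dataclass


@dataclass
class ZtnaRule:
    """One firewall proxy-policy entry (a ZTNA rule)."""
    policy_id: int
    name: str
    ems_tags: tuple           # values given to "set ztna-ems-tag ..."
    match_logic: str = "or"   # ztna-tags-match-logic: "or" (GUI Any) / "and" (GUI All)

@dataclass
class Endpoint:
    """One entry of the fcnacd ZTNA cache (constructed sample data)."""
    uid: str
    ems_sn: str
    tags: set                 # tag names as listed by "diagnose test application fcnacd 7"

    def ems_tag_names(self):
        # In the proxy-policy, EMS tags carry the EMS serial number as a prefix.
        return {f"{self.ems_sn}_{t}" for t in self.tags}

def rule_matches(rule, endpoint):
    """Evaluate the rule's tag list against the endpoint's current tags."""
    present = endpoint.ems_tag_names()
    if rule.match_logic == "and":
        return all(t in present for t in rule.ems_tags)
    if rule.match_logic == "or":
        return any(t in present for t in rule.ems_tags)
    raise ValueError(f"unknown ztna-tags-match-logic {rule.match_logic!r}")

@dataclass
class Session:
    session_id: int
    policy_id: int
    endpoint_uid: str

class AccessProxy:
    """Stand-in for the FortiGate session table plus its re-verification step."""

    def __init__(self, rules, endpoints):
        self.rules = {r.policy_id: r for r in rules}
        self.endpoints = {e.uid: e for e in endpoints}
        self.sessions = {}
        self._next_id = 1

    def connect(self, endpoint_uid):
        """Match the endpoint against the rules in order; return a session or None."""
        endpoint = self.endpoints[endpoint_uid]
        for rule in self.rules.values():
            if rule_matches(rule, endpoint):
                sess = Session(self._next_id, rule.policy_id, endpoint_uid)
                self.sessions[sess.session_id] = sess
                self._next_id += 1
                return sess
        return None   # what the logs report as "failed to match a proxy-policy"

    def reverify(self):
        """Re-check every active session and drop those that no longer match."""
        dropped = []
        for sid, sess in list(self.sessions.items()):
            if not rule_matches(self.rules[sess.policy_id],
                                self.endpoints[sess.endpoint_uid]):
                dropped.append(self.sessions.pop(sid))
        return dropped

    def update_endpoint_tags(self, endpoint_uid, tags):
        """EMS reported a posture change and fcnacd refreshed the cached tags."""
        self.endpoints[endpoint_uid].tags = set(tags)
        return self.reverify()

    def update_rule_logic(self, policy_id, match_logic):
        """An administrator changed Match ZTNA Tags (Any/All) on the rule."""
        self.rules[policy_id].match_logic = match_logic
        return self.reverify()

EMS_SN = "FCTEMS0000109188"
UID = "F4F3263AEBE54777A6509A8FCCDF9284"

def example1_av_disabled():
    """Rule requires AV-enabled; the endpoint loses that tag -> session dropped."""
    rule = ZtnaRule(4, "TCP-forward-WIN2K16", (f"{EMS_SN}_AV-enabled",))
    ep = Endpoint(UID, EMS_SN, {"AV-enabled", "all_registered_clients", "Low"})
    proxy = AccessProxy([rule], [ep])
    sess = proxy.connect(UID)
    dropped = proxy.update_endpoint_tags(UID, {"all_registered_clients", "Low"})
    return sess is not None, len(proxy.sessions), [d.session_id for d in dropped]

def example2_logic_changed():
    """Rule is AV-enabled OR Low, endpoint has only Low; logic changed to and."""
    tags = (f"{EMS_SN}_AV-enabled", f"{EMS_SN}_Low")
    rule = ZtnaRule(4, "TCP-forward-WIN2K16", tags, "or")
    ep = Endpoint(UID, EMS_SN, {"all_registered_clients", "Low"})
    proxy = AccessProxy([rule], [ep])
    sess = proxy.connect(UID)
    dropped = proxy.update_rule_logic(4, "and")
    return sess is not None, len(proxy.sessions), [d.session_id for d in dropped]
```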

GUI support for multiple ZTNA features - 7.0.2

When configuring a ZTNA server, load balancing, TCP forwarding, and SAML can be configured in the GUI.

Load balancing

Load balancing can be configured when adding or editing a service or server mapping.

When adding a load balancing server:
l If the load balancing method is Weighted then the weight can be included.
l If the method is HTTP Host an HTTP host server domain name can be included in the HTTP header that is
forwarded to the real server.

TCP forwarding and SSH

TCP forwarding can be selected as the service when adding or editing a service or server mapping.

Add servers from firewall addresses. Turn on Enable Additional SSH Option to configure a client certificate and host key
validation.

A client certificate allows users to perform one-time user authentication to authenticate the SSH access proxy. See
ZTNA SSH access proxy example for details. Select a certificate from the drop-down list, or create a new one.

Host key validation allows the ZTNA proxy to validate the SSH server using the host key before forwarding traffic to it.
Click in the Host key field to add or create an SSH host key.

SAML

SAML can be enabled when configuring a ZTNA server, and a SAML SSO server can be selected or created.

If the SAML SSO server does not have an authentication scheme or rule associated with it, warnings are shown.

Click Configure in each warning to add an authentication scheme and rule.

Increase ZTNA and EMS tag limits - 7.0.4

The following limits have been increased for EMS servers, and for the IP and MAC addresses in EMS and ZTNA tags:
l The maximum number of EMS servers a FortiGate can connect to increased from three to five.
l The maximum number of IP addresses an EMS tag can resolve increased from 1000 to over 100,000.
l The maximum number of MAC addresses an EMS tag can resolve increased from 1000 to 3000.
The following diagnose commands are available to verify address information:
# diagnose firewall fqdn <option>

Option Description
list-ip List IP FQDN information.
list-mac List MAC FQDN information.
list-all List FQDN information.
getinfo-ip Get information of IP FQDN address.
getinfo-mac Get information of MAC FQDN address.
get-ip Get and display one IP FQDN address.
get-mac Get and display one MAC FQDN address.

Sample diagnostics

# diagnose firewall fqdn list-ip
List all IP FQDN:
fqdn_u 0x16e55220 gmail.com: type:(1) ID(14) count(1) generation(2) data_len:13 flag: 1
ip list: (1 ip in total)
ip: 172.217.175.5
Total ip fqdn range blocks: 1.
Total ip fqdn addresses: 1.
# diagnose firewall fqdn list-mac
List all MAC FQDN:
arg 0x16e55220 mac_fctems8821001056_ems138_running_app_tag: type:(2) ID(258) count(0) generation(0) data_len:0 flag: 0
Total mac fqdn addresses: 0.

# diagnose firewall fqdn getinfo-ip fctems8821001322_zt_ems_mgmt
getinfo fctems8821001322_zt_ems_mgmt id:57 generation:9 count:2644 data_len:216682 flag 0
# diagnose firewall fqdn getinfo-mac mac_fctems8821001322_zt_ems_mgmt
getinfo mac_fctems8821001322_zt_ems_mgmt id:46 generation:15 count:3000 data_len:18000 flag 0
# diagnose firewall fqdn get-ip fctems8821001322_zt_ems_mgmt
fqdn_u 0x16e533f0 fctems8821001322_zt_ems_mgmt: type:(1) ID(57) count(2644) generation(12) data_len:218594 flag: 0
ip list: (1 ip in total)
ip: 2.41.58.41
...
ip list: (3931 ip in total)
...
ip list: (1 ip in total)
ip: 255.148.7.86
ip list: (1 ip in total)
ip: 255.185.252.100
Total ip fqdn range blocks: 2644.
Total ip fqdn addresses: 6641.
# diagnose firewall fqdn get-mac mac_fctems8821001322_zt_ems_mgmt
arg 0x16e533f0 mac_fctems8821001322_zt_ems_mgmt: type:(2) ID(46) count(3000) generation(16) data_len:18000 flag: 0
mac: af:**:**:**:**:**
mac: 63:**:**:**:**:**
mac: 50:**:**:**:**:**
mac: e3:**:**:**:**:**
mac: 2c:**:**:**:**:**
...
mac: 96:**:**:**:**:**
mac: 52:**:**:**:**:**
Total mac fqdn addresses: 3000.

Use FQDN with ZTNA TCP forwarding access proxy - 7.0.4

When defining ZTNA connection rules on FortiClient for TCP forwarding, it is sometimes desirable to configure the
destination host address as an FQDN address instead of an IP address. Since the real servers are often servers in the
corporate network, this layer of obfuscation prevents internal IPs from easily leaking to the public, and also makes the
destination more easily recognizable by the end users.
One obstacle to overcome is getting remote hosts to resolve an internal FQDN that is typically only resolvable by an
internal DNS in the corporate network. This can be solved with the following:
1. When an FQDN address is added as a destination host in a ZTNA connection rule, FortiClient creates a virtual IP for
this FQDN address and adds this to the computer’s host file (Windows). The same is true when a ZTNA connection
rule entry is pushed from EMS.
2. The virtual IP mapped to the FQDN address is not the real address of the server. It allows applications to resolve the
FQDN address to this virtual IP. FortiClient listens to any traffic destined for it and forwards the traffic using the TCP
forwarding URL with FQDN to the ZTNA access proxy.
3. The FortiGate access proxy will resolve the FQDN using the internal DNS on the corporate network, matching the
traffic to the ZTNA real server configuration with the same domain and address.
4. If a valid ZTNA real server entry is found, traffic is forwarded to the real server.

Example

In this example, two servers in the internal network are added to the FortiGate access proxy for TCP forwarding. The
remote client configures two ZTNA connection rules, with the destination host field pointing to the FQDN addresses of
the internal servers. These FQDN addresses are configured in the FortiGate’s DNS database so they can be resolved by
the FortiGate. It is recommended to use an internal DNS server for production environments.

This example assumes that the FortiGate EMS Fabric connector is already successfully connected.
This feature requires FortiClient and FortiClient EMS version 7.0.3 or later.

To configure the TCP forwarding access proxy:

1. Go to Policy & Objects > ZTNA and select the ZTNA Servers tab.
2. Click Create New.
3. Set Name to ZTNA_S1.
4. Configure the network settings:
a. Set External interface to any.
b. Set External IP to 172.18.62.32.
c. Set External port to 443.
5. Select the Default certificate. Clients will be presented with this certificate when they connect to the access proxy
VIP.
6. Add server mapping:
a. In the Service/server mapping table, click Create New.
b. For Service, select TCP Forwarding.
c. Add a server:
i. In the Servers table, click Create New.
ii. Create a new FQDN address for the HTTPS server at s27.qa.fortinet.com, then click OK.
iii. Apply the new address object as the address for the new server.
iv. Click OK.
d. Add another server using the same steps for s29.qa.fortinet.com.
7. Click OK. Now that the ZTNA server is complete, the domain settings must be configured in the CLI to map domains
to the real servers.

To map domains to the real servers:

config firewall access-proxy
    edit "ZTNA_S1"
        set vip "ZTNA_S1"
        set client-cert enable
        config api-gateway
            edit 2
                set url-map "/tcp"
                set service tcp-forwarding
                config realservers
                    edit 4
                        set address "s27.qa.fortinet.com"
                        set domain "qa.fortinet.com"
                    next
                    edit 5
                        set address "s29.qa.fortinet.com"
                        set domain "qa.fortinet.com"
                    next
                end
            next
        end
    next
end

To configure the ZTNA rule:

1. Go to Policy & Objects > ZTNA and select the ZTNA Rules tab.
2. Click Create New.
3. Set Name to ZTNA_TCP.
4. Set Incoming Interface to port2.
5. Set Source to all.
6. Select the ZTNA server ZTNA_S1.
7. Configure the remaining options as needed.
8. Click OK.

To configure the DNS entries for each server:

1. Enable the DNS database visibility:
a. Go to System > Feature Visibility.
b. Enable DNS Database.
c. Click Apply.
2. Go to Network > DNS Servers. Under DNS Database, click Create New.
3. Set DNS Zone to ZTNA.
4. Set Domain Name to qa.fortinet.com.
5. Add the DNS entries:
a. Under DNS Entries, click Create New.
b. Set Hostname to s27.
c. Set IP Address to the HTTPS server address.
d. Click OK.
e. Add another DNS entry using the same steps for the s29.qa.fortinet.com HTTP server.
6. Click OK.

Testing the connection to the access proxy

Before connecting, users must have a ZTNA connection rule in FortiClient.

ZTNA TCP forwarding rules can be provisioned from the EMS server. See Provisioning ZTNA
TCP forwarding rules via EMS for more details.

To create the ZTNA rules in FortiClient and connect:

1. From the ZTNA Connection Rules tab, click Add Rule.
2. Create a rule for the HTTPS server:
a. Set Rule Name to server27.
b. Set Destination Host to s27.qa.fortinet.com:443.
c. Set Proxy Gateway to 172.18.62.32:443.
d. Disable Encryption.
e. Click Create.
3. Create a rule for the HTTP server:
a. Set Rule Name to server29.
b. Set Destination Host to s29.qa.fortinet.com:80.
c. Set Proxy Gateway to 172.18.62.32:443.
d. Disable Encryption.
e. Click Create.
4. Upon creating the ZTNA rules, two new entries are added to the Windows PC’s host file in folder
C:\Windows\System32\drivers\etc. View the file, and observe the new entries for the virtual IP and FQDN pairing for
each ZTNA connection rule.
# ----- FORTICLIENT ZTNA VIP START -----
10.235.0.1 s27.qa.fortinet.com
10.235.0.2 s29.qa.fortinet.com
# ----- FORTICLIENT ZTNA VIP END -----

5. The Windows PC now resolves the FQDNs to the virtual IPs, and FortiClient will listen to the traffic to these IPs and
forward them to the TCP access proxy.
6. Have the remote user connect to the HTTPS and HTTP servers on a browser. After device verification, the user is
able to successfully connect to the remote servers.
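The four-step flow described above, as an added Python model (not FortiClient or FortiGate code): ForticlientZtna assigns one virtual IP per FQDN, renders the hosts-file block and re-targets intercepted traffic to the gateway using the FQDN, and proxy_select_real_server resolves that FQDN through an internal DNS table and matches it against the realservers configuration. The 10.235.0.0/16 pool and the internal server addresses are assumptions; only the two virtual IPs are taken from the page.

```python
import ipaddress

# Constructed sample data following the page's example: two real servers behind
# the TCP forwarding access proxy ZTNA_S1 and a DNS database zone for
# qa.fortinet.com. The server IPs and the 10.235.0.0/16 virtual IP pool are
# assumptions (the page only shows the virtual IPs 10.235.0.1 and 10.235.0.2).
INTERNAL_DNS = {
    "s27.qa.fortinet.com": "192.168.20.27",
    "s29.qa.fortinet.com": "192.168.20.29",
}
REAL_SERVERS = [   # "config realservers" under the "/tcp" api-gateway
    {"id": 4, "address": "s27.qa.fortinet.com", "domain": "qa.fortinet.com"},
    {"id": 5, "address": "s29.qa.fortinet.com", "domain": "qa.fortinet.com"},
]
VIP_POOL = ipaddress.ip_network("10.235.0.0/16")


class ForticlientZtna:
    """Client side: connection rules -> one virtual IP per FQDN -> hosts entries."""

    def __init__(self):
        self.vip_by_fqdn = {}
        self.rules = {}          # (virtual IP, port) -> (rule name, fqdn, gateway)
        self._free_vips = VIP_POOL.hosts()

    def add_rule(self, name, destination_host, proxy_gateway):
        """Mirror of 'Add Rule' in the ZTNA Connection Rules tab."""
        fqdn, port = destination_host.rsplit(":", 1)
        vip = self.vip_by_fqdn.setdefault(fqdn, str(next(self._free_vips)))
        self.rules[(vip, int(port))] = (name, fqdn, proxy_gateway)
        return vip

    def hosts_file_block(self):
        """The block FortiClient writes to the Windows hosts file."""
        lines = ["# ----- FORTICLIENT ZTNA VIP START -----"]
        lines += [f"{vip} {fqdn}" for fqdn, vip in self.vip_by_fqdn.items()]
        lines.append("# ----- FORTICLIENT ZTNA VIP END -----")
        return "\n".join(lines)

    def intercept(self, dst_ip, dst_port):
        """Traffic to a virtual IP goes to the gateway carrying the FQDN, not the VIP."""
        rule = self.rules.get((dst_ip, dst_port))
        if rule is None:
            return None          # not ZTNA traffic; leave it alone
        name, fqdn, gateway = rule
        return {"rule": name, "gateway": gateway, "host": f"{fqdn}:{dst_port}"}


def proxy_select_real_server(request_host, real_servers=REAL_SERVERS,
                             dns=INTERNAL_DNS):
    """FortiGate side: resolve the FQDN on the internal DNS and pick the real
    server entry whose address and domain match the requested host."""
    fqdn, port = request_host.rsplit(":", 1)
    ip = dns.get(fqdn)
    if ip is None:
        return None              # not resolvable internally
    for server in real_servers:
        if server["address"] == fqdn and fqdn.endswith("." + server["domain"]):
            return {"realserver": server["id"], "ip": ip, "port": int(port)}
    return None                  # no realserver entry: nothing is forwarded
```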

UTM scanning on TCP forwarding access proxy traffic - 7.0.4

UTM scanning and deep inspection are supported for multiple protocols in a ZTNA TCP forwarding access proxy. In
addition to HTTP and HTTPS, the mail protocols (SMTP, IMAP, and POP3) and file sharing protocols (SMB and CIFS)
are supported.

Examples

This topology is used in the following four examples. For detailed instructions regarding configuring a TCP forwarding
access proxy (TFAP), ZTNA rules (proxy policy), and ZTNA connection rules (FortiClient), refer to ZTNA TCP forwarding
access proxy example in the FortiOS Administration Guide.

AV scanning for normal POP3, IMAP, and SMTP traffic

To configure AV scanning for normal POP3, IMAP, and SMTP traffic:

1. In FortiClient, add ZTNA connection rules for the email server IP and the POP3, IMAP, and SMTP ports.
2. In FortiOS, configure the ZTNA TCP forwarding server to add the email server address, and enable AV profile
scanning in the ZTNA rules.
3. On the client PC, open the Outlook app and send emails with attachments containing virus-infected files.
4. The ZTNA rule on the FortiGate blocks the email send/receive traffic and generates AV logs.

Sample logs

4: date=2022-01-13 time=16:13:04 eventtime=1642119184944916750 tz="-0800" logid="0211008194"
type="utm" subtype="virus" eventtype="infected" level="warning" vd="vdom1" policyid=1
poluuid="325d4516-74a8-51ec-db9b-a5511f9a7842" policytype="proxy-policy" msg="MIME header
detected to have a virus and blocked." action="attachment-removed" service="POP3"
sessionid=49481 srcip=10.1.100.44 dstip=172.16.200.55 srcport=62056 dstport=110
srccountry="Reserved" dstcountry="Reserved" srcintf="port21" srcintfrole="undefined"
dstintf="vdom1" dstintfrole="undefined" srcuuid="0f6255fa-742c-51ec-90fa-53966ea2dfeb"
proto=6 direction="incoming" fctuid="90281C4D7C1B41AAB795DD870177BDAE" unauthuser="qa"
unauthusersource="forticlient" srcdomain="releaseqa.fortinet.com" filename="eicar.exe"
quarskip="Quarantine-disabled" virus="EICAR_TEST_FILE" viruscat="Virus" dtype="av-engine"
ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" virusid=2172 profile="test-av"
from="[email protected]" to="[email protected]" recipient="testpc3"
subject="ZTNA av01" attachment="yes"
analyticscksum="e39ed6986b7df43e394a71357929e3a2e5b72fa0d170246b47cb7fb6675eda3d"
analyticssubmit="false" crscore=50 craction=2 crlevel="critical"
5: date=2022-01-13 time=15:32:46 eventtime=1642116766716926977 tz="-0800" logid="0211008194"
type="utm" subtype="virus" eventtype="infected" level="warning" vd="vdom1" policyid=1
poluuid="325d4516-74a8-51ec-db9b-a5511f9a7842" policytype="proxy-policy" msg="MIME header
detected to have a virus and blocked." action="attachment-removed" service="IMAP"
sessionid=43017 srcip=10.1.100.44 dstip=172.16.200.55 srcport=61563 dstport=143
srccountry="Reserved" dstcountry="Reserved" srcintf="port21" srcintfrole="undefined"
dstintf="vdom1" dstintfrole="undefined" srcuuid="0f6255fa-742c-51ec-90fa-53966ea2dfeb"
proto=6 direction="outgoing" fctuid="90281C4D7C1B41AAB795DD870177BDAE" unauthuser="qa"
unauthusersource="forticlient" srcdomain="releaseqa.fortinet.com" filename="eicar.exe"
quarskip="Quarantine-disabled" virus="EICAR_TEST_FILE" viruscat="Virus" dtype="av-engine"
ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" virusid=2172 profile="test-av"
from="[email protected]" to="[email protected]" recipient="\"testpc3\""
subject="ZTNA av testing" attachment="yes"
analyticscksum="e39ed6986b7df43e394a71357929e3a2e5b72fa0d170246b47cb7fb6675eda3d"
analyticssubmit="false" crscore=50 craction=2 crlevel="critical"
6: date=2022-01-13 time=15:32:44 eventtime=1642116764260408431 tz="-0800" logid="0211008194"
type="utm" subtype="virus" eventtype="infected" level="warning" vd="vdom1" policyid=1
poluuid="325d4516-74a8-51ec-db9b-a5511f9a7842" policytype="proxy-policy" msg="MIME header
detected to have a virus and blocked." action="blocked" service="SMTP" sessionid=43006
srcip=10.1.100.44 dstip=172.16.200.55 srcport=61559 dstport=25 srccountry="Reserved"
dstcountry="Reserved" srcintf="port21" srcintfrole="undefined" dstintf="vdom1"
dstintfrole="undefined" srcuuid="0f6255fa-742c-51ec-90fa-53966ea2dfeb" proto=6
direction="outgoing" fctuid="90281C4D7C1B41AAB795DD870177BDAE" unauthuser="qa"
unauthusersource="forticlient" srcdomain="releaseqa.fortinet.com" filename="eicar.exe"
quarskip="Quarantine-disabled" virus="EICAR_TEST_FILE" viruscat="Virus" dtype="av-engine"
ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" virusid=2172 profile="test-av"
from="[email protected]" to="[email protected]" sender="[email protected]"
recipient="[email protected]" subject="ZTNA av testing" attachment="yes"
analyticscksum="e39ed6986b7df43e394a71357929e3a2e5b72fa0d170246b47cb7fb6675eda3d"
analyticssubmit="false" crscore=50 craction=2 crlevel="critical"

AV deep scanning for SSL encrypted POP3S, IMAPS, and SMTPS traffic

To configure AV deep scanning for SSL encrypted POP3S, IMAPS, and SMTPS traffic:

1. In FortiClient, add ZTNA connection rules for the email server IP and the POP3S, IMAPS, and SMTPS ports.
2. In FortiOS, configure the ZTNA TCP forwarding server to add the email server address, and enable AV profile
scanning in the ZTNA rules.
3. On the client PC, open the Outlook app and send emails with attachments containing virus-infected files.
4. The ZTNA rule on the FortiGate blocks the email send/receive traffic and generates AV logs.

Sample logs

1: date=2022-01-13 time=16:43:57 eventtime=1642121036970794477 tz="-0800" logid="0211008194"
type="utm" subtype="virus" eventtype="infected" level="warning" vd="vdom1" policyid=1
poluuid="325d4516-74a8-51ec-db9b-a5511f9a7842" policytype="proxy-policy" msg="MIME header
detected to have a virus and blocked." action="attachment-removed" service="IMAPS"
sessionid=54283 srcip=10.1.100.44 dstip=172.16.200.55 srcport=62142 dstport=143
srccountry="Reserved" dstcountry="Reserved" srcintf="port21" srcintfrole="undefined"
dstintf="vdom1" dstintfrole="undefined" srcuuid="0f6255fa-742c-51ec-90fa-53966ea2dfeb"
proto=6 direction="outgoing" fctuid="90281C4D7C1B41AAB795DD870177BDAE" unauthuser="qa"
unauthusersource="forticlient" srcdomain="releaseqa.fortinet.com" filename="eicar.exe"
quarskip="Quarantine-disabled" virus="EICAR_TEST_FILE" viruscat="Virus" dtype="av-engine"
ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" virusid=2172 profile="test-av"
from="[email protected]" to="[email protected]" recipient="\"testpc3\""
subject="ZTNA ssl port av test" attachment="yes"
analyticscksum="e39ed6986b7df43e394a71357929e3a2e5b72fa0d170246b47cb7fb6675eda3d"
analyticssubmit="false" crscore=50 craction=2 crlevel="critical"
2: date=2022-01-13 time=16:43:54 eventtime=1642121034843926858 tz="-0800" logid="0211008194"
type="utm" subtype="virus" eventtype="infected" level="warning" vd="vdom1" policyid=1
poluuid="325d4516-74a8-51ec-db9b-a5511f9a7842" policytype="proxy-policy" msg="MIME header
detected to have a virus and blocked." action="blocked" service="SMTPS" sessionid=54276
srcip=10.1.100.44 dstip=172.16.200.55 srcport=62140 dstport=25 srccountry="Reserved"
dstcountry="Reserved" srcintf="port21" srcintfrole="undefined" dstintf="vdom1"
dstintfrole="undefined" srcuuid="0f6255fa-742c-51ec-90fa-53966ea2dfeb" proto=6
direction="outgoing" fctuid="90281C4D7C1B41AAB795DD870177BDAE" unauthuser="qa"
unauthusersource="forticlient" srcdomain="releaseqa.fortinet.com" filename="eicar.exe"
quarskip="Quarantine-disabled" virus="EICAR_TEST_FILE" viruscat="Virus" dtype="av-engine"
ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" virusid=2172 profile="test-av"
from="[email protected]" to="[email protected]" sender="[email protected]"
recipient="[email protected]" subject="ZTNA ssl port av test" attachment="yes"
analyticscksum="e39ed6986b7df43e394a71357929e3a2e5b72fa0d170246b47cb7fb6675eda3d"
analyticssubmit="false" crscore=50 craction=2 crlevel="critical"
3: date=2022-01-13 time=16:35:47 eventtime=1642120547940825448 tz="-0800" logid="0211008194"
type="utm" subtype="virus" eventtype="infected" level="warning" vd="vdom1" policyid=1
poluuid="325d4516-74a8-51ec-db9b-a5511f9a7842" policytype="proxy-policy" msg="MIME header
detected to have a virus and blocked." action="attachment-removed" service="POP3S"
sessionid=52986 srcip=10.1.100.44 dstip=172.16.200.55 srcport=62114 dstport=995
srccountry="Reserved" dstcountry="Reserved" srcintf="port21" srcintfrole="undefined"
dstintf="vdom1" dstintfrole="undefined" srcuuid="0f6255fa-742c-51ec-90fa-53966ea2dfeb"
proto=6 direction="incoming" fctuid="90281C4D7C1B41AAB795DD870177BDAE" unauthuser="qa"
unauthusersource="forticlient" srcdomain="releaseqa.fortinet.com" filename="eicar.com"
quarskip="Quarantine-disabled" virus="EICAR_TEST_FILE" viruscat="Virus" dtype="av-engine"
ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" virusid=2172 profile="test-av"
from="[email protected]" to="[email protected]" recipient="testpc3"
subject="Hayder virus " attachment="yes"
analyticscksum="275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"
analyticssubmit="false" crscore=50 craction=2 crlevel="critical"

AV scanning for SMB service traffic

To configure AV scanning for SMB service traffic:

1. In FortiClient, add ZTNA connection rules for the SMB file sharing server IP and ports.
2. In FortiOS, configure the ZTNA TCP forwarding server to add the SMB server address, and enable AV profile
scanning in the ZTNA rules.
3. On the client PC, upload and download virus-infected files to and from the SMB server.
4. The ZTNA rule on the FortiGate blocks the SMB file upload/download traffic and generates AV logs.

Sample logs

1: date=2022-01-13 time=18:59:47 eventtime=1642129187739702864 tz="-0800" logid="0211008192"
type="utm" subtype="virus" eventtype="infected" level="warning" vd="root" policyid=1
poluuid="c6c33072-aa18-51eb-5fe7-cfc4055b0e7d" policytype="proxy-policy" msg="File is
infected." action="blocked" service="SMB" sessionid=403485 srcip=192.168.4.119
dstip=172.16.100.80 srcport=58569 dstport=445 srccountry="Reserved" dstcountry="Reserved"
srcintf="port4" srcintfrole="undefined" dstintf="root" dstintfrole="undefined"
srcuuid="88a8d5b0-4f66-51eb-26a7-cfcffb04b300" proto=6 direction="outgoing"
fctuid="C7F3ACD19E174AADBB96B2DCF3B75D52" unauthuser="fosqa" unauthusersource="forticlient"
filename="eicar.gz" quarskip="Quarantine-disabled" virus="EICAR_TEST_FILE" viruscat="Virus"
dtype="av-engine" ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" virusid=2172
profile="test-av"
analyticscksum="59ec794669c00c9de24539aa5f53ab2e61a63ff2517c1a7fa1f9ac2298678a77"
analyticssubmit="false" crscore=50 craction=2 crlevel="critical"
2: date=2022-01-13 time=18:59:47 eventtime=1642129187713723634 tz="-0800" logid="0211008192"
type="utm" subtype="virus" eventtype="infected" level="warning" vd="root" policyid=1
poluuid="c6c33072-aa18-51eb-5fe7-cfc4055b0e7d" policytype="proxy-policy" msg="File is
infected." action="blocked" service="SMB" sessionid=403485 srcip=192.168.4.119
dstip=172.16.100.80 srcport=58569 dstport=445 srccountry="Reserved" dstcountry="Reserved"
srcintf="port4" srcintfrole="undefined" dstintf="root" dstintfrole="undefined"
srcuuid="88a8d5b0-4f66-51eb-26a7-cfcffb04b300" proto=6 direction="outgoing"
fctuid="C7F3ACD19E174AADBB96B2DCF3B75D52" unauthuser="fosqa" unauthusersource="forticlient"
filename="eicar.tar" quarskip="Quarantine-disabled" virus="EICAR_TEST_FILE" viruscat="Virus"
dtype="av-engine" ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" virusid=2172
profile="test-av"
analyticscksum="b3c821df29abc46336495d604903bb13a99ce750bc61fab14491af7682e9663e"
analyticssubmit="false" crscore=50 craction=2 crlevel="critical"

File filter scanning for CIFS service traffic

To configure file filter scanning for CIFS service traffic:

1. In FortiClient, add ZTNA connection rules for the CIFS server IP and port.
2. In FortiOS, configure the ZTNA TCP forwarding server to add the CIFS server address, and enable file filter profile
scanning in the ZTNA rules.
3. On the client PC, upload and download predefined file types (such as .EXE) to and from the CIFS server.
4. The ZTNA rule on the FortiGate blocks the matching file transfers and generates file filter logs.

Sample logs

1: date=2022-01-13 time=18:23:40 eventtime=1642127020332998536 tz="-0800" logid="1900064000"
type="utm" subtype="file-filter" eventtype="file-filter" level="warning" vd="root"
policyid=1 poluuid="c6c33072-aa18-51eb-5fe7-cfc4055b0e7d" policytype="proxy-policy"
sessionid=395500 srcip=192.168.4.119 srcport=58456 srccountry="Reserved" srcintf="port4"
srcintfrole="undefined" srcuuid="88a8d5b0-4f66-51eb-26a7-cfcffb04b300" dstip=172.16.100.80
dstport=445 dstcountry="Reserved" dstintf="root" dstintfrole="undefined" proto=6
service="CIFS" profile="test_file_filter" direction="outgoing" action="blocked"
filtername="file01" sharename="\\\\172.16.100.80\\Swap-1day" pathname="fhou"
filename="winrar-x64-601.exe" filesize=524288 filetype="exe" msg="File was blocked by file
filter." fctuid="C7F3ACD19E174AADBB96B2DCF3B75D52" unauthuser="fosqa"
unauthusersource="forticlient"

2: date=2022-01-13 time=18:23:01 eventtime=1642126981266143580 tz="-0800" logid="1900064001"
type="utm" subtype="file-filter" eventtype="file-filter" level="notice" vd="root" policyid=1
poluuid="c6c33072-aa18-51eb-5fe7-cfc4055b0e7d" policytype="proxy-policy" sessionid=395500
srcip=192.168.4.119 srcport=58456 srccountry="Reserved" srcintf="port4"
srcintfrole="undefined" srcuuid="88a8d5b0-4f66-51eb-26a7-cfcffb04b300" dstip=172.16.100.80
dstport=445 dstcountry="Reserved" dstintf="root" dstintfrole="undefined" proto=6
service="CIFS" profile="test_file_filter" direction="incoming" action="passthrough"
filtername="file01" sharename="\\\\172.16.100.80\\Swap-1day" pathname="fhou"
filename="winrar-x64-601.exe" filesize=32768 filetype="exe" msg="File was detected by file
filter." fctuid="C7F3ACD19E174AADBB96B2DCF3B75D52" unauthuser="fosqa"
unauthusersource="forticlient"

Connect a ZTNA access proxy to an SSL VPN web portal - 7.0.4

SSL VPN web portals can be defined in ZTNA access proxy settings. The ZTNA access proxy handles the access
control processes (client certificate authentication, posture check, user authentication and authorization), and
establishes the HTTPS connection between the end user and the access proxy. Then, it forwards the user to the web
portal where they can use predefined bookmarks to access TCP based services like HTTPS, RDP, VNC, FTP, SFTP,
SSH, Telnet, and SMB. Existing SSL VPN portal configurations can be used.

The web portal service can only be configured in the CLI.

Example

In this example, a remote client connects to the ZTNA access proxy and completes the client certificate check. If
successful, the remaining access control procedures are automatically completed, and the user is forwarded to the web
portal. The web portal is configured with predefined bookmarks that connect to internal servers and external websites.
The user can access any resource that is defined in the bookmarks to create an end-to-end connection.

To configure the SSL VPN web portal:

1. Go to VPN > SSL-VPN Portals and click Create New.
2. Enter the name, test_ssl.

3. Disable Tunnel Mode.
4. Enable Web Mode.
5. Create the bookmarks:
a. Under Predefined Bookmarks, click Create New.
b. Enter the name of the service.
c. Select the service Type.
d. Enter the URL to access the service.
e. Click OK.
f. Repeat these steps to create other bookmarks.
6. Click OK.

To configure the ZTNA access proxy:

1. Configure a VIP for the ZTNA access proxy. The ssl-certificate can be replaced with a server certificate:
config firewall vip
    edit "ztna_webportal"
        set type access-proxy
        set extip 172.18.62.68
        set extintf "any"
        set server-type https
        set extport 4443
        set ssl-certificate "*.test.com"
    next
end

2. Configure the virtual host to be used to connect to the ZTNA access proxy. The host should resolve to the VIP's
address:
config firewall access-proxy-virtual-host
    edit "webportal"
        set ssl-certificate "*.test.com"
        set host "web.test.com"
    next
end

3. Configure the ZTNA access proxy to be in web portal mode:
config firewall access-proxy
    edit "ztna_webportal"
        set vip "ztna_webportal"
        set client-cert enable
        config api-gateway
            edit 1
                set url-map "/webportal"
                set service web-portal
                set virtual-host "webportal"
                set ssl-vpn-web-portal "test_ssl"
            next
        end
    next
end

4. Apply the access proxy to a proxy policy (specify the ZTNA tags as needed):
config firewall proxy-policy
    edit 1
        set name "ztna_rule"
        set proxy access-proxy
        set access-proxy "ztna_webportal"
        set srcintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set ztna-ems-tag "FCTEMS8821000000_High"
        set action accept
        set schedule "always"
        set logtraffic all
        set srcaddr6 "all"
        set dstaddr6 "all"
        set utm-status enable
        set profile-type group
        set profile-group "profile group1"
        set logtraffic-start enable
    next
end

The SSL VPN bookmarks are learned by the WAD daemon and are ready to use.
5. Verify the bookmarks:
# diagnose test app wad 351
[bookmark: (portal/group/name=test_ssl/gui-bookmarks/2nd HTTP)]:
type :1
url :http://httpbin.org
host :
folder:
domain:
port :0
[bookmark: (portal/group/name=test_ssl/gui-bookmarks/FTP)]:
type :4
url :
host :
folder:172.16.200.215
domain:
port :0
[bookmark: (portal/group/name=test_ssl/gui-bookmarks/HTTPS-fortinet)]:
type :1
url :https://www.fortinet.com
host :
folder:
domain:
port :0
[bookmark: (portal/group/name=test_ssl/gui-bookmarks/RDP)]:
type :9
url :
host :172.18.62.213
folder:
domain:
port :3389

To test the connection:

1. From the client browser, go to https://web.test.com:4443/webportal to access the ZTNA access proxy web portal.

2. Once the client passes the certificate check, posture check, and access is granted, the user is redirected to the web
portal. The list of predefined bookmarks appears.

3. Click a bookmark, such as HTTPS-fortinet. The website opens.

4. From the web portal, click another bookmark, such as SSH. The page opens with the credential login screen to
access the server.

ZTNA FortiView and log enhancements - 7.0.4

The following ZTNA enhancements have been made to FortiView and the log view.
l Add FortiView ZTNA Servers monitor, which includes options to drill down by Sources, Rules, Real Servers, and
Sessions.
l Add context menu shortcuts on the ZTNA Rules and ZTNA Servers tabs to redirect to the FortiView and log view
pages.

l Replace Log & Report > ZTNA page with Log & Report > ZTNA Traffic page. ZTNA logs now have a traffic type and
ZTNA subtype.
l Add fields to ZTNA traffic logs (accessproxy, vip, gatewayid, clientdevicetags, clientdeviceid, and
clientdeviceowner).

To add the ZTNA server monitor:

1. Go to Dashboard > Status and click Add Monitor (+).
2. In the FortiView section, click the + beside FortiView ZTNA Servers.
3. Click Add Monitor. The monitor is added to the tree menu.

To access the ZTNA related monitors and logs using shortcuts:

1. Go to Policy & Objects > ZTNA and select the ZTNA Rules or ZTNA Servers tab.
2. Select an entry in the table.
3. Right-click and select Show in FortiView or Show Matching Logs.
Redirect from ZTNA Rules tab to FortiView monitor (drilled down to Rules view):

Redirect to matched logs:

Redirect from ZTNA Servers tab to FortiView monitor (drilled down to Sources view):

Redirect to matched logs:

Sample log

3: date=2022-01-17 time=09:38:20 eventtime=1642441100579101836 tz="-0800" logid="0005000024"
type="traffic" subtype="ztna" level="notice" vd="root" srcip=192.168.4.119 srcname="DESKTOP-
TDD7MND" srcport=55894 srcintf="port4" srcintfrole="undefined" dstcountry="Reserved"
srccountry="Reserved" dstip=172.18.62.32 dstport=443 dstintf="root" dstintfrole="undefined"
sessionid=580548 service="HTTPS" proto=6 action="deny" policyid=0 policytype="proxy-policy"
duration=26 gatewayid=2 vip="ZTNA_S1" accessproxy="ZTNA_S1"
clientdeviceid="C7F3ACD19E174AADBB96B2DCF3B75D52" clientdeviceowner="Release_QA"
clientdevicetags="FCTEMS8821000000_all_registered_clients/MAC_FCTEMS8821000000_all_
registered_clients/MAC_FCTEMS8821000000_ems140_management_tag" msg="Denied: failed to match
a proxy-policy" wanin=0 rcvdbyte=0 wanout=0 lanin=3120 sentbyte=3120 lanout=7196
fctuid="C7F3ACD19E174AADBB96B2DCF3B75D52" unauthuser="fosqa" unauthusersource="forticlient"
appcat="unscanned" crscore=30 craction=131072 crlevel="high"
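The UTM sample logs in the TCP forwarding examples above and this ZTNA traffic log are all FortiOS key=value records. The following added example (not code from this guide or from Fortinet) parses that format, including backslash-escaped quotes and UNC share names, counts the blocking UTM events per service, and lists denied ZTNA sessions with the clientdevicetags field split into individual EMS tags. The records in SAMPLE_LOGS are constructed, shortened versions of the logs shown on the page.

```python
"""Parse FortiOS key=value log records and summarize the ZTNA-relevant fields.

Added example; not code from the FortiOS guide or from Fortinet. SAMPLE_LOGS holds
constructed, shortened versions of the UTM and ZTNA traffic logs shown on the page.
"""
import re
from collections import Counter
from typing import Dict, List

# One key=value pair. A quoted value may contain spaces and backslash-escaped
# characters (FortiOS logs recipient="\"testpc3\"" and UNC share names this way).
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# UTM actions seen on the page that mean the content did not reach the endpoint.
BLOCKING_ACTIONS = {"blocked", "attachment-removed"}

SAMPLE_LOGS = [
    # AV hit on plain POP3: the attachment is stripped, the mail itself is delivered.
    '4: date=2022-01-13 time=16:13:04 logid="0211008194" type="utm" subtype="virus" '
    'eventtype="infected" level="warning" vd="vdom1" policyid=1 policytype="proxy-policy" '
    'msg="MIME header detected to have a virus and blocked." action="attachment-removed" '
    'service="POP3" srcip=10.1.100.44 dstip=172.16.200.55 dstport=110 filename="eicar.exe" '
    'virus="EICAR_TEST_FILE" profile="test-av" recipient="\\"testpc3\\"" unauthuser="qa"',
    # File filter on CIFS: an .exe upload is blocked; note the escaped UNC share name.
    r'1: date=2022-01-13 time=18:23:40 logid="1900064000" type="utm" subtype="file-filter" '
    r'action="blocked" service="CIFS" profile="test_file_filter" direction="outgoing" '
    r'sharename="\\\\172.16.100.80\\Swap-1day" filename="winrar-x64-601.exe" filetype="exe" '
    r'msg="File was blocked by file filter." unauthuser="fosqa"',
    # File filter on CIFS: detected on download but passed through (not a block).
    '2: date=2022-01-13 time=18:23:01 logid="1900064001" type="utm" subtype="file-filter" '
    'action="passthrough" service="CIFS" direction="incoming" filetype="exe" '
    'msg="File was detected by file filter." unauthuser="fosqa"',
    # ZTNA traffic log, denied: no proxy-policy matched this device and its tags.
    '3: date=2022-01-17 time=09:38:20 logid="0005000024" type="traffic" subtype="ztna" '
    'level="notice" vd="root" srcip=192.168.4.119 srcname="DESKTOP-TDD7MND" dstport=443 '
    'service="HTTPS" action="deny" policyid=0 gatewayid=2 vip="ZTNA_S1" accessproxy="ZTNA_S1" '
    'clientdeviceid="C7F3ACD19E174AADBB96B2DCF3B75D52" clientdeviceowner="Release_QA" '
    'clientdevicetags="FCTEMS8821000000_all_registered_clients/'
    'MAC_FCTEMS8821000000_ems140_management_tag" '
    'msg="Denied: failed to match a proxy-policy" unauthuser="fosqa"',
    # ZTNA traffic log, accepted after form authentication with MFA.
    '1: date=2022-05-19 time=13:04:41 logid="0005000024" type="traffic" subtype="ztna" '
    'srcip=10.0.3.2 dstip=10.88.0.3 dstport=9443 action="accept" policyid=1 '
    'policyname="ZTNA_R1" user="tsmith" group="FortiAD-MFA-group" vip="ZTNA_S1" '
    'clientdeviceid="9A016B5A6E914B42AD4168C066EB04CA" '
    'clientdevicetags="MAC_FCTEMS8822000000_Low/FCTEMS8822000000_all_registered_clients"',
]


def parse_fortios_log(line: str) -> Dict[str, str]:
    """Return the fields of one FortiOS log record as a dict of strings.

    The leading "N: " index printed by 'execute log display' is dropped; quoted
    values are unquoted and their backslash escapes resolved."""
    body = re.sub(r"^\d+:\s*", "", line.strip())
    fields: Dict[str, str] = {}
    for key, raw in _KV_RE.findall(body):
        if raw.startswith('"') and raw.endswith('"'):
            raw = re.sub(r"\\(.)", r"\1", raw[1:-1])
        fields[key] = raw
    return fields


def device_tags(rec: Dict[str, str]) -> List[str]:
    """Split the slash-separated clientdevicetags field into individual EMS tags."""
    return [t for t in rec.get("clientdevicetags", "").split("/") if t]


def summarize_utm_blocks(lines: List[str]) -> Counter:
    """Count blocking UTM events per (service, indicator): the virus name for AV
    logs, the file type for file filter logs. Passthrough events are not counted."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_fortios_log(line)
        if rec.get("type") != "utm" or rec.get("action") not in BLOCKING_ACTIONS:
            continue
        indicator = rec.get("virus") or rec.get("filetype") or "unknown"
        counts[(rec.get("service", "?"), indicator)] += 1
    return counts


def ztna_denies(lines: List[str]) -> List[Dict[str, object]]:
    """Summarize each denied ZTNA session: source, user, device, EMS tags, reason."""
    out: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_fortios_log(line)
        if (rec.get("type"), rec.get("subtype"), rec.get("action")) != ("traffic", "ztna", "deny"):
            continue
        out.append({"src": rec.get("srcip"), "user": rec.get("user") or rec.get("unauthuser"),
                    "device": rec.get("clientdeviceid"), "tags": device_tags(rec),
                    "reason": rec.get("msg")})
    return out
```

Feeding the output of `execute log display` (or a FortiAnalyzer export) line by line into these functions gives a quick per-service view of what the TCP forwarding access proxy stopped and which devices fell through to "failed to match a proxy-policy".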

ZTNA session-based form authentication - 7.0.4

Session-based form authentication for ZTNA allows users to log in through an authentication portal with support for
multi-factor authentication (MFA). This added advantage over the basic type authentication method allows FortiToken
MFA to be applied directly to FortiGate users. FortiToken MFA can be applied to local users or remote users.
Session-based form authentication can also be applied to explicit and transparent web proxies.

Example

In this example, the FortiGate is configured with a ZTNA HTTPS access proxy to protect access to the web server. It
uses session-based form authentication with cookies and auth-portal enabled. It connects to the internal Windows
Active Directory using LDAPS for user authentication, and assigns FortiToken MFA to individual users.

This example assumes that the FortiGate EMS Fabric connector is already successfully connected.

To configure the LDAP server:

1. Go to User & Authentication > LDAP Servers and click Create New.
2. Configure the following settings:

Name LDAP-fortiad

Server IP/Name 10.88.0.1

Server Port 389

Common Name Identifier sAMAccountName

Distinguished Name dc=fortiad,dc=info

Exchange server Disable this setting.

Bind Type Regular
Enter the Username and Password for LDAP binding and lookup.

Secure Connection Enable and set the Protocol to LDAPS.

Certificate Enable and select the CA certificate to validate the server certificate.

Server identity check Optionally, enable to verify the domain name or IP address against the server
certificate.

3. Click Test Connectivity to verify the connection to the server.
4. Click OK.

To configure a user with FortiToken MFA:

1. Go to User & Authentication > User Definition and click Create New.
2. Set User Type to Remote LDAP User and click Next.
3. Set LDAP Server to LDAP-fortiad and click Next.
4. For Remote Users, right-click on a user from the list under the corresponding OU and click Add Selected. In this
example, the user tsmith under the Marketing OU is selected.
5. Click Submit.
6. Double-click the new user, tsmith, to edit the settings.
7. Enable Two-factor Authentication. Select either FortiToken Cloud or FortiToken. In this example, FortiToken is
selected with a mobile FortiToken available on this FortiGate.
8. Enter an Email Address for the user to get a token activation notification.
9. Click OK.

To configure a user group:

1. Go to User & Authentication > User Groups and click Create New.
2. Enter the name of the group, FortiAD-MFA-group.
3. Set Type to Firewall.
4. Click the + in the Members field and add the user, tsmith.
5. Click OK.

To configure the authentication scheme:

1. Go to Policy & Objects > Authentication Rules and click Create New > Authentication Scheme.
2. Enter the name, ZTNA-Auth-scheme.
3. Set Method to Form-based.
4. Set User database to Other and select the LDAP-fortiad LDAP server.
5. Enable Two-factor authentication.
6. Click OK.

To configure the authentication rule:

config authentication rule
    edit "ztna_form_rule"
        set srcaddr "all"
        set ip-based disable
        set active-auth-method "ZTNA-Auth-scheme"
        set web-auth-cookie enable
    next
end

By disabling ip-based, the rule is session-based, so web authentication cookies must be enabled.

To configure the ZTNA basic server settings in the GUI:

Configuring the ZTNA server requires some settings that can only be configured in the CLI. The basic settings are
configured in the GUI first, then the advanced CLI-only configurations are added after.
1. Go to Policy & Objects > ZTNA and select the ZTNA Servers tab.
2. Click Create New.
3. Enter the server name, ZTNA_S1.
4. Configure the network settings:
a. Set External interface to port3.
b. Set External IP to 10.0.3.10.
c. Set External port to 9443.
5. Select the Default certificate. Clients are presented with this certificate when they connect to the access proxy
VIP. In this example, the custom certificate ztna-wildcard is selected.
6. Add server mapping:
a. In the Service/server mapping table, click Create New.
b. Set Service to HTTPS.
c. Set Virtual Host to Any Host.
d. Configure the path as needed.
e. Add a server:
i. In the Servers table, click Create New.
ii. Set IP to 10.88.0.3.
iii. Set Port to 9443.
iv. Click OK to complete the server settings.
f. Click OK to complete the HTTPS service mapping.
7. Click OK.

To configure the advanced authentication settings in the CLI:

The following steps are required to create a virtual host and to enable the authentication portal.
1. Create an access proxy virtual host that points to the ZTNA access proxy. The FQDN of the host must be able to
resolve to the external address 10.0.3.10. The client will be redirected to this page for form authentication:
config firewall access-proxy-virtual-host
    edit "auth-portal-vhost"
        set ssl-certificate "ztna-wildcard"
        set host "authportal.ztnademo.com"
    next
end

2. Enable auth-portal on the access proxy and point it to the virtual host:
config firewall access-proxy
    edit "ZTNA_S1"
        set auth-portal enable
        set auth-virtual-host "auth-portal-vhost"
    next
end

When auth-virtual-host is configured in the access proxy, it acts as a single sign-on (SSO) point. This means users
will be authenticated once when accessing any domains or services in ZTNA_S1. When auth-virtual-host is not
configured, users will be re-authenticated for each domain or service in ZTNA_S1.

To apply the authentication to the ZTNA rule:

1. Go to Policy & Objects > ZTNA and select the ZTNA Rules tab.
2. Click Create New.
3. Enter the name, ZTNA_R1.
4. Set Incoming Interface to port3.
5. Set Source to all. This can also be set to specific IP addresses to only allow those addresses to connect to this
HTTPS access proxy.
6. Click the + in the Source and from the User tab, select the FortiAD-MFA-group user group.
7. Click the + in the ZTNA Tag field and select the Low tag.
8. Set ZTNA Server to ZTNA_S1.
9. Set Destination to Webserver1, which is an address object for 10.88.0.3/32.
10. Configure the remaining options as needed.
11. Click OK.

Testing the connection

To test the remote access to the HTTPS access proxy with user authentication:

1. On the remote Windows PC, open FortiClient.
2. From the Zero Trust Telemetry tab, make sure that you are connected to the EMS server.
3. Open a browser and enter the address or FQDN of the server and the access port. In this example,
https://webserver.ztnademo.com:9443 resolves to https://10.0.3.10:9443.
4. The browser prompts for the client certificate to use. Select the EMS signed certificate, then click OK.
5. The client is verified by the FortiGate to authenticate your identity.
6. Form authentication redirects you to the captive portal defined by the auth-virtual-host,
authportal.ztnademo.com:9443. Enter your user credentials and FortiToken code.

7. After the user authentication passes, the FortiGate performs a posture check on the endpoint. When the posture
check passes, you are allowed access to the website.

To verify the logs:

1. Verify the logged in users in the WAD daemon:
# diagnose wad user list
ID: 2, VDOM: root, IPv4: 10.0.3.2
user name : tsmith
worker : 1
duration : 42
auth_type : Session
auth_method : Form
pol_id : 1
g_id : 4
user_based : 0
expire : no
LAN:
bytes_in=5117 bytes_out=302717
WAN:
bytes_in=304915 bytes_out=4407

2. Verify the endpoint information:
# diagnose endpoint record list
Record #1:
IP Address = 10.0.3.2
MAC Address = 02:09:0f:00:03:03
MAC list = 02:09:0f:00:04:03;02:09:0f:00:03:03;
VDOM = (-1)
EMS serial number: FCTEMS8822000000
Client cert SN: 5BDEE2D7B7FCA460D9CEC67BBF4D1FA33E3D281A
Public IP address: 67.249.72.215
Quarantined: no
Online status: online
Registration status: registered
On-net status: on-net
Gateway Interface:
FortiClient version: 7.0.2
AVDB version: 1.0
FortiClient app signature version: 13.364
FortiClient vulnerability scan engine version: 2.31
FortiClient UID: 9A016B5A6E914B42AD4168C066EB04CA
Host Name: WIN10-01
OS Type: WIN64
OS Version: Microsoft Windows 10 Professional Edition, 64-bit (build
19042) (version 2009)
Host Description:
Domain: fortiad.info
Last Login User: tsmith

Number of Routes: (0)
online records: 1; offline records: 0; quarantined records: 0

3. Verify the detected tags on the endpoint:
# diagnose test app fcnacd 7
ZTNA Cache V2:
Entry #1:
- UID: 9A016B5A6E914B42AD4168C066EB04CA
- EMS SN: FCTEMS88220010000
- Domain: fortiad.info
- User: tsmith
- Owner:
- Certificate SN: 5BDEE2D7B7FCA460D9CEC67BBF4D1FA33E3D281A

- online: true
- Tags (2):
-- Tag (#0): all_registered_clients
-- Tag (#1): Low
lls_idx_mask = 0x00000001,

4. Verify the ZTNA logs.
l In the GUI, go to Log & Report > ZTNA Traffic.
l In the CLI:
# execute log filter category 0
# execute log filter field subtype ztna
# execute log display
17 logs found.
10 logs returned.

1: date=2022-05-19 time=13:04:41 eventtime=1652990680922903215 tz="-0700"
logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root"
srcip=10.0.3.2 srcport=63111 srcintf="port3" srcintfrole="wan" dstcountry="Reserved"
srccountry="Reserved" dstip=10.88.0.3 dstport=9443 dstintf="root"
dstintfrole="undefined" sessionid=8313 service="tcp/9443" proto=6 action="accept"
policyid=1 policytype="proxy-policy" poluuid="b513a216-d7a9-51ec-7965-6ba166e99004"
policyname="ZTNA_R1" duration=66 user="tsmith" group="FortiAD-MFA-group" gatewayid=1
vip="ZTNA_S1" accessproxy="ZTNA_S1" clientdeviceid="9A016B5A6E914B42AD4168C066EB04CA"
clientdevicetags="MAC_FCTEMS8822000000_Low/FCTEMS8822000000_all_registered_
clients/MAC_FCTEMS8822000000_all_registered_clients" wanin=303042 rcvdbyte=303042
wanout=3925 lanin=4430 sentbyte=4430 lanout=301660
fctuid="9A016B5A6E914B42AD4168C066EB04CA" appcat="unscanned"

Using the IP pool or client IP address in a ZTNA connection to backend servers - 7.0.6

By default, the connection from the ZTNA access proxy to the backend servers uses the IP address of the outgoing
interface as the source. This enhancement enables customers to use an IP pool as the source IP address, or use the
client's original IP address as the source IP address. This allows ZTNA to support more sessions without source port
conflicts.
For more information about this feature, see Using the IP pool or client IP in a ZTNA connection to backend servers.

NGFW

This section includes information about NGFW policy mode related new features:
l Filters for application control groups in NGFW mode on page 476

Filters for application control groups in NGFW mode

When defining application groups in NGFW policy mode, the following group filters are now available: protocols, risk,
vendor, technology, behavior, popularity, and category.

config application group
    edit <name>
        set type filter
        set protocols <integer>
        set risk <integer>
        set vendor <id>
        set technology <id>
        set behavior <id>
        set popularity <integer>
        set category <id>
    next
end

protocols <integer>    Application protocol filter (0 - 47, or all).
risk <integer>         Risk or impact of allowing traffic from this application to occur (1 - 5;
                       low (1), elevated (2), medium (3), high (4), and critical (5)).
vendor <id>            Application vendor filter (0 - 25, or all).
technology <id>        Application technology filter:
                       l all
                       l 0 (network-protocol)
                       l 1 (browser-based)
                       l 2 (client-server)
                       l 4 (peer-to-peer)
behavior <id>          Application behavior filter:
                       l all
                       l 2 (botnet)
                       l 3 (evasive)
                       l 5 (excessive bandwidth)
                       l 6 (tunneling)
                       l 9 (cloud)
popularity <integer>   Application popularity filter (1 - 5, from least to most popular).
category <id>          Application category filter:
                       l 2 (P2P)
                       l 3 (VoIP)
                       l 5 (video/audio)
                       l 6 (proxy)
                       l 7 (remote access)
                       l 8 (game)
                       l 12 (general interest)
                       l 15 (network service)
                       l 17 (update)
                       l 21 (email)
                       l 22 (storage backup)
                       l 23 (social media)
                       l 25 (web client)
                       l 26 (industrial)
                       l 28 (collaboration)
                       l 29 (business)
                       l 30 (cloud IT)
                       l 31 (mobile)
                       l 32 (unknown applications)

Sample configurations

In this example, a single filter (risk level 1) is configured in the application group, so only signatures matching this filter
will match the security policy.

To configure the application group:

config application group
    edit "risk_1"
        set type filter
        set risk 1
    next
end

To configure the security policy:

config firewall security-policy
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set status enable
        set schedule "always"
        set enforce-default-app-port disable
        set service "ALL"
        set app-group risk_1
        set logtraffic all
    next
end

In this example, the application group is configured so that only signatures matching both filters, category 5 (video/audio)
and technology 1 (browser-based), will match the security policy. The application group can also be configured in a
traffic shaping policy.

To configure the application group:

config application group
    edit "two"
        set type filter
        set category 5
        set technology 1
    next
end


To configure the security policy:

config firewall security-policy
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set status enable
        set schedule "always"
        set enforce-default-app-port disable
        set service "ALL"
        set app-group two
        set logtraffic all
    next
end

To configure the traffic shaping policy:

config firewall shaping-policy
    edit 1
        set ip-version 4
        set service "ALL"
        set app-group two
        set dstintf port1
        set traffic-shaper "max-100"
        set traffic-shaper-reverse "max-100"
        set srcaddr "all"
        set dstaddr "all"
    next
end

Policies

This section includes information about policy related new features:
l DNS health check monitor for server load balancing on page 479
l Carrier-grade NAT on page 481
l Allow multiple virtual wire pairs in a virtual wire pair policy on page 483
l Simplify NAT46 and NAT64 policy and routing configurations 7.0.1 on page 486
l Cisco Security Group Tag as policy matching criteria 7.0.1 on page 497

DNS health check monitor for server load balancing

A DNS health check monitor can be configured for server load balancing. The monitor sends DNS queries over UDP or
TCP as probes, and verifies each response by checking that the configured request domain resolves to the configured
match IP address.
The DNS health check monitor does not support IPv6.


To create a DNS health check monitor:

config firewall ldb-monitor
    edit <name>
        set type dns
        set port <string>
        set dns-protocol {udp | tcp}
        set dns-request-domain <string>
        set dns-match-ip <class_ip>
    next
end

type                          The monitor type that is used by the health check monitor to check the health of
                              the server.
port <string>                 The service port that is used to perform the health check (0 - 65635, default = 0).
                              If type is set to dns, port is set to 53.
dns-protocol {udp | tcp}      The protocol used by the DNS health check monitor to check the health of the
                              server (default = udp).
dns-request-domain <string>   The fully qualified domain name to resolve for the DNS probe (default =
                              www.example.com).
dns-match-ip <class_ip>       The response IP address expected from the DNS server (default =

Example

In this example, a DNS health check monitor is created and used in a VIP.
The FortiGate sends the DNS request on UDP port 53 to the configured real servers every 30 seconds. If the DNS
response from a real server matches the DNS match IP address, then the real server is marked as Active. Otherwise, it
is marked as Down.

To configure the health check monitor:

1. Create a new DNS health check monitor:

    config firewall ldb-monitor
        edit "dns-monitor-1"
            set type dns
            set interval 30
            set port 53
            set src-ip 172.16.200.10
            set dns-request-domain "pc4.qa.fortinet.com"
            set dns-match-ip 172.16.200.44
        next
    end

2. Apply the monitor to a virtual server:

    config firewall vip
        edit "test-vs-ip-1"
            set type server-load-balance
            set extip 10.1.100.153
            set extintf "wan2"
            set server-type ip
            set monitor "dns-monitor-1"
            set ldb-method round-robin
            config realservers
                edit 1
                    set ip 172.16.200.44
                next
                edit 2
                    set ip 172.16.200.55
                next
            end
        next
    end
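The probe that dns-monitor-1 performs, written out as an added Python example (not FortiOS code): it builds the A query for dns-request-domain, sends it over UDP or TCP to a real server, and reports Active only when an answer equals dns-match-ip; no reply, a timeout, a non-zero RCODE or a mismatching answer all count as Down. The fixed transaction ID, the single-segment TCP read and the constructed reply for pc4.qa.fortinet.com are assumptions made for offline testing.

```python
"""DNS health-check probe modelled on the FortiOS ldb-monitor of type dns.

Added example, not FortiOS code. The real monitor's wire behaviour is not
documented here; this reproduces the decision the page describes: the
request domain must resolve to dns-match-ip, otherwise the server is Down.
"""
import socket
import struct

TXID = 0x1234   # constant transaction id for the probe (assumption)


def build_query(domain, txid=TXID):
    """DNS header (RD set, one question) followed by an A/IN question for domain."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = domain.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)       # QTYPE=A, QCLASS=IN


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_a_records(msg, expected_txid=TXID):
    """A-record IPs in a response, or [] if the message is not a usable answer."""
    try:
        txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
        if txid != expected_txid or not flags & 0x8000 or flags & 0x000F:
            return []                   # wrong id, not a response, or RCODE != 0 (e.g. NXDOMAIN)
        off = 12
        for _ in range(qdcount):
            off = _skip_name(msg, off) + 4
        ips = []
        for _ in range(ancount):
            off = _skip_name(msg, off)
            rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == 1 and rclass == 1 and rdlen == 4:
                ips.append(socket.inet_ntoa(msg[off:off + 4]))
            off += rdlen
        return ips
    except (IndexError, struct.error):
        return []                       # truncated or malformed reply is not a valid answer


def judge(answers, match_ip):
    """The monitor's verdict: Active only if dns-match-ip is among the answers."""
    return "Active" if match_ip in answers else "Down"


def probe(server_ip, request_domain, match_ip, port=53, dns_protocol="udp", timeout=2.0):
    """One probe as the monitor sends it (dns-protocol udp or tcp); returns Active or Down."""
    query = build_query(request_domain)
    sock_type = socket.SOCK_STREAM if dns_protocol == "tcp" else socket.SOCK_DGRAM
    try:
        with socket.socket(socket.AF_INET, sock_type) as s:
            s.settimeout(timeout)
            if dns_protocol == "tcp":
                s.connect((server_ip, port))
                s.sendall(struct.pack("!H", len(query)) + query)   # TCP DNS is length-prefixed
                data = s.recv(4096)[2:]                            # assumes one segment
            else:
                s.sendto(query, (server_ip, port))
                data, _ = s.recvfrom(4096)
    except OSError:
        return "Down"                   # timeout or unreachable server
    return judge(parse_a_records(data), match_ip)


def constructed_response(domain, answer_ip, txid=TXID):
    """Constructed reply, as a healthy real server in the example would answer (offline test)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)     # QR, RD, RA, RCODE 0
    question = build_query(domain, txid)[12:]
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(answer_ip)
    return header + question + answer


if __name__ == "__main__":
    reply = constructed_response("pc4.qa.fortinet.com", "172.16.200.44")
    print(judge(parse_a_records(reply), "172.16.200.44"))   # Active
    # Live probe of real server 172.16.200.44 would be:
    # print(probe("172.16.200.44", "pc4.qa.fortinet.com", "172.16.200.44"))
```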

Carrier-grade NAT

Users can control concurrent TCP/UDP connections through a connection quota in the per-IP shaper, and can control
the port quota in the fixed port range IP pool.

config firewall shaper per-ip-shaper
    edit <name>
        set max-concurrent-tcp-session <integer>
        set max-concurrent-udp-session <integer>
    next
end

max-concurrent-tcp-session <integer>   Maximum number of concurrent TCP sessions allowed by this shaper
                                       (0 - 2097000, 0 = no limit).
max-concurrent-udp-session <integer>   Maximum number of concurrent UDP sessions allowed by this shaper
                                       (0 - 2097000, 0 = no limit).

config firewall ippool
    edit <name>
        set type fixed-port-range
        set port-per-user <integer>
    next
end

port-per-user <integer>   Number of ports for each user (32 - 60416, 0 = default).

To configure a connection quota in the GUI:

1. Go to Policy & Objects > Traffic Shaping, select the Traffic Shapers tab, and click Create New.
2. For Type, select Per IP Shaper.
3. Enable Max concurrent TCP connections and enter a value.
4. Enable Max concurrent UDP connections and enter a value.
5. Configure the other settings as needed.
6. Click OK.

To configure a connection quota in the CLI:

config firewall shaper per-ip-shaper
    edit "per-ip-shaper256kbps"
        set max-bandwidth 256
        set max-concurrent-session 10
        set max-concurrent-tcp-session 5
        set max-concurrent-udp-session 5
    next
end

To configure a port quota in the GUI:

1. Go to Policy & Objects > IP Pools and click Create New.
2. For Type, select Fixed Port Range.
3. Enter the external and internal IP ranges.
4. Enable Ports Per User and enter a value.
5. Configure the other settings as needed.
6. Click OK.

To configure a port quota in the CLI:

config firewall ippool
    edit "test-ippool-fpr-1"
        set type fixed-port-range
        set startip 172.16.200.125
        set endip 172.16.200.125
        set source-startip 10.1.100.41
        set source-endip 10.1.100.42
        set port-per-user 30208
    next
end

To verify the fixed range IP pool:

# diagnose firewall ippool-fixed-range list natip 172.16.200.125
ippool name=test-ippool-fpr-1, ip shared num=2, port num=30208
internal ip=10.1.100.41, nat ip=172.16.200.125, range=5117~35324
internal ip=10.1.100.42, nat ip=172.16.200.125, range=35325~65532

To verify the SNAT behavior when the IP pool is used in a policy:

# diagnose sniffer packet any 'host 172.16.200.55'
Using Original Sniffing Mode
interfaces=[any]
filters=[host 172.16.200.55]
32.204955 wan2 in 10.1.100.42.21001 -> 172.16.200.55.80: syn 797929945
32.205027 wan1 out 172.16.200.125.51209 -> 172.16.200.55.80: syn 797929945
32.205328 wan1 in 172.16.200.55.80 -> 172.16.200.125.51209: syn 4191137758 ack 797929946
32.205568 wan2 out 172.16.200.55.80 -> 10.1.100.42.21001: syn 4191137758 ack 797929946
32.205766 wan2 in 10.1.100.42.21001 -> 172.16.200.55.80: ack 4191137759
32.205770 wan1 out 172.16.200.125.51209 -> 172.16.200.55.80: ack 4191137759
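To check the diagnose listing and the sniffer trace above against the pool settings, here is an added Python example (not FortiOS code). It assumes, from the 5117~65532 span in the diagnose output and the 60416 port-per-user maximum, that each NAT IP carries 60416 ports starting at 5117, handed out as consecutive blocks to internal IPs in ascending order; the sniffer lines it parses are copied from the verification output above.

```python
"""Port-block bookkeeping for a FortiOS fixed-port-range IP pool.

Added example, not FortiOS code. It reproduces the allocation that
'diagnose firewall ippool-fixed-range list' printed for test-ippool-fpr-1
and checks the observed SNAT in the sniffer output against it.
Assumptions inferred from that output rather than documented: the NAT port
space per NAT IP is 5117-65532 (60416 ports, the port-per-user maximum),
blocks are handed out consecutively, and internal IPs are mapped in
ascending order across the NAT IPs.
"""
import ipaddress
import re
from dataclasses import dataclass

PORT_SPACE_START = 5117    # first NAT port in the diagnose output (assumption)
PORT_SPACE_SIZE = 60416    # documented port-per-user maximum, taken as the whole space (assumption)


@dataclass(frozen=True)
class Block:
    internal_ip: str
    nat_ip: str
    port_lo: int
    port_hi: int


def _ipv4_range(start, end):
    first, last = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
    return [str(ipaddress.IPv4Address(a)) for a in range(first, last + 1)]


def allocate(nat_start, nat_end, src_start, src_end, port_per_user):
    """One port block per internal IP; raises if the pool cannot cover every internal IP."""
    if not 32 <= port_per_user <= PORT_SPACE_SIZE:
        raise ValueError("port-per-user must be 32 - 60416")
    users_per_nat_ip = PORT_SPACE_SIZE // port_per_user      # "ip shared num" in the diagnose output
    nat_ips = _ipv4_range(nat_start, nat_end)
    blocks = []
    for idx, src in enumerate(_ipv4_range(src_start, src_end)):
        nat_idx, slot = divmod(idx, users_per_nat_ip)
        if nat_idx >= len(nat_ips):
            raise ValueError(f"pool exhausted: no NAT IP/port block for {src}")
        lo = PORT_SPACE_START + slot * port_per_user
        blocks.append(Block(src, nat_ips[nat_idx], lo, lo + port_per_user - 1))
    return blocks


SNIFFER_RE = re.compile(
    r"^\s*[\d.]+ (?P<intf>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<tail>.*)$"
)


def snat_pairs(sniffer_lines):
    """Pair each 'in' packet with the next 'out' packet of the same flow.

    Returns (internal_ip, nat_ip, nat_port) for every pair, i.e. the SNAT the FortiGate applied.
    """
    pairs, pending = [], None
    for line in sniffer_lines:
        m = SNIFFER_RE.match(line)
        if not m:
            continue
        if m["dir"] == "in":
            pending = m
        elif pending and (m["dst"], m["dport"], m["tail"]) == (pending["dst"], pending["dport"], pending["tail"]):
            pairs.append((pending["src"], m["src"], int(m["sport"])))
            pending = None
    return pairs


def check_translation(blocks, internal_ip, nat_ip, nat_port):
    """True if an observed SNAT lands inside the block assigned to that internal IP."""
    for b in blocks:
        if b.internal_ip == internal_ip:
            return b.nat_ip == nat_ip and b.port_lo <= nat_port <= b.port_hi
    return False


# The SYN pair from the page's sniffer output (client side "in", NAT side "out").
SAMPLE_SNIFFER = [
    "32.204955 wan2 in 10.1.100.42.21001 -> 172.16.200.55.80: syn 797929945",
    "32.205027 wan1 out 172.16.200.125.51209 -> 172.16.200.55.80: syn 797929945",
]

if __name__ == "__main__":
    blocks = allocate("172.16.200.125", "172.16.200.125", "10.1.100.41", "10.1.100.42", 30208)
    for b in blocks:
        print(f"internal ip={b.internal_ip}, nat ip={b.nat_ip}, range={b.port_lo}~{b.port_hi}")
    for internal, nat, port in snat_pairs(SAMPLE_SNIFFER):
        ok = check_translation(blocks, internal, nat, port)
        print(f"{internal} -> {nat}:{port}", "inside assigned block" if ok else "OUTSIDE assigned block")
```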

Allow multiple virtual wire pairs in a virtual wire pair policy

This enhancement allows users to create a virtual wire pair policy that includes different virtual wire pairs (VWPs),
which reduces the overhead of creating multiple similar policies, one for each VWP. This feature is supported in NGFW
profile and policy mode. In NGFW policy mode, multiple VWPs can be configured in a Security Virtual Wire Pair Policy
and a Virtual Wire Pair SSL Inspection & Authentication policy.
The VWP settings must have wildcard VLAN enabled. When configuring a policy in the CLI, the VWP members must be
entered in srcintf and dstintf as pairs.
On the Firewall Virtual Wire Pair Policy, Security Virtual Wire Pair Policy, and Virtual Wire Pair SSL Inspection &
Authentication pages, there is a dropdown option to view policies with an individual VWP or all VWPs.
If All VWPs is selected, the Interface Pair View is disabled. The list displays all policies with an individual VWP or multiple
VWPs.


If an individual VWP is selected, the Interface Pair View is disabled if at least one policy has other VWP members. The
list displays all policies with the selected VWP (the policy may have members of other VWPs).

To configure multiple VWPs in a policy in the GUI:

1. Configure the VWPs:
a. Go to Network > Interfaces and click Create New > Virtual Wire Pair.
b. Create a pair with the following settings:

Name test-vwp-1

Interface members wan1, wan2

Wildcard VLAN Enable

c. Click OK.
d. Click Create New > Virtual Wire Pair and create another pair with the following settings:

Name test-vwp-2

Interface members port19, port20

Wildcard VLAN Enable

e. Click OK.
2. Configure the policy:
a. Go to Policy & Objects > Firewall Virtual Wire Pair Policy and click Create New.
b. In the Virtual Wire Pair field, click the + to add test-vwp-1 and test-vwp-2. Arrow buttons appear below the
entries to set the direction for each of the selected virtual wire pairs.
c. Configure the other settings as needed.
d. Click OK.

To configure multiple VWPs in a policy in the CLI:

1. Configure the VWPs:

    config system virtual-wire-pair
        edit "test-vwp-1"
            set member "wan1" "wan2"
            set wildcard-vlan enable
        next
        edit "test-vwp-2"
            set member "port19" "port20"
            set wildcard-vlan enable
        next
    end

2. Configure the policy:

    config firewall policy
        edit 1
            set name "vwp1&2-policy"
            set srcintf "port19" "wan1"
            set dstintf "port20" "wan2"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set logtraffic all
        next
    end


Simplify NAT46 and NAT64 policy and routing configurations - 7.0.1

Multiple NAT46 and NAT64 related objects are consolidated into regular objects. A new per-VDOM virtual interface,
naf.<vdom>, is automatically added to process NAT46/NAT64 traffic. The new changes and additions include:
l Consolidate vip46 and vip64 setting into vip and vip6 configurations.
l Consolidate policy46 and policy64 settings into firewall policy settings.
l Introduce nat46/nat64 in firewall policy settings.
l Extend ippool and ippool6 to support NAT46 and NAT64 (when enabled, the IP pool should match a subnet).
l Extend central SNAT to support NAT46 and NAT64.
l Remove firewall vip46/vip64, vipgrp46/vipgrp64, and policy46/policy64 settings and GUI pages.
l Rename system.nat64 to system.dns64.
l Add option for add-nat46-route in ippool6 and add-nat64-route in ippool, which are enabled by default.
The FortiGate will generate a static route that matches the IP range in ippool6 or ippool for the naf tunnel
interface.

Automatic processing of the naf tunnel interface is not supported in security policies.

To configure NAT46/NAT64 translation, use the standard vip/vip6 setting, apply it in a firewall policy, enable
NAT46/NAT64, and enter the IP pool to complete the configuration.

The external IP address cannot be the same as the external interface IP address.

Examples

IPv6 must be enabled to configure these examples. In the GUI, go to System > Feature Visibility and enable IPv6. In
the CLI, enter the following:

config system global
    set gui-ipv6 enable
end

NAT46 policy

In this example, a client PC is using IPv4 and an IPv4 VIP to access a server that is using IPv6. The FortiGate uses
NAT46 to translate the request from IPv4 to IPv6 using the virtual interface naf.root. An ippool6 is applied so that the
request is SNATed to the ippool6 address (2000:172:16:101::1 - 2000:172:16:101::1).


To create a NAT46 policy in the GUI:

1. Configure the VIP:
a. Go to Policy & Objects > Virtual IPs and click Create New > VIP.
b. Enter the following:

VIP type IPv4

Name test-vip46-1

Interface To_vlan20

Type Static NAT

External IP address/range 10.1.100.150

Map to IPv6 address/range 2000:172:16:200::156

c. Click OK.
2. Configure the IPv6 pool:
a. Go to Policy & Objects > IP Pools and click Create New.
b. Enter the following:

IP Pool Type IPv6 Pool

Name test-ippool6-1


External IP address/range 2000:172:16:101::1-2000:172:16:101::1

NAT46 Enable

c. Click OK.
3. Configure the firewall policy:
a. Go to Policy & Objects > Firewall Policy and click Create New or edit an existing policy.
b. Enter the following:

Name policy46-1

Incoming Interface To_vlan20

Outgoing Interface To_vlan30

Source all

Destination test-vip46-1

Schedule always

Service ALL

Action ACCEPT

NAT NAT46

IP Pool Configuration test-ippool6-1


c. Configure the other settings as needed.

d. Click OK.

To create a NAT46 policy in the CLI:

1. Configure the VIP:

    config firewall vip
        edit "test-vip46-1"
            set extip 10.1.100.150
            set nat44 disable
            set nat46 enable
            set extintf "port24"
            set arp-reply enable
            set ipv6-mappedip 2000:172:16:200::156
        next
    end

2. Configure the IPv6 pool:

    config firewall ippool6
        edit "test-ippool6-1"
            set startip 2000:172:16:101::1
            set endip 2000:172:16:101::1
            set nat46 enable
            set add-nat46-route enable
        next
    end

3. Configure the firewall policy:

    config firewall policy
        edit 2
            set name "policy46-1"
            set srcintf "port24"
            set dstintf "port17"
            set action accept
            set nat46 enable
            set srcaddr "all"
            set dstaddr "test-vip46-1"
            set srcaddr6 "all"
            set dstaddr6 "all"
            set schedule "always"
            set service "ALL"
            set logtraffic all
            set auto-asic-offload disable
            set ippool enable
            set poolname6 "test-ippool6-1"
        next
    end

To verify the traffic and session tables:

1. Verify the traffic by the sniffer packets:

    (root) # diagnose sniffer packet any 'icmp or icmp6' 4
    interfaces=[any]
    filters=[icmp or icmp6]
    2.593302 port24 in 10.1.100.41 -> 10.1.100.150: icmp: echo request
    2.593344 naf.root out 10.1.100.41 -> 10.1.100.150: icmp: echo request
    2.593347 naf.root in 2000:172:16:101::1 -> 2000:172:16:200::156: icmp6: echo request seq 1
    2.593383 port17 out 2000:172:16:101::1 -> 2000:172:16:200::156: icmp6: echo request seq 1
    2.593772 port17 in 2000:172:16:200::156 -> 2000:172:16:101::1: icmp6: echo reply seq 1
    2.593788 naf.root out 2000:172:16:200::156 -> 2000:172:16:101::1: icmp6: echo reply seq 1
    2.593790 naf.root in 10.1.100.150 -> 10.1.100.41: icmp: echo reply
    2.593804 port24 out 10.1.100.150 -> 10.1.100.41: icmp: echo reply
    11 packets received by filter
    0 packets dropped by kernel

2. Verify the session tables for IPv4 and IPv6:

    (root) # diagnose sys session list
    session info: proto=1 proto_state=00 duration=2 expire=59 timeout=0 flags=00000000
    socktype=0 sockport=0 av_idx=0 use=3
    origin-shaper=
    reply-shaper=
    per_ip_shaper=
    class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
    state=log may_dirty f00 netflow-origin netflow-reply
    statistic(bytes/packets/allow_err): org=252/3/1 reply=252/3/1 tuples=2
    tx speed(Bps/kbps): 106/0 rx speed(Bps/kbps): 106/0
    orgin->sink: org pre->post, reply pre->post dev=24->53/53->24
    gwy=10.1.100.150/10.1.100.41
    hook=pre dir=org act=noop 10.1.100.41:29388->10.1.100.150:8(0.0.0.0:0)
    hook=post dir=reply act=noop 10.1.100.150:29388->10.1.100.41:0(0.0.0.0:0)
    peer=2000:172:16:101::1:29388->2000:172:16:200::156:128 naf=1
    hook=pre dir=org act=noop 2000:172:16:101::1:29388->2000:172:16:200::156:128(:::0)
    hook=post dir=reply act=noop 2000:172:16:200::156:29388->2000:172:16:101::1:129(:::0)
    misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0
    serial=00012b77 tos=ff/ff app_list=0 app=0 url_cat=0
    sdwan_mbr_seq=0 sdwan_service_id=0
    rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=n/a
    npu_state=0x040001 no_offload
    no_ofld_reason: disabled-by-policy non-npu-intf
    total session 1

    (root) # diagnose sys session6 list
    session6 info: proto=58 proto_state=00 duration=5 expire=56 timeout=0 flags=00000000
    sockport=0 socktype=0 use=3
    origin-shaper=
    reply-shaper=
    per_ip_shaper=
    class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
    state=log may_dirty
    statistic(bytes/packets/allow_err): org=312/3/0 reply=312/3/0 tuples=2
    tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
    orgin->sink: org pre->post, reply pre->post dev=53->17/17->53
    hook=pre dir=org act=noop 2000:172:16:101::1:29388->2000:172:16:200::156:128(:::0)
    hook=post dir=reply act=noop 2000:172:16:200::156:29388->2000:172:16:101::1:129(:::0)
    peer=10.1.100.150:29388->10.1.100.41:0 naf=2
    hook=pre dir=org act=noop 10.1.100.41:29388->10.1.100.150:8(0.0.0.0:0)
    hook=post dir=reply act=noop 10.1.100.150:29388->10.1.100.41:0(0.0.0.0:0)
    misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0
    serial=00001bbc tos=ff/ff ips_view=1024 app_list=0 app=0 url_cat=0
    rpdb_link_id = 00000000 ngfwid=n/a
    npu_state=0x000001 no_offload
    no_ofld_reason: disabled-by-policy
    total session 1

The IPv4 session is between the incoming physical interface port24 and naf.root. The IPv6 session is between the
naf.root and the outgoing physical interface port17.

NAT64 policy

In this example, a client PC is using IPv6 and an IPv6 VIP to access a server that is using IPv4. The FortiGate uses
NAT64 to translate the request from IPv6 to IPv4 using the virtual interface naf.root. An ippool is applied so that the
request is SNATed to the ippool address (172.16.101.2 - 172.16.101.3).
An embedded VIP64 object is used in this configuration so a specific IPv4 mapped IP does not need to be set. The lower
32 bits of the external IPv6 address are used to map to the IPv4 address. Only an IPv6 prefix is defined. In this example,
the IPv6 prefix is 2001:10:1:100::, so the IPv6 address 2001:10:1:100::ac10:c89c will be translated to 172.16.200.156.


To create a NAT64 policy in the GUI:

1. Configure the VIP:
a. Go to Policy & Objects > Virtual IPs and click Create New > VIP.
b. Enter the following:

VIP type IPv6

Name test-vip64-1

External IP address/range 2000:10:1:100::150

Map to IPv4 address/range Specify: 172.16.200.156

c. Click OK.
2. Configure the VIP with the embedded IPv4 address enabled:
a. Go to Policy & Objects > Virtual IPs and click Create New > VIP.
b. Enter the following:

VIP type IPv6

Name test-vip64-2

External IP address/range 2001:10:1:100::-2001:10:1:100::ffff:ffff

Map to IPv4 address/range Use Embedded


c. Click OK.
3. Configure the IP pool:
a. Go to Policy & Objects > IP Pools and click Create New.
b. Enter the following:

IP Pool Type IPv4 Pool

Name test-ippool4-1

Type Overload

External IP address/range 172.16.101.2-172.16.101.3

NAT64 Enable

c. Click OK.
4. Configure the firewall policy:
a. Go to Policy & Objects > Firewall Policy and click Create New or edit an existing policy.
b. Enter the following:

Name policy64-1

Incoming Interface To_vlan20

Outgoing Interface To_vlan30

Source all

Destination test-vip64-1
test-vip64-2


Schedule always

Service ALL

Action ACCEPT

NAT NAT64

IP Pool Configuration test-ippool4-1

c. Configure the other settings as needed.

d. Click OK.

To create a NAT64 policy in the CLI:

1. Configure the VIP:

    config firewall vip6
        edit "test-vip64-1"
            set extip 2000:10:1:100::150
            set nat66 disable
            set nat64 enable
            set ipv4-mappedip 172.16.200.156
        next
    end

2. Configure the VIP with the embedded IPv4 address enabled:

    config firewall vip6
        edit "test-vip64-2"
            set extip 2001:10:1:100::-2001:10:1:100::ffff:ffff
            set nat66 disable
            set nat64 enable
            set embedded-ipv4-address enable
        next
    end

3. Configure the IP pool:

    config firewall ippool
        edit "test-ippool4-1"
            set startip 172.16.101.2
            set endip 172.16.101.3
            set nat64 enable
            set add-nat64-route enable
        next
    end

4. Configure the firewall policy:

    config firewall policy
        edit 1
            set name "policy64-1"
            set srcintf "port24"
            set dstintf "port17"
            set action accept
            set nat64 enable
            set srcaddr "all"
            set dstaddr "all"
            set srcaddr6 "all"
            set dstaddr6 "test-vip64-1" "test-vip64-2"
            set schedule "always"
            set service "ALL"
            set logtraffic all
            set auto-asic-offload disable
            set ippool enable
            set poolname "test-ippool4-1"
        next
    end

To verify the traffic and session tables:

1. Verify the VIP64 traffic by the sniffer packets:

    (root) # diagnose sniffer packet any 'icmp or icmp6' 4
    interfaces=[any]
    filters=[icmp or icmp6]
    20.578417 port24 in 2000:10:1:100::41 -> 2000:10:1:100::150: icmp6: echo request seq 1
    20.578495 naf.root out 2000:10:1:100::41 -> 2000:10:1:100::150: icmp6: echo request seq 1
    20.578497 naf.root in 172.16.101.2 -> 172.16.200.156: icmp: echo request
    20.578854 port17 out 172.16.101.2 -> 172.16.200.156: icmp: echo request
    20.579083 port17 in 172.16.200.156 -> 172.16.101.2: icmp: echo reply
    20.579093 naf.root out 172.16.200.156 -> 172.16.101.2: icmp: echo reply
    20.579095 naf.root in 2000:10:1:100::150 -> 2000:10:1:100::41: icmp6: echo reply seq 1
    20.579377 port24 out 2000:10:1:100::150 -> 2000:10:1:100::41: icmp6: echo reply seq 1
    11 packets received by filter
    0 packets dropped by kernel


2. Verify the session tables for IPv6 and IPv4:

    (root) # diagnose sys session6 list
session6 info: proto=58 proto_state=00 duration=5 expire=56 timeout=0 flags=00000000
sockport=0 socktype=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
state=log may_dirty
statistic(bytes/packets/allow_err): org=312/3/0 reply=312/3/0 tuples=2
tx speed(Bps/kbps): 55/0 rx speed(Bps/kbps): 55/0
orgin->sink: org pre->post, reply pre->post dev=24->53/53->24
hook=pre dir=org act=noop 2000:10:1:100::41:29949->2000:10:1:100::150:128(:::0)
hook=post dir=reply act=noop 2000:10:1:100::150:29949->2000:10:1:100::41:129(:::0)
peer=172.16.101.2:45392->172.16.200.156:8 naf=1
hook=pre dir=org act=noop 172.16.101.2:45392->172.16.200.156:8(0.0.0.0:0)
hook=post dir=reply act=noop 172.16.200.156:45392->172.16.101.2:0(0.0.0.0:0)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
serial=000021ec tos=ff/ff ips_view=1024 app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000 ngfwid=n/a
npu_state=0x040001 no_offload
no_ofld_reason: disabled-by-policy non-npu-intf
total session 1
(root) # diagnose sys session list
session info: proto=1 proto_state=00 duration=7 expire=54 timeout=0 flags=00000000
socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty f00
statistic(bytes/packets/allow_err): org=252/3/1 reply=252/3/1 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=53->17/17->53
gwy=172.16.200.156/172.16.101.2
hook=pre dir=org act=noop 172.16.101.2:45392->172.16.200.156:8(0.0.0.0:0)
hook=post dir=reply act=noop 172.16.200.156:45392->172.16.101.2:0(0.0.0.0:0)
peer=2000:10:1:100::150:29949->2000:10:1:100::41:129 naf=2
hook=pre dir=org act=noop 2000:10:1:100::41:29949->2000:10:1:100::150:128(:::0)
hook=post dir=reply act=noop 2000:10:1:100::150:29949->2000:10:1:100::41:129(:::0)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
serial=0001347f tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=0 sdwan_service_id=0
rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=n/a
npu_state=0x000001 no_offload
no_ofld_reason: disabled-by-policy
total session 1

The IPv6 session is between the incoming physical interface port24 and naf.root. The IPv4 session is between the
naf.root and the outgoing physical interface port17.
3. Verify the embedded VIP64 traffic by the sniffer packets:

    (root) # diagnose sniffer packet any 'icmp or icmp6' 4
    interfaces=[any]
    filters=[icmp or icmp6]
    7.696010 port24 in 2000:10:1:100::41 -> 2001:10:1:100::ac10:c89c: icmp6: echo request seq 1
    7.696057 naf.root out 2000:10:1:100::41 -> 2001:10:1:100::ac10:c89c: icmp6: echo request seq 1
    7.696060 naf.root in 172.16.101.2 -> 172.16.200.156: icmp: echo request
    7.696544 port17 out 172.16.101.2 -> 172.16.200.156: icmp: echo request
    7.696821 port17 in 172.16.200.156 -> 172.16.101.2: icmp: echo reply
    7.696839 naf.root out 172.16.200.156 -> 172.16.101.2: icmp: echo reply
    7.696841 naf.root in 2001:10:1:100::ac10:c89c -> 2000:10:1:100::41: icmp6: echo reply seq 1
    7.697167 port24 out 2001:10:1:100::ac10:c89c -> 2000:10:1:100::41: icmp6: echo reply seq 1
    11 packets received by filter
    0 packets dropped by kernel
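The destination lookup that policy64-1 performs with its two VIP6 objects, as an added Python example (not FortiOS code): the static mapping of test-vip64-1 and the low-32-bit extraction of test-vip64-2, plus the reverse operation that builds the client-side IPv6 address for a given IPv4 server. The out-of-range address 2001:10:1:100::1:0:0 is a constructed input used to show a destination the VIP does not cover.

```python
"""Destination mapping for the NAT64 example (added example, not FortiOS code).

test-vip64-1 maps one external IPv6 address statically to ipv4-mappedip.
test-vip64-2 (embedded-ipv4-address enable) covers the inclusive range
2001:10:1:100::-2001:10:1:100::ffff:ffff and takes the IPv4 server address
from the low 32 bits of the IPv6 destination, so 2001:10:1:100::ac10:c89c
becomes 172.16.200.156 without a per-server VIP.
"""
import ipaddress

IPv6 = ipaddress.IPv6Address
IPv4 = ipaddress.IPv4Address
LOW32 = 0xFFFFFFFF

# Static VIP64 (test-vip64-1): extip -> ipv4-mappedip
STATIC_VIP64 = {IPv6("2000:10:1:100::150"): IPv4("172.16.200.156")}

# Embedded VIP64 (test-vip64-2): inclusive extip range
EMBEDDED_VIP64_RANGE = (IPv6("2001:10:1:100::"), IPv6("2001:10:1:100::ffff:ffff"))


def embedded_ipv4(dst6, vip_range=EMBEDDED_VIP64_RANGE):
    """IPv4 address carried in the low 32 bits of dst6, or None if dst6 is outside the VIP range."""
    addr = IPv6(dst6)
    lo, hi = vip_range
    if not lo <= addr <= hi:
        return None
    return str(IPv4(int(addr) & LOW32))


def embed_ipv4(prefix6, ipv4):
    """Client-side IPv6 address that the embedded VIP translates to ipv4 (the reverse direction)."""
    base = int(IPv6(prefix6)) & ~LOW32      # Python ints are unbounded, so this clears only the low 32 bits
    return str(IPv6(base | int(IPv4(ipv4))))


def translate_dst(dst6):
    """Resolve a destination the way policy64-1's dstaddr6 list does: static VIP first, then embedded."""
    addr = IPv6(dst6)
    if addr in STATIC_VIP64:
        return str(STATIC_VIP64[addr])
    return embedded_ipv4(dst6)


if __name__ == "__main__":
    # Destinations from the two sniffer traces, plus a constructed address outside the VIP range.
    for dst in ("2000:10:1:100::150", "2001:10:1:100::ac10:c89c", "2001:10:1:100::1:0:0"):
        print(dst, "->", translate_dst(dst))
    print("172.16.200.156 is reached via", embed_ipv4("2001:10:1:100::", "172.16.200.156"))
```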

Cisco Security Group Tag as policy matching criteria - 7.0.1

The FortiGate can read the Cisco Security Group Tag (SGT) in Ethernet frames and use it as matching criteria in
firewall policies. A policy can match on the presence of any SGT, or on one or more specific SGT IDs.
When a packet with an SGT passes through and a session is established, the ext_header_type=0xc5:0xc5 flag is
included in the session table.
This feature is available in flow mode policies for virtual wire pair policies or policies in transparent mode VDOMs.

To configure a firewall policy to detect SGTs in Ethernet frames:

config firewall policy
    edit 1
        set sgt-check {enable | disable}
        set sgt <ID numbers>
    next
end

Examples

In these examples, port2 and port5 are in a virtual wire pair. Firewall policies are created that pass traffic with SGTs with
a specific ID number, any ID number, or either of two specific ID numbers.

To configure the virtual wire pair:

config system virtual-wire-pair
    edit "test-vwp-1"
        set member "port5" "port2"
        set wildcard-vlan enable
    next
end

To configure a firewall policy to match frames that have an SGT with ID 20 and allow them through:

config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "port5"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set sgt-check enable
        set sgt 20
    next
end

To configure a firewall policy to match frames that have an SGT with any ID:

config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "port5"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set sgt-check enable
    next
end

To configure a firewall policy to match frames that have the SGT with IDs 20 or 21:

config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "port5"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set sgt-check enable
        set sgt 20 21
    next
end

To check the session list:

# diagnose sys session list
session info: proto=6 proto_state=01 duration=10 expire=3593 timeout=3600 flags=00000000
socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
state=log may_dirty br dst-vis f00
statistic(bytes/packets/allow_err): org=112/2/1 reply=60/1/1 tuples=2
tx speed(Bps/kbps): 10/0 rx speed(Bps/kbps): 5/0
orgin->sink: org pre->post, reply pre->post dev=13->10/10->13 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=noop 10.1.1.11:36970->10.1.2.11:80(0.0.0.0:0)
hook=post dir=reply act=noop 10.1.2.11:80->10.1.1.11:36970(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
dst_mac=00:b0:e1:22:cf:e4
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=1
serial=0000183c tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=0 sdwan_service_id=0
rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=n/a
npu_state=0x000001 no_offload
no_ofld_reason: disabled-by-policy
ext_header_type=0xc5:0xc5
total session 1

Objects

This section includes information about object related new features:
l Record central NAT and DNAT hit count on page 499
l MAC address wildcard in firewall address on page 500
l Allow VIPs to be enabled or disabled in central NAT mode 7.0.1 on page 501

Record central NAT and DNAT hit count

Daily hit counts for central NAT and DNAT can be displayed in the CLI for IPv4 and IPv6.

To view the central SNAT counter:

# diagnose firewall iprope show 10000d <id>
# diagnose firewall iprope6 show 10000d <id>

To view the DNAT counter:

# diagnose firewall iprope show 100000 <id>
# diagnose firewall iprope6 show 100000 <id>

To clear the counters:

# diagnose firewall iprope clear 10000d <id>
# diagnose firewall iprope clear 100000 <id>
# diagnose firewall iprope6 clear 10000d <id>
