Technical Tip: How to configure ZTNA in FortiGate for SMB server access with ZTNA Tags
Description
This article describes how to configure ZTNA in FortiGate for SMB server access.
Scope
FortiGate, FortiClient EMS, FortiClient.
Solution
FortiGate does not expose the SMB server directly. Its ZTNA access proxy terminates the connection from FortiClient, checks the endpoint's EMS-issued client certificate and ZTNA tags, and TCP-forwards the session to the SMB server. Only users or devices that carry the required (compliant) tags are allowed through.
To reach the SMB server through FortiClient, end users do not need to connect to a remote access VPN. Their FortiClient must, however, be registered to FortiClient EMS (telemetry connected), because EMS issues the client certificate and the ZTNA tags that FortiGate evaluates.
- Configure a ZTNA server by navigating to Policy & Objects -> ZTNA (ZTNA Servers).
- As with a VIP, the ZTNA server listens on the external (client-facing) interface on an external IP and port, and maps to the internal SMB server on port 445 using the TCP forwarding service.


- Configure a firewall policy with the policy type set to ZTNA (a ZTNA rule). Select the ZTNA server configured above for ZTNA translation, and select the ZTNA tags for which access should be allowed. Endpoints that do not carry at least one of the selected tags are denied.

- Configure the ZTNA destination in FortiClient EMS: the destination host is the SMB server (hostname or IP, port 445) and the proxy gateway is the FortiGate ZTNA server (external IP and port). This configuration is pushed to all endpoints in the assigned profile through a telemetry update.


- Once FortiClient receives the ZTNA destination, users can map the SMB share without connecting to VPN (for example \\<smb-server>\<share>, where <smb-server> must match the destination host configured in EMS). FortiClient intercepts the connection to that destination and tunnels it to the FortiGate ZTNA access proxy, which forwards it to the SMB server.


- Verify that the SMB service is running on the server and that the share and NTFS permissions allow the users in question to access the shared folders. ZTNA only controls who reaches port 445; it does not replace the server-side permissions.


- Verify the ZTNA traffic logs (Log & Report -> ZTNA Traffic) to confirm that the SMB session matches the intended ZTNA rule and that the expected ZTNA tag was evaluated.
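The CLI equivalent of the FortiGate side of the steps above, as an added example that is not part of the original article. Interface name (port1), addresses (203.0.113.10, 192.168.1.20), object names, the listening port 8443 and the EMS tag name EMS1_ZTNA_Compliant are assumptions; replace them with your own values. The tag object itself is created by FortiGate when the tag is synchronized from EMS, so it is not configured by hand.

```fortios
# Address object for the internal SMB server (assumed IP).
config firewall address
    edit "SMB-Server"
        set subnet 192.168.1.20 255.255.255.255
    next
end

# ZTNA server: a VIP of type access-proxy on the external interface.
# FortiClient connects here (assumed port1, 203.0.113.10:8443).
config firewall vip
    edit "ZTNA-SMB-VIP"
        set type access-proxy
        set extip 203.0.113.10
        set extintf "port1"
        set server-type https
        set extport 8443
        set ssl-certificate "Fortinet_Factory"
    next
end

# Access proxy: TCP-forward the tunnelled session to SMB-Server:445.
# client-cert enable requires the EMS-issued device certificate.
config firewall access-proxy
    edit "ZTNA-SMB"
        set vip "ZTNA-SMB-VIP"
        set client-cert enable
        config api-gateway
            edit 1
                set url-map "/tcp"
                set service tcp-forwarding
                config realservers
                    edit 1
                        set address "SMB-Server"
                        set mappedport 445
                    next
                end
            next
        end
    next
end

# ZTNA rule (proxy policy): only endpoints carrying the assumed
# EMS tag EMS1_ZTNA_Compliant may reach the SMB server.
config firewall proxy-policy
    edit 1
        set name "ZTNA-SMB-Access"
        set proxy access-proxy
        set access-proxy "ZTNA-SMB"
        set srcintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set ztna-ems-tag "EMS1_ZTNA_Compliant"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end

# Verification on the FortiGate:
#   endpoints registered via EMS and the ZTNA tags attached to each
diagnose endpoint record list
#   resolved members of the dynamic (EMS tag) address objects
diagnose firewall dynamic list
```

On the EMS side the matching ZTNA destination points at the SMB server (for example smb.example.com:445, an assumed name) with 203.0.113.10:8443 as the proxy gateway. The user then maps \\smb.example.com\<share> as usual; if the endpoint loses the tag, the proxy policy no longer matches and the session is denied, which is visible in the ZTNA traffic log.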

