Technical Tip: Manage FortiGate’s internal services via ZTNA access proxy
Description | This article describes how to manage FortiGate’s internal service (over HTTPS) using a ZTNA Access Proxy. |
Scope | FortiOS starting v7.0.6 GA. |
Solution | Starting in v7.0.6, there is a behavior change in FortiOS. See this article: Technical Tip: Unable to manage FortiGate via ZTNA Access Proxy after firmware upgrade to 7.0.6 or higher. That article does not describe the option that became available starting in version 7.0.6. There is an option to access FortiGate's internal services through ZTNA, but it requires meeting several conditions.

Note: Internal services via ZTNA have not been available while testing the 7.2.X branch. There have not been any issues in the 7.4 and 7.6 releases.

In the example below, a remote admin account is used to access FortiGate's HTTPS administrative interface on a loopback interface (192.168.255.1) via the ZTNA server.

The first screen displays the interface settings. The WAN interface has HTTPS disabled, whereas the loopback interface has it enabled (screenshot: interface settings).

Step 1: ZTNA server settings (screenshot: ZTNA server).

Step 2: Simple ZTNA policy: go to GUI -> Policy & Objects -> Firewall Policy -> select the 'Create' button (screenshot: firewall policy).

Note: ZTNA tags for FortiGate's internal service are not supported and may return the error 'ERR_SSL_PROTOCOL_ERROR' when applied to the simple ZTNA policy.

As a result, the firewall redirects a client connected to the FortiClient EMS server to the ZTNA destination address (screenshot: connected client), while requests from disconnected clients are denied (screenshot: denied request).

Important Notes: Due to security considerations, this function will not work anymore on the latest version. ZTNA Access Proxy cannot be used to access FortiGate internal services directly.
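Added example, not from the original article: the CLI form of the interface settings and ZTNA server that the screenshots above show, so the two conditions (HTTPS closed on the WAN, open only on the loopback) can be checked in a backup or via 'show'. Assumed values: port1 is the WAN interface, 203.0.113.10 is a documentation placeholder for the VIP external IP, 8443 is the external port, and the object name ztna-fgt-mgmt is invented.

```text
# Added example (not from the article). Assumed: port1 = WAN,
# 203.0.113.10 = placeholder VIP external IP, 8443 = external port.
config system interface
    edit "port1"
        # WAN keeps HTTPS management closed; only ping is allowed.
        set allowaccess ping
    next
    edit "loopback"
        set vdom "root"
        set type loopback
        set ip 192.168.255.1 255.255.255.255
        # Only the loopback exposes the HTTPS admin interface.
        set allowaccess ping https
    next
end

# ZTNA server = a VIP of type access-proxy plus the access-proxy object.
config firewall vip
    edit "ztna-fgt-mgmt"
        set type access-proxy
        set extip 203.0.113.10
        set extintf "port1"
        set server-type https
        set extport 8443
        set ssl-certificate "Fortinet_Factory"
    next
end

config firewall access-proxy
    edit "ztna-fgt-mgmt"
        set vip "ztna-fgt-mgmt"
        # Require the FortiClient-issued client certificate (EMS-connected clients only).
        set client-cert enable
        config api-gateway
            edit 1
                set url-map "/"
                set service https
                config realservers
                    edit 1
                        # Real server is the loopback admin interface.
                        set ip 192.168.255.1
                        set port 443
                    next
                end
            next
        end
    next
end
```

The policy from Step 2 is created in the GUI as the article shows and is not repeated here.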
|