Description | This article describes how to create a ZTNA profile in FortiADC. |
Scope | EMS, FortiClient, FortiADC. |
Solution |
This article describes how to configure a Security Fabric connection and how to create a ZTNA security profile on FortiADC.
Security Fabric connection between EMS and FortiADC:
Navigate to FortiADC -> Security Fabric -> Fabric Connectors -> Core Network Security -> FortiClient EMS. Enter the EMS IP address and port and select Save.
Creating a ZTNA profile on FortiADC:
Navigate to FortiADC -> Network Security -> ZTNA. Once the Security Fabric connection to EMS is established, the ZTNA tags defined on EMS appear under the ZTNA Tags tab; if the tab is empty, fix the Fabric connection before continuing. Select the ZTNA Profile tab and select Create New. After entering a name for the profile, the Create New button becomes active.
Implementing the ZTNA profile on a Virtual Server:
To apply a ZTNA profile to a virtual server, the virtual server must use a TCPS or HTTPS profile (for the defaults, use 'LB_PROF_TCPS' or 'LB_PROF_HTTPS'). FortiADC needs to terminate TLS so that it can request and verify the FortiClient client certificate; a plain TCP or HTTP profile cannot do this.
Either create a new Client Certificate Verify profile directly from the Virtual Server profile, or navigate to FortiADC -> System -> Verify -> Create New. In the profile, select the CA certificate whose name is the EMS serial number.
After creating and saving the Client Certificate Verify profile, assign it to the virtual server: navigate to Server Load Balance -> Virtual Server, highlight the virtual server and select Edit -> General -> Client SSL Profile -> Create New. Give the new Client SSL profile a name and select the Client Certificate Verify profile created earlier.
Assigning a ZTNA Security Profile to a Virtual Server:
Navigate to FortiADC -> Server Load Balance -> Virtual Server, highlight the virtual server and select Edit -> Security, then select the ZTNA Security Profile from the drop-down menu.
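A quick way to confirm from an endpoint that the virtual server now enforces the client certificate check is to capture the TLS handshake with openssl s_client and look for the CertificateRequest the FortiADC sends: its "Acceptable client certificate CA names" list should contain the EMS CA, i.e. a CN equal to the EMS serial number. The script below is an added example and is not part of this article or of any Fortinet tool; the VIP address 203.0.113.10, port 443 and the serial FCTEMS0000000000 are placeholder assumptions, and the sample handshake text used for the offline check is constructed.

```shell
#!/bin/sh
# Added example (not from the FortiADC article): verify from a client that a
# ZTNA virtual server requests a client certificate issued by the EMS CA.
# VIP, port and EMS serial number below are assumptions for illustration.

# Print the CA subjects that follow "Acceptable client certificate CA names"
# in openssl s_client output read on stdin. openssl lists one DN per line;
# the list ends at the first line without an "=" (e.g. "Requested Signature
# Algorithms: ..."). If the server sent an empty list, nothing is printed.
extract_client_ca_names() {
    awk '
        /^No client certificate CA names sent/ { exit }
        /^Acceptable client certificate CA names/ { in_list = 1; next }
        in_list && !/=/ { exit }
        in_list { print }
    '
}

# Classify a captured s_client transcript ($1) against an EMS serial ($2).
# Prints and returns:
#   ok             (0) - CertificateRequest seen and EMS CA is an acceptable issuer
#   wrong-ca       (1) - client auth requested, but the EMS CA is not in the list
#   no-client-auth (2) - no CertificateRequest at all: the Client SSL profile
#                        on the virtual server is not enforcing the verify profile
classify_handshake() {
    file="$1"; serial="$2"
    if ! grep -q -E '^(Acceptable client certificate CA names|No client certificate CA names sent)' "$file"; then
        echo "no-client-auth"; return 2
    fi
    if extract_client_ca_names < "$file" | grep -q -E "CN *= *${serial}( |,|\$)"; then
        echo "ok"; return 0
    fi
    echo "wrong-ca"; return 1
}

# Live probe: capture the handshake to the VIP and classify it.
# -prexit makes s_client print the session summary even when the server
# rejects the connection because no client certificate was offered, which is
# exactly what a correctly configured ZTNA virtual server does.
probe_vip() {
    vip="$1"; port="$2"; serial="$3"
    out=$(mktemp)
    openssl s_client -connect "$vip:$port" -servername "$vip" -prexit \
        </dev/null 2>/dev/null > "$out"
    classify_handshake "$out" "$serial"
    rc=$?
    rm -f "$out"
    return $rc
}

# Usage: sh ztna_check.sh probe 203.0.113.10 443 FCTEMS0000000000
if [ "${1:-}" = "probe" ]; then
    probe_vip "$2" "$3" "$4"
fi
```

Run the probe from a machine without FortiClient installed: "ok" means the virtual server is asking for a client certificate and will accept one chained to the EMS CA, so only EMS-managed endpoints can proceed; "no-client-auth" means the Client SSL profile on the virtual server is not using the Client Certificate Verify profile and the ZTNA tags are never evaluated. Note that "ok" checks the certificate requirement only; whether an endpoint is then allowed through depends on the tag rules in the ZTNA profile.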
After the ZTNA security profile is applied, an endpoint must meet the following conditions to reach the backend servers:
If every condition is met, the endpoint can reach the backend server through the virtual server. |