FortiGate
CarlosColombini
Article Id 259586
Description

 

This article describes how to configure FortiGate to protect multiple web servers through a single ZTNA Server when only one public/external IP and port are available.

 

Scope

 

FortiGate v7.0.2+, FortiClient v7.0.0+, FortiClient EMS v7.0.0+.

 

Solution

 

A single ZTNA server, bound to one external IP and one external port, can protect multiple web servers belonging to one or more domains.
To accomplish this, an administrator can leverage the Virtual Host option: each service/server mapping is selected by the FQDN the client requests (sent as the TLS SNI and the HTTP Host header), and each virtual host can present its own server certificate, so different FQDNs and domains can be served from the same IP:port.

 

The example below uses three different domains. One of the domains has two web servers that are load balanced.

 

FortiGate External IP/port: 192.168.10.43:8887
Certificates: wildcard certificates for each domain

 

Web Server FQDN              External DNS Record   External Port   Real Server IP                Real Port
webserver1.colombas.lab      192.168.10.43         8887            172.16.1.10 and 172.16.3.10   443
webserver2.robertao.lab      192.168.10.43         8887            172.16.2.10                   443
webserver4.robertao.lab      192.168.10.43         8887            172.16.4.10                   443
fgt61f-webadmin.paulao.lab   192.168.10.43         8887            172.16.55.15                  8444

 

Topology:

 

[Figure: topology2-kb.png]

 

Configuration Steps:

 

  1. Upload the server certificates to FortiGate: Technical Tip: How to import an SSL certificate as a local certificate
  2. Configure the EMS Fabric Connector on FortiGate if not done already: Technical Tip: Simplify FortiClient EMS setup
  3. Configure the ZTNA Server as per the steps below:
  • Navigate to Policy & Objects -> ZTNA and select 'Create New'. Define a name and the external interface/IP/port. Creating the ZTNA server from the GUI automatically creates a VIP of type 'access-proxy'.
  • Select 'Create New' under the 'Service/server mapping' section. Select 'Specify' for 'Virtual Host' and define the publicly resolvable FQDN that matches the server certificate uploaded previously. The virtual host is matched against the name the client requests (TLS SNI / HTTP Host header), so it must be exactly the FQDN users will browse to.


[Screenshot: ztna-3.png]

 

Note:
In the example above there are two real servers, and traffic is load balanced between them with the 'Round Robin' method.
Other methods are available: weighted, first alive, and HTTP host.

 

 

  • For the current topology example, the ZTNA server looks like the screenshot below once all service/server mappings are configured.

 

[Screenshot: ztna-server-settings.png]

 

  4. Configure ZTNA Rules and select the Security Profiles, ZTNA Tags, and Authentication as desired.

Note:
Starting from FortiOS 7.2.5 and 7.4.0, ZTNA Rules are configured under Policy & Objects -> Proxy Policy.


Related document:

https://docs.fortinet.com/document/fortigate/7.2.5/fortios-release-notes/572633/changes-in-gui-behav...
 

[Screenshot: ztna5.png]

 

Note:

If a real server is reached across an IPsec tunnel and no IP address is configured on the tunnel interface, the 'set poolname' setting introduced in FortiOS 7.0.6+, 7.2.0+ and 7.4.0+ can be used, as per the document below. This setting is available from the CLI only.

 

Related document:

https://docs.fortinet.com/document/fortigate/7.2.0/new-features/230508/using-the-ip-pool-or-client-i...

 

  5. Connect the endpoint to EMS Telemetry so that the ZTNA certificate is installed on the endpoint: Telemetry connection options

 

Note:

It is not necessary to configure a ZTNA Destination in FortiClient for the HTTPS access proxy use case; in fact, a ZTNA Destination rule for the website may interfere with its operation. The user simply browses to the URL, which must resolve to the ZTNA proxy gateway IP. The 'access-proxy-virtual-host' objects shown below match the FQDN the user requested (carried in the TLS SNI and the HTTP Host header) to the corresponding real server; a connection made to the IP address instead of the FQDN will not match any of these virtual hosts.

 

Validation of configuration:
Access to the web servers hosted via ZTNA uses the FQDN defined under 'Virtual Host' and the port defined under 'External port'.
From the CLI, the relevant pieces of configuration are shown below:

 

config firewall vip
    edit "Colombas"
        set uuid 2e869c10-feec-51ed-7fd4-2cfc76a5b7b7
        set type access-proxy
        set extip 192.168.10.43
        set extintf "port1"
        set server-type https
        set extport 8887
        set ssl-certificate "Fortinet_Factory"
    next
end

config firewall access-proxy
    edit "Colombas"
        set vip "Colombas"
        config api-gateway
            edit 2
                set virtual-host "auto-Colombas-0"
                config realservers
                    edit 1
                        set ip 172.16.1.10
                    next
                    edit 2
                        set ip 172.16.3.10
                    next
                end
                set ldb-method round-robin
            next
            edit 3
                set virtual-host "auto-Colombas-1"
                config realservers
                    edit 1
                        set ip 172.16.2.10
                    next
                end
            next
            edit 4
                set virtual-host "auto-Colombas-2"
                config realservers
                    edit 1
                        set ip 172.16.4.10
                    next
                end
            next
            edit 5
                set virtual-host "auto-Colombas-3"
                config realservers
                    edit 1
                        set ip 172.16.55.15
                        set port 8444
                    next
                end
            next
        end
    next
end

config firewall access-proxy-virtual-host
    edit "auto-Colombas-0"
        set ssl-certificate "Wildcard_Colombas"
        set host "webserver1.colombas.lab"
    next
    edit "auto-Colombas-1"
        set ssl-certificate "Wildcard_Robertao"
        set host "webserver2.robertao.lab"
    next
    edit "auto-Colombas-2"
        set ssl-certificate "Wildcard_Robertao"
        set host "webserver4.robertao.lab"
    next
    edit "auto-Colombas-3"
        set ssl-certificate "Wildcard_Paulao"
        set host "fgt61f-webadmin.paulao.lab"
    next
end

config firewall proxy-policy
    edit 8
        set uuid afaaaec8-04a3-51ee-5416-1f2186e2c369
        set name "Colombas Servers"
        set proxy access-proxy
        set access-proxy "Colombas"
        set srcintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "LAN1" "LAN3"
        set ztna-ems-tag "EMS2_ZTNA_740-TAG"
        set action accept
        set schedule "always"
        set logtraffic all
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
    next
    edit 13
        set uuid afaf2282-04a3-51ee-c3ec-11ff387e05b5
        set name "Robertao Servers"
        set proxy access-proxy
        set access-proxy "Colombas"
        set srcintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "LAN2" "LAN4"
        set ztna-ems-tag "EMS2_ZTNA_740-TAG"
        set action accept
        set schedule "always"
        set logtraffic all
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "Escalations-Proxy"
    next
    edit 14
        set uuid afb3a974-04a3-51ee-39f7-516ad60a7ed3
        set name "FGT61F Servers"
        set proxy access-proxy
        set access-proxy "Colombas"
        set srcintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "LAN55" "LAN66"
        set ztna-ems-tag "EMS2_ZTNA_740-TAG"
        set action accept
        set schedule "always"
        set logtraffic all
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "Escalations-Proxy"
    next
end
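The three objects above have to agree with each other: every 'virtual-host' named in an api-gateway must exist under 'firewall access-proxy-virtual-host', carry both a 'host' and an 'ssl-certificate', and front at least one real server, and no FQDN should be claimed by two gateways. As an added example (not part of the original article and not a Fortinet tool), the Python script below parses the FortiOS CLI format shown above and rebuilds the FQDN -> real-server table while reporting those inconsistencies. The embedded configuration is a trimmed copy of the page's own with one deliberately broken gateway added; the assumption that an unset real-server port means 443 and an unset 'ldb-method' means 'static' is marked in the code.

```python
# Added example: rebuild the virtual-host -> real-server table from a FortiOS CLI dump.
import shlex

# Constructed sample: a trimmed copy of the page's config plus a broken gateway (edit 6).
SAMPLE_CONFIG = """
config firewall access-proxy
    edit "Colombas"
        config api-gateway
            edit 2
                set virtual-host "auto-Colombas-0"
                config realservers
                    edit 1
                        set ip 172.16.1.10
                    next
                    edit 2
                        set ip 172.16.3.10
                    next
                end
                set ldb-method round-robin
            next
            edit 5
                set virtual-host "auto-Colombas-3"
                config realservers
                    edit 1
                        set ip 172.16.55.15
                        set port 8444
                    next
                end
            next
            edit 6
                set virtual-host "auto-Colombas-9"
            next
        end
    next
end
config firewall access-proxy-virtual-host
    edit "auto-Colombas-0"
        set ssl-certificate "Wildcard_Colombas"
        set host "webserver1.colombas.lab"
    next
    edit "auto-Colombas-3"
        set ssl-certificate "Wildcard_Paulao"
        set host "fgt61f-webadmin.paulao.lab"
    next
end
"""

def _parse_block(lines, i, terminator):
    """Parse lines[i:] until `terminator` ('next', 'end', or None for the top level)."""
    node = {"set": {}, "entries": {}, "config": {}}
    while i < len(lines):
        tok = shlex.split(lines[i])
        i += 1
        if not tok:
            continue
        if tok[0] == terminator:
            return node, i
        if tok[0] == "set":
            node["set"][tok[1]] = tok[2:]  # values are kept as a list
        elif tok[0] == "config":
            node["config"][" ".join(tok[1:])], i = _parse_block(lines, i, "end")
        elif tok[0] == "edit":
            node["entries"][tok[1]], i = _parse_block(lines, i, "next")
        elif tok[0] != "unset":
            raise ValueError(f"unexpected keyword {tok[0]!r} at line {i}")
    if terminator is None:
        return node, i
    raise ValueError(f"missing {terminator!r}")

def parse_fortios(text):
    return _parse_block(text.splitlines(), 0, None)[0]

def vhost_table(cfg):
    """Return ({fqdn: {gateway, cert, ldb, servers}}, [problem strings]) from the api-gateways."""
    vhosts = cfg["config"]["firewall access-proxy-virtual-host"]["entries"]
    table, problems = {}, []
    for pname, proxy in cfg["config"]["firewall access-proxy"]["entries"].items():
        for gw_id, gw in proxy["config"].get("api-gateway", {"entries": {}})["entries"].items():
            vh_name = gw["set"].get("virtual-host", [""])[0]
            if vh_name not in vhosts:
                problems.append(f"{pname}/gateway {gw_id}: virtual host {vh_name!r} is not defined")
                continue
            host = vhosts[vh_name]["set"].get("host", [""])[0]
            cert = vhosts[vh_name]["set"].get("ssl-certificate", [""])[0]
            if not host or not cert:
                problems.append(f"{vh_name}: both 'host' and 'ssl-certificate' must be set")
            # port 443 and ldb-method 'static' are the FortiOS defaults assumed here
            servers = [(rs["set"]["ip"][0], int(rs["set"].get("port", ["443"])[0]))
                       for rs in gw["config"].get("realservers", {"entries": {}})["entries"].values()]
            if not servers:
                problems.append(f"{pname}/gateway {gw_id}: no real servers configured")
            if host in table:
                problems.append(f"{host!r} is mapped by more than one gateway; only one can match")
            table[host] = {"gateway": int(gw_id), "cert": cert, "servers": servers,
                           "ldb": gw["set"].get("ldb-method", ["static"])[0]}
    return table, problems

if __name__ == "__main__":
    table, problems = vhost_table(parse_fortios(SAMPLE_CONFIG))
    print(*table.items(), *problems, sep="\n")
```

To use it on a real unit, paste the output of 'show firewall access-proxy' and 'show firewall access-proxy-virtual-host' into SAMPLE_CONFIG; the printed table should match the mapping table at the top of this article and the problems list should be empty.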

 

From the remote endpoint, access 'https://webserver1.colombas.lab:8887'. A prompt to provide a client certificate will be presented:

 

[Screenshot: cert-user1.png]

 

After a valid certificate issued by the EMS ZTNA Root CA is presented and all criteria of the ZTNA rule on FortiGate are met, the traffic is proxied to the real server.

 

[Screenshot: cert-user2.png]

 

Note:

Because load balancing was configured for webserver1.colombas.lab, traffic from FortiGate to the real servers 172.16.1.10 and 172.16.3.10 follows the configured method, 'Round Robin' in this case.

 

[Screenshot: load balance ztna.png]

 

ZTNA rules are evaluated top-down, like regular firewall policies.

For example, to access https://fgt61f-webadmin.paulao.lab:8887, the ZTNA rules are evaluated in order and the third one on the list matched the request.

 

[Screenshot: policy ztna.png]

 


Troubleshooting:
The commands below can be useful for troubleshooting issues with the ZTNA access proxy. Remember to turn the output off again with 'diagnose debug disable' when finished, as policy debugging is verbose on a busy unit.

diagnose debug console timestamp enable
diagnose wad debug enable category policy
diagnose debug enable


From GUI, check the section 'ZTNA Traffic':


[Screenshot: ztna traffic.png]

 

Connection details, including endpoint information, can be retrieved from those logs by selecting 'Details' in the top-right corner.

 

[Screenshot: logs1-.png]

 

From the Security tab, more details about the web request are recorded if a UTM profile such as Web Filter is applied to the ZTNA rule.

 

[Screenshot: logs2-.png]

 

 

Alternatively, these logs can be displayed from the CLI with the following commands (log category 0 is traffic):

execute log filter category 0
execute log filter field subtype ztna
execute log display

 

date=2023-06-11 time=21:02:12 eventtime=1686531732271749388 tz="-0400" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=192.168.101.71 srcname="192.168.101.71" srcport=62401 srcintf="port1" srcintfrole="wan" dstcountry="Reserved" srccountry="Reserved" dstip=172.16.4.10 dstname="172.16.4.10" dstport=443 dstintf="overlay-2" dstintfrole="undefined" sessionid=105511 srcuuid="2e869c10-feec-51ed-7fd4-2cfc76a5b7b7" dstuuid="0e2e1196-feec-51ed-7310-56b7eb71c0d9" service="HTTPS" proxyapptype="http" proto=6 action="accept" policyid=13 policytype="proxy-policy" poluuid="afaf2282-04a3-51ee-c3ec-11ff387e05b5" policyname="Robertao Servers" duration=522 gatewayid=4 vip="Colombas" accessproxy="Colombas" clientdeviceid="0C68C66208DD428CBE62D091ADBCBDBB" clientdevicemanageable="manageable" clientdevicetags="MAC_EMS2_ZTNA_all_registered_clients/EMS2_ZTNA_all_registered_clients/MAC_EMS2_ZTNA_FMG/EMS2_ZTNA_FMG/MAC_EMS2_ZTNA_GOOD" emsconnection="online" wanin=104334 rcvdbyte=104334 wanout=2953 lanin=2644 sentbyte=2644 lanout=106249 fctuid="0C68C66208DD428CBE62D091ADBCBDBB" appcat="unscanned" utmaction="allow" countweb=3 utmref=65134-25056
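The ZTNA traffic log carries the fields an auditor needs: which proxy policy and gateway handled the session, which real server it reached, and the device posture at the time (clientdevicemanageable, clientdevicetags, emsconnection). As an added example (not part of the original article), the Python script below parses this key=value format, including quoted values that contain spaces and '/', and audits accepted sessions for three conditions a practitioner would want flagged: EMS connection not online, an unmanageable device, and a destination outside the real servers defined in this article's mapping table. The first sample line is an abridged copy of the page's log line; the other two are constructed to trip the checks and are not real captured data.

```python
# Added example: parse FortiGate ZTNA traffic logs and audit the accepted sessions.
import re
from collections import defaultdict

# Real servers the article maps behind the "Colombas" access proxy.
EXPECTED_REAL_SERVERS = {("172.16.1.10", 443), ("172.16.3.10", 443), ("172.16.2.10", 443),
                         ("172.16.4.10", 443), ("172.16.55.15", 8444)}

# Constructed sample: the page's line (abridged) plus two made-up lines that should trip the audit.
SAMPLE_LOGS = [
    'date=2023-06-11 time=21:02:12 type="traffic" subtype="ztna" level="notice" srcip=192.168.101.71 '
    'srcport=62401 dstip=172.16.4.10 dstport=443 service="HTTPS" action="accept" policyid=13 '
    'policytype="proxy-policy" policyname="Robertao Servers" gatewayid=4 vip="Colombas" '
    'accessproxy="Colombas" clientdeviceid="0C68C66208DD428CBE62D091ADBCBDBB" '
    'clientdevicemanageable="manageable" clientdevicetags="MAC_EMS2_ZTNA_all_registered_clients/'
    'EMS2_ZTNA_all_registered_clients/MAC_EMS2_ZTNA_GOOD" emsconnection="online" rcvdbyte=104334 sentbyte=2644',
    'date=2023-06-11 time=21:05:40 type="traffic" subtype="ztna" level="notice" srcip=192.168.101.80 '
    'srcport=50122 dstip=172.16.1.10 dstport=443 service="HTTPS" action="accept" policyid=8 '
    'policytype="proxy-policy" policyname="Colombas Servers" gatewayid=2 vip="Colombas" '
    'accessproxy="Colombas" clientdeviceid="A1B2" clientdevicemanageable="manageable" '
    'clientdevicetags="EMS2_ZTNA_all_registered_clients" emsconnection="offline" rcvdbyte=5120 sentbyte=900',
    'date=2023-06-11 time=21:07:02 type="traffic" subtype="ztna" level="notice" srcip=192.168.101.90 '
    'srcport=50990 dstip=172.16.99.1 dstport=443 service="HTTPS" action="accept" policyid=14 '
    'policytype="proxy-policy" policyname="FGT61F Servers" gatewayid=5 vip="Colombas" '
    'accessproxy="Colombas" clientdeviceid="C3D4" clientdevicemanageable="unmanageable" '
    'clientdevicetags="" emsconnection="online" rcvdbyte=0 sentbyte=100',
]

# key=value where the value is either a double-quoted string or a run of non-space characters
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_log_line(line):
    """Return the key=value pairs of one FortiOS log line as a dict, quotes stripped."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in _KV.findall(line)}

def audit_ztna(lines):
    """Summarise ZTNA sessions per proxy policy and flag accepted sessions that should
    not have been trusted or that reached a server outside the known mapping."""
    summary = defaultdict(lambda: {"sessions": 0, "bytes": 0})
    findings = []
    for line in lines:
        rec = parse_log_line(line)
        if rec.get("type") != "traffic" or rec.get("subtype") != "ztna":
            continue
        stats = summary[rec.get("policyname", "?")]
        stats["sessions"] += 1
        stats["bytes"] += int(rec.get("rcvdbyte", 0)) + int(rec.get("sentbyte", 0))
        if rec.get("action") != "accept":
            continue
        dst = (rec.get("dstip"), int(rec.get("dstport", 0)))
        session = f'{rec.get("srcip")} -> {dst[0]}:{dst[1]} ({rec.get("policyname")})'
        if rec.get("emsconnection") != "online":
            findings.append({"reason": "ems-offline", "session": session})
        if rec.get("clientdevicemanageable") != "manageable":
            findings.append({"reason": "unmanageable-device", "session": session})
        if dst not in EXPECTED_REAL_SERVERS:
            findings.append({"reason": "unexpected-real-server", "session": session})
    return dict(summary), findings

if __name__ == "__main__":
    summary, findings = audit_ztna(SAMPLE_LOGS)
    for policy, stats in summary.items():
        print(f"{policy:20} sessions={stats['sessions']} bytes={stats['bytes']}")
    for finding in findings:
        print(f"{finding['reason']:24} {finding['session']}")
```

Feed it the output of 'execute log display' (or the exported log file) one line per entry; on a healthy deployment the findings list stays empty and the per-policy summary shows only the real servers you expect. The EMS tag names in clientdevicetags are the EMS-side names, not the FortiGate 'ztna-ems-tag' object name, so a tag check has to be written against the EMS names.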

 

Related article:

In addition to the articles and documents linked above, the following resource center is a good starting point for ZTNA-related questions.

Zero Trust Network Access