Created on 06-11-2023 10:33 PM. Edited on 04-25-2025 06:33 AM. By Jean-Philippe_P.
Description
This article describes how to configure FortiGate to protect multiple web servers through a single ZTNA Server when only one public/external IP and port are available.
Scope
FortiGate v7.0.2+, FortiClient v7.0.0+, FortiClient EMS v7.0.0+.
Solution
It is possible to have multiple web servers for one or more domains protected by only one ZTNA Server configured with an external IP and external port.
To accomplish this, an administrator can leverage the Virtual Host option, where multiple certificates can also be utilized to match different FQDNs and domains.
The example below uses three different domains. One of the domains has two web servers behind load balancing.
FortiGate External IP/port: 192.168.10.43:8887.
Certificates: wildcard certificates for each domain.
Web Server FQDN | External DNS Record | External Port | Real Server IP | Real Port
--- | --- | --- | --- | ---
webserver1.colombas.lab | 192.168.10.43 | 8887 | 172.16.1.10 and 172.16.3.10 | 443
webserver2.robertao.lab | 192.168.10.43 | 8887 | 172.16.2.10 | 443
webserver4.robertao.lab | 192.168.10.43 | 8887 | 172.16.4.10 | 443
fgt61f-webadmin.paulao.lab | 192.168.10.43 | 8887 | 172.16.55.15 | 8444
Topology:
Configuration Steps:
- Upload server certificates to FortiGate: Technical Tip: How to import an SSL certificate as a local certificate.
- Configure EMS Fabric Connector on FortiGate if not done already: Technical Tip: Simplify FortiClient EMS setup.
- Configure ZTNA Server as per the steps below:
- Navigate to Policy & Objects -> ZTNA and select 'Create New'. Define a name and the external interface/IP/port. Creating the ZTNA server from the GUI automatically creates a VIP of type 'access-proxy'.
- Select "Create new" under the 'Service/server mapping' section. Select 'Specify' for 'Virtual Host', and define the public resolvable FQDN that matches the server certificate uploaded previously.
Note:
In the example above, there are two real servers, and traffic will be load balanced with the 'Round Robin' method.
Other methods are available: weighted, first alive, and HTTP host.
- For the current topology example, it will look like the screenshot below after configuring all Service/server mappings.
- Configure ZTNA Rules and select the Security Profiles, ZTNA Tags, and Authentication as desired.
Note: Starting from FortiOS v7.2.5 and v7.4.0, ZTNA Rules are now configured under Policy & Objects -> Proxy Policy section.
Related document:
Note:
If a real server is hosted across an IPsec tunnel and no IP address has been configured on the tunnel interface, the 'set poolname' setting can be used in FortiOS v7.0.6+, v7.2.0+, and v7.4.0+, as described in the document below. This setting can only be configured from the CLI.
Related document:
Using the IP pool or client IP address in a ZTNA connection to backend servers
- Connect the endpoint to EMS Telemetry to have the ZTNA Certificate installed on the endpoint: Telemetry connection options.
Note:
It is not necessary to configure a ZTNA Destination on FortiClient for the HTTPS access proxy use case. Configuring a ZTNA Destination rule for the website may interfere with its operation. In this case, the URL, which resolves to the ZTNA access proxy gateway IP, can be accessed directly. The 'access-proxy-virtual-host' configured below matches the URL the endpoint user is trying to access and points it to the corresponding real server IP.
Validation of configuration: Access to web servers hosted via ZTNA is performed using the FQDN defined under 'Virtual Host' and the port defined under 'external port'.
From CLI, the relevant pieces of configuration are shown below:
config firewall vip
    edit "Colombas"
        set uuid 2e869c10-feec-51ed-7fd4-2cfc76a5b7b7
        set type access-proxy
        set extip 192.168.10.43
        set extintf "port1"
        set server-type https
        set extport 8887
        set ssl-certificate "Fortinet_Factory"
    next
end
config firewall access-proxy
    edit "Colombas"
        set vip "Colombas"
        config api-gateway
            edit 2
                set virtual-host "auto-Colombas-0"
                config realservers
                    edit 1
                        set ip 172.16.1.10
                    next
                    edit 2
                        set ip 172.16.3.10
                    next
                end
                set ldb-method round-robin
            next
            edit 3
                set virtual-host "auto-Colombas-1"
                config realservers
                    edit 1
                        set ip 172.16.2.10
                    next
                end
            next
            edit 4
                set virtual-host "auto-Colombas-2"
                config realservers
                    edit 1
                        set ip 172.16.4.10
                    next
                end
            next
            edit 5
                set virtual-host "auto-Colombas-3"
                config realservers
                    edit 1
                        set ip 172.16.55.15
                        set port 8444
                    next
                end
            next
        end
    next
end
config firewall access-proxy-virtual-host
    edit "auto-Colombas-0"
        set ssl-certificate "Wildcard_Colombas"
        set host "webserver1.colombas.lab"
    next
    edit "auto-Colombas-1"
        set ssl-certificate "Wildcard_Robertao"
        set host "webserver2.robertao.lab"
    next
    edit "auto-Colombas-2"
        set ssl-certificate "Wildcard_Robertao"
        set host "webserver4.robertao.lab"
    next
    edit "auto-Colombas-3"
        set ssl-certificate "Wildcard_Paulao"
        set host "fgt61f-webadmin.paulao.lab"
    next
end
config firewall proxy-policy
    edit 8
        set uuid afaaaec8-04a3-51ee-5416-1f2186e2c369
        set name "Colombas Servers"
        set proxy access-proxy
        set access-proxy "Colombas"
        set srcintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "LAN1" "LAN3"
        set ztna-ems-tag "EMS2_ZTNA_740-TAG"
        set action accept
        set schedule "always"
        set logtraffic all
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
    next
    edit 13
        set uuid afaf2282-04a3-51ee-c3ec-11ff387e05b5
        set name "Robertao Servers"
        set proxy access-proxy
        set access-proxy "Colombas"
        set srcintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "LAN2" "LAN4"
        set ztna-ems-tag "EMS2_ZTNA_740-TAG"
        set action accept
        set schedule "always"
        set logtraffic all
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "Escalations-Proxy"
    next
    edit 14
        set uuid afb3a974-04a3-51ee-39f7-516ad60a7ed3
        set name "FGT61F Servers"
        set proxy access-proxy
        set access-proxy "Colombas"
        set srcintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "LAN55" "LAN66"
        set ztna-ems-tag "EMS2_ZTNA_740-TAG"
        set action accept
        set schedule "always"
        set logtraffic all
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "Escalations-Proxy"
    next
end
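The mapping from virtual host FQDN to real servers above is spread over three tables (vip, access-proxy api-gateway, access-proxy-virtual-host), which makes a misplaced 'set host' or a gateway pointing at an undefined virtual host easy to miss. The following is an added example, not Fortinet code nor part of this article: a small parser for the config/edit/set/next/end syntax that rebuilds the FQDN-to-real-server table and runs a few pre-go-live checks (undefined virtual host, virtual host without its own certificate, two virtual hosts claiming the same FQDN). The sample input is a constructed excerpt of the CLI shown above (two of the four virtual hosts); the 443 default for a real server without 'set port' is an assumption taken from the table in this article, not from the FortiOS schema.

```python
import shlex

# Constructed excerpt of the FortiOS CLI in this article (two of the four
# virtual hosts), used as sample input for the parser below.
SAMPLE_CONFIG = """
config firewall access-proxy
    edit "Colombas"
        set vip "Colombas"
        config api-gateway
            edit 2
                set virtual-host "auto-Colombas-0"
                config realservers
                    edit 1
                        set ip 172.16.1.10
                    next
                    edit 2
                        set ip 172.16.3.10
                    next
                end
                set ldb-method round-robin
            next
            edit 5
                set virtual-host "auto-Colombas-3"
                config realservers
                    edit 1
                        set ip 172.16.55.15
                        set port 8444
                    next
                end
            next
        end
    next
end
config firewall access-proxy-virtual-host
    edit "auto-Colombas-0"
        set ssl-certificate "Wildcard_Colombas"
        set host "webserver1.colombas.lab"
    next
    edit "auto-Colombas-3"
        set ssl-certificate "Wildcard_Paulao"
        set host "fgt61f-webadmin.paulao.lab"
    next
end
"""


def parse_fortios(text):
    """Parse config/edit/set/next/end lines into nested dicts: a table maps
    entry names to dicts holding 'set' values (token lists) and sub-tables."""
    root, stack = {}, []
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # honours the double-quoted values
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        cur = stack[-1] if stack else root
        if cmd == "config":
            stack.append(cur.setdefault(" ".join(args), {}))
        elif cmd == "edit":
            stack.append(cur.setdefault(args[0], {}))
        elif cmd == "set":
            cur[args[0]] = args[1:]
        elif cmd in ("next", "end"):
            stack.pop()
    return root


def build_mapping(cfg):
    """Return {virtual-host FQDN: ["ip:port", ...]}. Port falls back to 443
    when a real server has no 'set port' (assumption based on the article's table)."""
    vhosts = cfg.get("firewall access-proxy-virtual-host", {})
    mapping = {}
    for proxy in cfg.get("firewall access-proxy", {}).values():
        for gw in proxy.get("api-gateway", {}).values():
            vh = gw.get("virtual-host", [""])[0]
            fqdn = vhosts.get(vh, {}).get("host", [vh])[0]
            mapping[fqdn] = [f"{rs['ip'][0]}:{rs.get('port', ['443'])[0]}"
                             for rs in gw.get("realservers", {}).values()]
    return mapping


def check_config(cfg):
    """Pre-go-live checks: every gateway references a defined virtual host,
    every virtual host carries its own certificate, and no FQDN is claimed twice."""
    findings, seen = [], {}
    vhosts = cfg.get("firewall access-proxy-virtual-host", {})
    for name, vh in vhosts.items():
        host = vh.get("host", [""])[0]
        if "ssl-certificate" not in vh:
            findings.append(f"{name}: no ssl-certificate for {host}")
        if host in seen:
            findings.append(f"{name}: host {host} already used by {seen[host]}")
        seen.setdefault(host, name)
    for pname, proxy in cfg.get("firewall access-proxy", {}).items():
        for gid, gw in proxy.get("api-gateway", {}).items():
            vh = gw.get("virtual-host", [""])[0]
            if vh not in vhosts:
                findings.append(f"{pname} gateway {gid}: virtual-host {vh!r} undefined")
    return findings
```

Run it against `show firewall access-proxy` and `show firewall access-proxy-virtual-host` output pasted into SAMPLE_CONFIG; `build_mapping(parse_fortios(text))` should reproduce the FQDN table from this article and `check_config` should return an empty list.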
From the remote endpoint, access 'https://webserver1.colombas.lab:8887'. A prompt to provide a client certificate will be presented:
After providing a valid certificate issued by EMS ZTNA Root CA and matching all criteria of the ZTNA Rule in FortiGate, traffic is proxied to the real server.
Note:
Considering the load balance option was configured, traffic from FortiGate to Destination servers will follow the load balance method, which is 'Round Robin' in this case for 172.16.1.10 and 172.16.3.10.
ZTNA rules are evaluated from a top-down approach, as regular firewall policies are.
For example, to access https://fgt61f-webadmin.paulao.lab:8887, ZTNA Rules are evaluated, and the third one on the list matched the request.
Troubleshooting:
The commands below can be useful for troubleshooting issues with ZTNA Access Proxy.
diagnose debug console timestamp enable
diagnose wad debug enable category policy
diagnose debug enable
From the GUI, check the section 'ZTNA Traffic':
Connection details, including endpoint information, can be retrieved from those logs by selecting 'Details' in the top-right corner.
From the Security tab, more details about the web request are recorded if UTM profiles such as 'Web Filter' are applied to the ZTNA Rule.
Alternatively, these logs can be displayed from the CLI by using the following commands:
execute log filter category 0
execute log filter field subtype ztna
execute log display
date=2023-06-11 time=21:02:12 eventtime=1686531732271749388 tz="-0400" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=192.168.101.71 srcname="192.168.101.71" srcport=62401 srcintf="port1" srcintfrole="wan" dstcountry="Reserved" srccountry="Reserved" dstip=172.16.4.10 dstname="172.16.4.10" dstport=443 dstintf="overlay-2" dstintfrole="undefined" sessionid=105511 srcuuid="2e869c10-feec-51ed-7fd4-2cfc76a5b7b7" dstuuid="0e2e1196-feec-51ed-7310-56b7eb71c0d9" service="HTTPS" proxyapptype="http" proto=6 action="accept" policyid=13 policytype="proxy-policy" poluuid="afaf2282-04a3-51ee-c3ec-11ff387e05b5" policyname="Robertao Servers" duration=522 gatewayid=4 vip="Colombas" accessproxy="Colombas" clientdeviceid="0C68C66208DD428CBE62D091ADBCBDBB" clientdevicemanageable="manageable" clientdevicetags="MAC_EMS2_ZTNA_all_registered_clients/EMS2_ZTNA_all_registered_clients/MAC_EMS2_ZTNA_FMG/EMS2_ZTNA_FMG/MAC_EMS2_ZTNA_GOOD" emsconnection="online" wanin=104334 rcvdbyte=104334 wanout=2953 lanin=2644 sentbyte=2644 lanout=106249 fctuid="0C68C66208DD428CBE62D091ADBCBDBB" appcat="unscanned" utmaction="allow" countweb=3 utmref=65134-25056
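The ZTNA traffic record above carries the fields that matter for a review of who reached which real server: the matched proxy policy and access proxy, the EMS device ID, whether the endpoint was online and manageable at session time, and its EMS tags as one '/'-separated string. The following is an added example, not Fortinet code nor part of this article: a parser for the key=value log format, plus a review function that flags accepted sessions whose endpoint was not EMS-online or manageable, or lacks a tag the reviewer expects. The sample record is an abridged copy of the log line quoted above; the tag names passed to review_session are the reviewer's own input and are not derived from the policy's ztna-ems-tag.

```python
import re

# Abridged copy of the ZTNA traffic log record quoted in this article.
SAMPLE_LOG = ('date=2023-06-11 time=21:02:12 type="traffic" subtype="ztna" '
              'srcip=192.168.101.71 srcport=62401 dstip=172.16.4.10 dstport=443 '
              'action="accept" policyid=13 policytype="proxy-policy" '
              'policyname="Robertao Servers" vip="Colombas" accessproxy="Colombas" '
              'clientdeviceid="0C68C66208DD428CBE62D091ADBCBDBB" '
              'clientdevicemanageable="manageable" '
              'clientdevicetags="MAC_EMS2_ZTNA_all_registered_clients/'
              'EMS2_ZTNA_all_registered_clients/MAC_EMS2_ZTNA_FMG/EMS2_ZTNA_FMG/'
              'MAC_EMS2_ZTNA_GOOD" emsconnection="online" rcvdbyte=104334 '
              'sentbyte=2644 utmaction="allow" countweb=3')

# key=value pairs; quoted values may contain spaces, bare values end at whitespace
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_ztna_log(line):
    """Split one FortiOS log record into a dict of string fields."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def device_tags(fields):
    """clientdevicetags is a single '/'-separated string in the record."""
    return [t for t in fields.get("clientdevicetags", "").split("/") if t]


def review_session(fields, expected_tags):
    """Findings for an accepted ZTNA session worth a second look: endpoint not
    online to EMS, not manageable, or missing a tag the reviewer expects.
    expected_tags is the reviewer's own list (assumption, not read from policy)."""
    findings = []
    if fields.get("action") != "accept":
        return findings  # only accepted sessions were proxied to a real server
    if fields.get("emsconnection") != "online":
        findings.append("endpoint was not online to EMS at session time")
    if fields.get("clientdevicemanageable") != "manageable":
        findings.append("endpoint not manageable by EMS")
    missing = sorted(set(expected_tags) - set(device_tags(fields)))
    if missing:
        findings.append("endpoint lacks expected tag(s): " + ", ".join(missing))
    return findings


def summarize(fields):
    """One line saying which endpoint reached which real server under which policy."""
    return (f"{fields['srcip']}:{fields['srcport']} -> "
            f"{fields['dstip']}:{fields['dstport']} via {fields['accessproxy']} "
            f"policy {fields['policyid']} ({fields['policyname']}), "
            f"device {fields['clientdeviceid']}, rcvdbyte {fields['rcvdbyte']} "
            f"sentbyte {fields['sentbyte']}")


def review_log(lines, expected_tags):
    """Apply review_session to each record; returns [(summary, findings)] for hits."""
    hits = []
    for line in lines:
        fields = parse_ztna_log(line)
        findings = review_session(fields, expected_tags)
        if findings:
            hits.append((summarize(fields), findings))
    return hits
```

Feed `review_log` the output of `execute log display` (one record per line) and the EMS tag names the rule is meant to enforce; each hit pairs a readable summary with the reason it was flagged.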
If the traffic is UDP or the application is UDP-based, this is supported from FortiOS 7.6.0 onward and requires the 'set h3-support' command to be enabled under the VIP. Below is a reference document:
Related document:
Further to the articles and documents linked above, the following is a great resource center for ZTNA Related questions.