| Description | This article describes some known limitations regarding the types of IP Pools that can be combined with ZTNA policies (both Simple and Full policies). |
| Scope | FortiGate, ZTNA. |
| Solution |
As a quick primer, user connections through the FortiGate using ZTNA use the FortiGate's outgoing interface IP address as the source of the proxied connection. v7.0.6, v7.2.0, and later support using IP Pools to change this outgoing source address (see also: New Features - Using the IP pool or client IP address in a ZTNA connection to backend servers).
However, there are some limitations on which types of IP Pools may be used in conjunction with ZTNA policies. Keep this in mind when configuring IP Pools, as it may explain why an IP Pool entry is unexpectedly unavailable when attempting to configure IP Pools on ZTNA policies. Consider the following example of IP Pool entries:
In the above example, one of each type of IP Pool (Overload, One-to-One, Fixed Port Range, and Port Block Allocation) has been configured.
For Full ZTNA Policies (e.g. those configured under Policy & Objects -> Proxy Policy, aka config firewall proxy-policy), only Overload type IP Pools are visible/selectable when running set poolname in the CLI:
FortiGate # config firewall proxy-policy
config firewall proxy-policy
    edit 1
        [...]
        set name "ZTNA Web Test Rule"
    next
end
FortiGate # set poolname ZTNA ?
*name    IP pool name.
For Simple ZTNA Policies (e.g. those configured under Policy & Objects -> Firewall Policy with type set to ZTNA, aka config firewall policy), all four types are selectable:
FortiGate # config firewall policy
FortiGate (1) # show
config firewall policy
    edit 1
        [...]
        set srcintf "LAN_101"
    next
end
FortiGate (1) # set nat enable
FortiGate (1) # set poolname ZTNA ?
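To check a configuration backup before planning ZTNA source NAT, the following added example (not Fortinet's code) parses the `config firewall ippool` section and reports which pools each policy table would offer, following the behaviour described above. The pool names and addresses are constructed, and the parser assumes that `set type` is omitted from the backup when the pool uses the default Overload type.

```python
import re

# Constructed sample of a FortiOS config backup; pool names and addresses are made up.
SAMPLE_CONFIG = """
config firewall ippool
    edit "ZTNA_Overload"
        set startip 10.0.0.10
        set endip 10.0.0.10
    next
    edit "ZTNA_OneToOne"
        set type one-to-one
        set startip 10.0.0.20
        set endip 10.0.0.20
    next
    edit "ZTNA_FixedPort"
        set type fixed-port-range
    next
    edit "ZTNA_PBA"
        set type port-block-allocation
    next
end
"""

def parse_ippools(config_text):
    """Return {pool name: type}. Assumes 'set type' is omitted for the default, overload."""
    pools, in_section, name = {}, False, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config firewall ippool":
            in_section = True
        elif in_section and line == "end":
            in_section = False
        elif in_section and (m := re.match(r'edit "?([^"]+)"?$', line)):
            name = m.group(1)
            pools[name] = "overload"
        elif in_section and name and (m := re.match(r"set type (\S+)$", line)):
            pools[name] = m.group(1)
    return pools

def selectable_pools(pools, policy_table):
    """Pools offered by 'set poolname', following the behaviour the article describes."""
    if policy_table == "proxy-policy":   # Full ZTNA policy: Overload only
        return sorted(n for n, t in pools.items() if t == "overload")
    if policy_table == "policy":         # Simple ZTNA policy: all four types
        return sorted(pools)
    raise ValueError(f"unknown policy table: {policy_table}")

if __name__ == "__main__":
    pools = parse_ippools(SAMPLE_CONFIG)
    for table in ("proxy-policy", "policy"):
        print(table, "->", selectable_pools(pools, table))
```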
Related document: |
Copyright 2025 Fortinet, Inc. All Rights Reserved.