|
Description |
This article demonstrates the functionality of ztna-device-ownership/device-ownership in ZTNA. |
|
Scope |
FortiGate, FortiClient EMS, and FortiClient. |
|
Solution |
In FortiGate Firewall, the device ownership feature enhances the security within Zero Trust Network Access (ZTNA) by ensuring that the authenticated user is the owner of the device being used to access the network. If the authenticated user does not match the device owner, access is denied, providing an additional layer of security against unauthorized access. To achieve device ownership, perform the following actions:
Below is the step-by-step configuration that showcases the ownership functionality. ZTNA Server:
config firewall access-proxy edit "ZTNA-webserver" set vip "ZTNA-webserver" set client-cert enable set user-agent-detect enable set auth-portal enable ← Required for authentication config api-gateway edit 2 set url-map "/tcp" set service tcp-forwarding config realservers edit 1 set address "FAZ" set mappedport 22 next edit 4 set address "FileServer" set mappedport 445 next edit 3 set address "RDP-Server" set mappedport 3389 next end next end next end Authentication Scheme and Rule:
config authentication scheme edit "ZTNA_Auth_Scheme" set method form set require-tfa enable set user-database "local-user-db" next end config authentication rule edit "ZTNA_Auth_Rule" set srcintf "any" set srcaddr "all" set ip-based disable set active-auth-method "ZTNA_Auth_Scheme" set web-auth-cookie enable next end ZTNA Policy:
config firewall proxy-policy edit 1 set uuid 6f684420-528a-51ef-0c5e-d8356662cd5a set name "ZTNA-Policy" set proxy access-proxy set access-proxy "ZTNA-webserver" set srcintf "any" set srcaddr "all" set dstaddr "all" set device-ownership enable set action accept set schedule "always" set users "BijayPrakashGhising" next end Assign owner on Endpoints:
ZTNA Destination:
Verification:
Provide the user credential present in the ZTNA Policy.
Afterward, it is possible to access the RDP server, which will offer a prompt to enter the credentials for the actual server.
Logs:
Device Ownership and User are Matched:
Device Ownership and User are not Matched: req_bypass=1 can be observed in the log. As a result, it will hit the deny policy.
Response Invalid: If you encounter an invalid response from the proxy, it could be due to outdated user cookies and the user not being present in the firewall. The log shows `user_found=0` in such cases.
To resolve this issue, clear the WAD session as a workaround or create a technical ticket for a better solution based on setup environment. See Technical Tip: Clearing proxy session. Related document: |
