jcovarrubias
Staff
Article Id 373718
Description

This article describes how to configure a Zero Trust Network Access (ZTNA) Web Portal to provide secure RDP access through a FortiGate firewall. The setup includes Virtual IP configuration, access proxy settings, authentication, and web portal configuration.

Scope

FortiGate v7.6.
Solution

Starting with FortiGate version 7.6, it is possible to configure Zero Trust Network Access without FortiClient. These are the basic steps to configure it.

Description of configuration environment:

The configuration below uses the following elements:

  • Internal RDP server (10.0.2.10/24) on port3.
  • External WAN interface (10.2.9.1) on port1 (the public-facing side).
  • Client IP 10.0.4.52.
  • Web Portal access on port 15443.
  • Authentication via RADIUS server (configuration already in place).

Configuration Elements:

VIP Configuration:

Create a VIP of type access-proxy for the web portal; extport 15443 is the port users connect to.

config firewall vip
    edit "client-less"
        set type access-proxy
        set server-type https
        set extip 10.2.9.1
        set extintf "port1"
        set client-cert disable
        set extport 15443
        set ssl-certificate "Fortinet_Factory"
    next
end

Configure Access Proxy Virtual Host:

Set up the virtual host for the access portal. Because client-cert is disabled here as well, the portal will not request a client certificate from the browser.

config firewall access-proxy-virtual-host
    edit "ztna-web-portal"
        set host "10.2.9.1"
        set client-cert disable
    next
end

Configure authentication:

Set up the authentication scheme and rule. The important element is the rule's protocol, which must be set to ztna-portal.

config authentication scheme
    edit "ztna-scheme"
        set method basic
        set user-database "RADIUSERV"
    next
end

config authentication rule
    edit "rule-portal"
        set protocol ztna-portal
        set active-auth-method "ztna-scheme"
    next
end

Configure ZTNA Web Portal:

Combine the VIP, the virtual host, and the authentication rule into the web portal.

config ztna web-portal
    edit "portal1"
        set vip "client-less"
        set host "ztna-web-portal"
        set auth-rule "rule-portal"
    next
end

Configure Web Portal Bookmark:

Set up the RDP bookmark that users in the group will see in the portal.

config ztna web-portal-bookmark
    edit "book1"
        set groups "RADIUSGR"
        config bookmarks
            edit "subbook1"
                set apptype rdp
                set host "10.0.2.10"
                set port 3389
                set width 800
                set height 600
            next
        end
    next
end

Configure Firewall Proxy Policy:

Create the proxy policy that allows ZTNA portal traffic and ties it to the portal.

config firewall proxy-policy
    edit 33
        set name "web-rdp"
        set proxy ztna-proxy
        set ztna-proxy "portal1"
        set srcintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end

After completing these configurations, users can access the RDP server through the ZTNA Web Portal using their RADIUS authentication credentials.
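As an added example (not from the article and not a Fortinet tool), the following Python script parses the config / edit / set / next / end blocks above, checks that the portal, VIP, virtual host, authentication rule and scheme, and proxy policy all reference each other by the right names, and flags the settings a reviewer would want to look at again: client certificates disabled, the Fortinet_Factory certificate, and srcaddr set to all. The configuration embedded in it is the article's own, abridged to the lines the checks read.

```python
"""Added example (not from the article or from Fortinet): parse the FortiGate
config / edit / set / next / end blocks above and sanity-check the ZTNA portal
objects: do they reference each other, and which settings deserve a second look?
"""
import shlex

# Constructed input: the article's configuration, abridged to the lines checked.
SAMPLE_CONFIG = """
config firewall vip
    edit "client-less"
        set client-cert disable
        set extport 15443
        set ssl-certificate "Fortinet_Factory"
    next
end
config firewall access-proxy-virtual-host
    edit "ztna-web-portal"
        set host "10.2.9.1"
        set client-cert disable
    next
end
config authentication scheme
    edit "ztna-scheme"
        set user-database "RADIUSERV"
    next
end
config authentication rule
    edit "rule-portal"
        set protocol ztna-portal
        set active-auth-method "ztna-scheme"
    next
end
config ztna web-portal
    edit "portal1"
        set vip "client-less"
        set host "ztna-web-portal"
        set auth-rule "rule-portal"
    next
end
config firewall proxy-policy
    edit 33
        set proxy ztna-proxy
        set ztna-proxy "portal1"
        set srcaddr "all"
    next
end
"""


def parse_fortios(text):
    """Return {table: {entry: {key: value}}}; a nested 'config' sub-table such as
    'bookmarks' is stored under its own name inside the enclosing entry."""
    root = {}
    stack = [root]  # the container currently being filled
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # honours the quoted object names
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif keyword == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif keyword == "set":  # single value as str, multi-value as list
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif keyword in ("next", "end"):
            stack.pop()
    return root


def check_ztna_portal(cfg):
    """Cross-reference portal, VIP, virtual host, auth rule/scheme and proxy
    policy; return human-readable findings (an empty list means all clean)."""
    findings = []
    vips = cfg.get("firewall vip", {})
    hosts = cfg.get("firewall access-proxy-virtual-host", {})
    rules = cfg.get("authentication rule", {})
    schemes = cfg.get("authentication scheme", {})
    portals = cfg.get("ztna web-portal", {})
    for name, p in portals.items():
        for key, table in (("vip", vips), ("host", hosts), ("auth-rule", rules)):
            if p.get(key) not in table:
                findings.append(f"portal {name}: {key} '{p.get(key)}' has no matching entry")
        vip, rule = vips.get(p.get("vip"), {}), rules.get(p.get("auth-rule"), {})
        if vip.get("client-cert") == "disable":
            findings.append(f"portal {name}: client-cert disabled; access rests on the auth rule alone")
        if vip.get("ssl-certificate") == "Fortinet_Factory":
            findings.append(f"portal {name}: factory certificate; browsers will not trust it by default")
        if rule.get("protocol") != "ztna-portal":
            findings.append(f"portal {name}: auth rule protocol must be ztna-portal")
        if rule.get("active-auth-method") not in schemes:
            findings.append(f"portal {name}: auth rule points at an undefined scheme")
    for pid, pol in cfg.get("firewall proxy-policy", {}).items():
        if pol.get("proxy") != "ztna-proxy":
            continue
        if pol.get("ztna-proxy") not in portals:
            findings.append(f"policy {pid}: ztna-proxy '{pol.get('ztna-proxy')}' is not a defined web-portal")
        if pol.get("srcaddr") == "all":
            findings.append(f"policy {pid}: srcaddr 'all'; restrict to expected client ranges where possible")
    return findings
```

Feed it the output of the corresponding show commands after a change. A "has no matching entry" finding is almost always a typo in one of the object names, which is the most common reason a freshly built portal does not come up; the other three findings on the article's configuration are reminders rather than errors: the clientless design deliberately disables client certificates, while replacing Fortinet_Factory with a certificate the browsers already trust and narrowing srcaddr are low-cost hardening steps.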

 

Basic Troubleshooting:

  1. Authentication - enable the following debugs:

diagnose wad debug enable category auth
diagnose wad debug enable level info
diagnose debug enable

Successful authentication will show the following elements (the left-hand portion of each debug line has been removed):

wad_ztna_portal_auth_status_proc :378 authenticate result=challenge
wad_ztna_portal_get_user :673 process=2213 auth-rule=rule-portal user=/0/0 ip-based/auth-cookie/transact=1/0/0 auth_req=0x7ff71e88a308
wad_usr_pass_auth_on_fnbam_resp :767 finished password authentication user1/ res=success (oldres=success)
wad_auth_ms_make_on_fnbam_resp :1125 server=RADIUSERV
wad_auth_ms_make_on_fnbam_resp :1130 server=RADIUSERV grp=mygroup1
wad_usr_pass_auth_on_fnbam_resp :800 auth user=user1 local-shadowed=0 through server=RADIUSERV
wad_http_auth_update_user_ext2 :3321 updating user. ip: 10.0.4.52, type:IP ms:1 is_machine: 0
wad_auth_inc_user_count :1740 increased user count, quota:128000, n_shared_user:1, vd_used: 1, vd_max: 0, vd_gurant
wad_inform_req_user_add_notify :796 Reponse Add-User from informer: succ auth_req=0x7ff71e88a308
wad_auth_membership_match :1289 grp(GR1): id=1 type=firewall member_sz=1; user(user1):
wad_usr_collect_usrgrp :2847 Match grp(RADIUSGR): SUCCESS
wad_ztna_portal_auth_status_proc :378 authenticate result=success

  2. Connectivity once authenticated - enable the following debugs to see which proxy policy the session matches:

diag wad debug enable category policy
diag wad debug enable level info
diag debug enable

wad_http_policy_match_one :464 fw_pol_id=33(pol_ctx:th|A|7|=p) pflag:H|W|U|A asyn_info=1
wad_fw_policy_async_match :5726 pol_ctx:th|A|7|=d
wad_http_req_policy_set :10028 match policy-id=33(pol_ctx:th|A|7|=d) vd=0(ses_ctx:ct|Pv|Me|H|C|A1r|O) (10.0.4.52:52454@3 -> 10.0.2.10:3389@5)
wad_http_req_proc_policy :9654 policy result:vf_id=0:0 sec_profile=0x7ff71e8a0648 set_cookie=0
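A debug capture from a busy unit is many screens long, and the lines above are the handful that answer the usual questions. The script below is an added example (not from the article and not a Fortinet tool) that reduces a 'diagnose wad debug' capture to those facts: the sequence of authentication results, the user, RADIUS server and matched group, the client IP, and the proxy policy and flow the session matched. Its sample input is the article's own debug output, and its regular expressions are keyed on the wording of those lines; other FortiOS builds may phrase them differently, which is an assumption to check before relying on it.

```python
"""Added example (not from the article or from Fortinet): reduce the 'diagnose
wad debug' output shown above to the facts that matter when troubleshooting the
ZTNA portal: authentication outcome, user/server/group, client IP, and the proxy
policy the session matched. Patterns assume the line wording shown in the article.
"""
import re

# Constructed sample: the debug lines quoted in the article, as one capture.
SAMPLE_DEBUG = """\
wad_ztna_portal_auth_status_proc :378 authenticate result=challenge
wad_ztna_portal_get_user :673 process=2213 auth-rule=rule-portal user=/0/0 ip-based/auth-cookie/transact=1/0/0 auth_req=0x7ff71e88a308
wad_usr_pass_auth_on_fnbam_resp :767 finished password authentication user1/ res=success (oldres=success)
wad_auth_ms_make_on_fnbam_resp :1130 server=RADIUSERV grp=mygroup1
wad_usr_pass_auth_on_fnbam_resp :800 auth user=user1 local-shadowed=0 through server=RADIUSERV
wad_http_auth_update_user_ext2 :3321 updating user. ip: 10.0.4.52, type:IP ms:1 is_machine: 0
wad_auth_membership_match :1289 grp(GR1): id=1 type=firewall member_sz=1; user(user1):
wad_usr_collect_usrgrp :2847 Match grp(RADIUSGR): SUCCESS
wad_ztna_portal_auth_status_proc :378 authenticate result=success
wad_http_policy_match_one :464 fw_pol_id=33(pol_ctx:th|A|7|=p) pflag:H|W|U|A asyn_info=1
wad_http_req_policy_set :10028 match policy-id=33(pol_ctx:th|A|7|=d) vd=0(ses_ctx:ct|Pv|Me|H|C|A1r|O) (10.0.4.52:52454@3 -> 10.0.2.10:3389@5)
"""

# Each pattern keys on the WAD function name or a distinctive phrase in the line.
AUTH_RESULT = re.compile(r"wad_ztna_portal_auth_status_proc .*authenticate result=(\w+)")
AUTH_USER = re.compile(r"auth user=(\S+) .*through server=(\S+)")
GROUP_MATCH = re.compile(r"Match grp\(([^)]+)\): (\w+)")
CLIENT_IP = re.compile(r"updating user\. ip: ([0-9.]+),")
POLICY_SET = re.compile(
    r"match policy-id=(\d+).*\(([0-9.]+):(\d+)@\d+ -> ([0-9.]+):(\d+)@\d+\)")


def summarise_wad_debug(text):
    """Walk the capture line by line and collect the fields above.
    'authenticated' is True only if the last status line reports success."""
    s = {"auth_results": [], "user": None, "server": None, "groups": [],
         "client_ip": None, "policy_id": None, "flow": None}
    for line in text.splitlines():
        if m := AUTH_RESULT.search(line):
            s["auth_results"].append(m.group(1))      # e.g. challenge, success
        elif m := AUTH_USER.search(line):
            s["user"], s["server"] = m.groups()
        elif m := GROUP_MATCH.search(line):
            s["groups"].append((m.group(1), m.group(2)))
        elif m := CLIENT_IP.search(line):
            s["client_ip"] = m.group(1)
        elif m := POLICY_SET.search(line):
            s["policy_id"] = int(m.group(1))
            s["flow"] = f"{m.group(2)}:{m.group(3)} -> {m.group(4)}:{m.group(5)}"
    s["authenticated"] = bool(s["auth_results"]) and s["auth_results"][-1] == "success"
    return s


if __name__ == "__main__":
    for key, value in summarise_wad_debug(SAMPLE_DEBUG).items():
        print(f"{key:14} {value}")
```

The first status line on a fresh session reads result=challenge, which is the portal asking for credentials rather than a failure; only the final status line decides the outcome, which is why the summary looks at the last one. A capture that ends in challenge with no user line points at the credentials or the RADIUS server, while a successful authentication with no policy-id line points at the proxy policy rather than at authentication.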