FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
btey
Staff
Staff
Description

This article describes that ZTNA configurations no longer require a firewall policy to forward traffic to the access proxy VIP.

 

This is implicitly generated based on the ZTNA rule configuration.

 

Changes:

- Firewall policies no longer have the ZTNA toggle for switching between Full ZTNA and IP/MAC filtering.


- To perform IP/MAC filtering with ZTNA tags, assign tags under IP/MAC Based Access Control in a firewall policy.


- ZTNA rules must include a source interface.

 

Upgrading:

- If an access-proxy type proxy-policy does not have a srcintf, then after upgrading it will be set to any.


- All full ZTNA firewall policy will be automatically removed.

Scope  
Solution

Before 7.0.2, firewall policy is required to matche and redirect client requests to the access proxy VIP

 

To configure a firewall policy for full ZTNA in the CLI:


# config firewall policy
    edit <policy ID>
        set name <policy name>
        set srcintf <source interface>
        set dstintf "any"
        set srcaddr <source address>
        set dstaddr <access proxy VIP>
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set logtraffic all
        set nat enable
    next
end

 

For 7.0.2, firewall policy to forward traffic to the access proxy VIP is implicitly generated based on the ZTNA rule configuration, and does not need to be manually created.

 

For version before 7.0.2 and upgrading to FortiOS 7.0.2, the ZTNA rule source interface will be set to any and all full ZTNA firewall policies will automatically be removed.

 

Reference: 

 

https://docs.fortinet.com/document/fortigate/7.0.2/fortios-release-notes/230510/changes-in-default-b...

 

https://docs.fortinet.com/document/fortigate/7.0.0/new-features/541261/implicitly-generate-a-firewal...

 

https://docs.fortinet.com/document/fortigate/7.0.0/new-features/194961/basic-ztna-configuration

Contributors