btey (Staff)
Article Id 200309
Description

This article describes a change introduced in FortiOS 7.0.2: ZTNA configurations no longer require a manually created firewall policy to forward traffic to the access proxy VIP.

The policy is implicitly generated from the ZTNA rule configuration.

Changes:

- Firewall policies no longer have the ZTNA toggle for switching between Full ZTNA and IP/MAC filtering.
- To perform IP/MAC filtering with ZTNA tags, assign tags under IP/MAC Based Access Control in a firewall policy.
- ZTNA rules must include a source interface.

Upgrading:

- If an access-proxy type proxy-policy does not have a srcintf, it will be set to any after upgrading.
- All full ZTNA firewall policies will be removed automatically.

Scope
Solution

Before 7.0.2, a firewall policy was required to match client requests and redirect them to the access proxy VIP.

To configure a firewall policy for full ZTNA in the CLI:


# config firewall policy
    edit <policy ID>
        set name <policy name>
        set srcintf <source interface>
        set dstintf "any"
        set srcaddr <source address>
        set dstaddr <access proxy VIP>
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set logtraffic all
        set nat enable
    next
end


As of 7.0.2, the firewall policy that forwards traffic to the access proxy VIP is implicitly generated from the ZTNA rule configuration and does not need to be created manually.

When upgrading from a version before 7.0.2 to FortiOS 7.0.2, the ZTNA rule source interface will be set to any (where none was configured) and all full ZTNA firewall policies will be removed automatically.
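
Because the upgrade silently widens a ZTNA rule with no source interface to any, a post-upgrade audit is worth running. The following Python script is an added example, not part of this article or of Fortinet's tooling: it parses a FortiOS configuration dump in the standard CLI format, collects the access-proxy type proxy-policies, and flags those whose srcintf is missing or includes any. The sample configuration, policy names and interface names are constructed for illustration.

```python
# Added example (not from the Fortinet article): audit a FortiOS config dump for
# ZTNA rules (access-proxy proxy-policies) whose srcintf is missing or "any".
import shlex

# Constructed sample in FortiOS CLI dump format: rule 1 has a specific
# srcintf, rule 2 is what a pre-7.0.2 rule without srcintf becomes after
# upgrade, rule 3 is not a ZTNA rule and must be ignored.
SAMPLE_CONFIG = """\
config firewall proxy-policy
    edit 1
        set name "ztna-web"
        set type access-proxy
        set srcintf "port2"
    next
    edit 2
        set name "ztna-upgraded"
        set type access-proxy
        set srcintf "any"
    next
    edit 3
        set name "explicit-web"
        set type explicit-web
    next
end
"""


def parse_proxy_policies(config_text):
    """Return {policy_id: {key: [values]}} for the firewall proxy-policy table."""
    policies, current, in_table = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config firewall proxy-policy":
            in_table = True
        elif in_table and line == "end":
            break  # end of the proxy-policy table
        elif in_table and line.startswith("edit "):
            current = line.split(None, 1)[1]
            policies[current] = {}
        elif in_table and line.startswith("set ") and current is not None:
            tokens = shlex.split(line)  # strips the quotes around "port2"
            policies[current][tokens[1]] = tokens[2:]  # multi-value aware
    return policies


def find_broad_ztna_rules(config_text):
    """IDs of access-proxy rules whose srcintf is absent or includes "any"."""
    return [
        pid for pid, attrs in parse_proxy_policies(config_text).items()
        if attrs.get("type") == ["access-proxy"]
        and (not attrs.get("srcintf") or "any" in attrs["srcintf"])
    ]
```

Feed it the output of `show firewall proxy-policy` (or a full config backup) and review every flagged rule, restoring the intended source interface.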


Reference:

https://docs.fortinet.com/document/fortigate/7.0.2/fortios-release-notes/230510/changes-in-default-b...
https://docs.fortinet.com/document/fortigate/7.0.0/new-features/541261/implicitly-generate-a-firewal...
https://docs.fortinet.com/document/fortigate/7.0.0/new-features/194961/basic-ztna-configuration