Hassan97wsh
Staff
Article Id 402550
Description

This article describes a limitation of ZTNA proxy policies: ISDB (Internet Service Database) objects cannot be selected as the source.

This article explains how to secure a ZTNA access proxy from malicious sources using local-in policies with ISDB objects.

Scope

FortiGate configured with a ZTNA access proxy and ZTNA proxy policies.

Solution

Since an ISDB object cannot be selected directly in a ZTNA proxy policy, a local-in firewall policy can be used instead to block traffic from specific sources before it reaches the access proxy. The local-in policy parameters should match the Virtual IP's external interface, external IP address, and external port. In the example below, the built-in HTTPS service matches the external port 443; if a different port is used, a custom service can be defined instead.

The example uses the 'Malicious-Malicious.Server' ISDB object, but other reputation-based ISDB objects can be selected as well.

Access-proxy VIP configuration:


config firewall vip
    edit "ZTNA-HTTPS-1"
        set type access-proxy
        set server-type https
        set extip 172.20.255.5
        set extintf "port1"
        set extport 443
        set ssl-certificate "demo_cert"
    next
end


Local-in policy configuration:


config firewall local-in-policy
    edit 1
        set intf "port1"
        set dstaddr "172.20.255.5"
        set internet-service-src enable
        set internet-service-src-name "Malicious-Malicious.Server"
        set service "HTTPS"
        set schedule "always"
    next
end
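To make the matching rule above checkable, here is an added example (not Fortinet's code) that parses the two CLI blocks from this article and reports any field where the local-in policy does not line up with the VIP's external interface, IP and port, including the custom-port case. It assumes, as the article does, that the dstaddr address object is named after the IP, and it only knows the built-in HTTPS/HTTP service ports plus the tcp-portrange of a custom service.

```python
# Constructed sample: the article's access-proxy VIP and local-in policy, condensed.
SAMPLE = """config firewall vip
    edit "ZTNA-HTTPS-1"
        set type access-proxy
        set extip 172.20.255.5
        set extintf "port1"
        set extport 443
    next
end
config firewall local-in-policy
    edit 1
        set intf "port1"
        set dstaddr "172.20.255.5"
        set internet-service-src enable
        set internet-service-src-name "Malicious-Malicious.Server"
        set service "HTTPS"
    next
end"""
BUILTIN_PORTS = {"HTTPS": "443", "HTTP": "80"}  # built-in services the check knows
def parse_tables(text):
    """Return {table: {entry: {key: value}}} from FortiOS CLI text."""
    tables, table, entry = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("config "):
            table = tables.setdefault(line[7:], {})
        elif line.startswith("edit ") and table is not None:
            entry = table.setdefault(line[5:].strip('"'), {})
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            entry[key] = value.strip('"')
        elif line in ("next", "end"):
            entry, table = None, (table if line == "next" else None)
    return tables
def policy_gaps(tables, vip_name, policy_id):
    """List mismatches between the VIP's external side and the local-in policy."""
    vip, pol = tables["firewall vip"][vip_name], tables["firewall local-in-policy"][policy_id]
    gaps = []
    if pol.get("intf") != vip.get("extintf"):
        gaps.append("intf does not match extintf")
    # dstaddr is an address object; as in the article it is assumed to be named after the IP.
    if pol.get("dstaddr") != vip.get("extip"):
        gaps.append("dstaddr does not match extip")
    # Port: built-in service first, else the first port of a custom service's tcp-portrange.
    custom = tables.get("firewall service custom", {}).get(pol.get("service"), {})
    port = BUILTIN_PORTS.get(pol.get("service"), custom.get("tcp-portrange", ""))
    if port.replace(":", "-").split("-")[0] != vip.get("extport"):
        gaps.append("service port does not match extport")
    if pol.get("internet-service-src") != "enable" or not pol.get("internet-service-src-name"):
        gaps.append("no ISDB source selected")
    return gaps
```

Running `policy_gaps(parse_tables(SAMPLE), "ZTNA-HTTPS-1", "1")` returns an empty list for the article's configuration; changing only the VIP's extport to 8443 makes the check report that the built-in HTTPS service no longer matches.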


Related documents:
Local-in policy
Technical Tip: Configuring a 'Custom Service' in FortiOS