Technical Tip: Protecting a ZTNA access-proxy against malicious sources using ISDBs

Hassan97wsh · ‎07-22-2025

Description

This article describes that when configuring ZTNA proxy policies, the ISDB objects cannot be selected as source.

This article explains how to secure a ZTNA access proxy from malicious sources using local-in policies with ISDB objects.

Scope

FortiGate configured with a ZTNA access proxy and ZTNA proxy policies.

Solution

Since an ISDB object cannot be selected directly in ZTNA proxy policies, a local-in firewall policy can be used to block traffic from specific sources. The local-in policy parameters should match the Virtual IP external interface, IP address, and port. In the example below, the built-in HTTPS service matches the external port 443, but if the port is different, then a custom service can also be defined.

The example shows 'Malicious-Malicious.Server' ISDB object being selected, but other reputation-based ISDB objects may also be selected.

Access-proxy VIP configuration:

config firewall vip
edit "ZTNA-HTTPS-1"
set type access-proxy
set server-type https
set extip 172.20.255.5
set extintf "port1"
set extport 443
set ssl-certificate "demo_cert"
next
end

Local-in policy configuration:

config firewall local-in-policy
edit 1
set intf "port1"
set dstaddr "172.20.255.5"
set internet-service-src enable
set internet-service-src-name "Malicious-Malicious.Server"
set service "HTTPS"
set schedule "always"
next
end

Related documents:
Local-in policy
Technical Tip: Configuring a 'Custom Service' in FortiOS

Technical Tip: Protecting a ZTNA access-proxy against malicious sources using ISDBs

You are leaving our website