Description
When configuring ZTNA proxy policies, ISDB objects cannot be selected as the source. This article explains how to protect a ZTNA access proxy from malicious sources by using local-in policies with ISDB objects instead.
Scope
FortiGate configured with a ZTNA access proxy and ZTNA proxy policies.
Solution
Since an ISDB object cannot be selected directly in a ZTNA proxy policy, a local-in firewall policy can be used to block traffic from specific sources before it reaches the access proxy. The local-in policy parameters must match the Virtual IP's external interface, external IP address, and external port. In the example below, the built-in HTTPS service matches external port 443; if the VIP listens on a different port, define a custom service for that port instead.
The example selects the 'Malicious-Malicious.Server' ISDB object, but other reputation-based ISDB objects may also be selected.
Access-proxy VIP configuration:
config firewall vip
Local-in policy configuration:
config firewall local-in-policy
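A complete worked configuration for the setup described above, added here as an illustration and not taken from the article: the VIP name, external IP, interface name, address object name and policy ID are assumed placeholders, while the ISDB object name is the one the article uses. The local-in policy is keyed on the same interface, IP and port as the VIP, so flagged sources are dropped before the ZTNA proxy policy is ever consulted.

```text
# Added example, not from the article. Names, IPs and the policy ID are placeholders.
# 1) ZTNA access proxy VIP. Note extintf / extip / extport: the local-in policy
#    below must match exactly these three values.
config firewall vip
    edit "ZTNA-Proxy-VIP"
        set type access-proxy
        set extip 203.0.113.10
        set extintf "port1"
        set server-type https
        set extport 443
        set ssl-certificate "Fortinet_Factory"
    next
end

# 2) Address object for the VIP's external IP, used as the local-in dstaddr.
config firewall address
    edit "ZTNA-Proxy-ExtIP"
        set subnet 203.0.113.10 255.255.255.255
    next
end

# 3) Local-in policy: deny ISDB-flagged sources reaching the VIP listener.
#    Built-in HTTPS service is used because extport is 443; define a custom
#    service instead if the VIP listens on another port.
#    (ISDB-as-source keywords follow the FortiOS 7.x CLI; confirm on your version.)
config firewall local-in-policy
    edit 1
        set intf "port1"
        set internet-service-src enable
        set internet-service-src-name "Malicious-Malicious.Server"
        set dstaddr "ZTNA-Proxy-ExtIP"
        set service "HTTPS"
        set schedule "always"
        set action deny
        set status enable
    next
end
```

After applying it, a connection attempt from a flagged source to 203.0.113.10:443 should appear as denied in the local-in policy logs rather than in the ZTNA proxy policy logs, which confirms the block happens before the proxy.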