Technical Tip: Protecting a ZTNA access-proxy agai...

FortiGate

FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.

Article Id 402550

Description

This article describes that when configuring ZTNA proxy policies, the ISDB objects cannot be selected as source.

This article explains how to secure a ZTNA access proxy from malicious sources using local-in policies with ISDB objects.

Scope

FortiGate configured with a ZTNA access proxy and ZTNA proxy policies.

Solution

Since an ISDB object cannot be selected directly in ZTNA proxy policies, a local-in firewall policy can be used to block traffic from specific sources. The local-in policy parameters should match the Virtual IP external interface, IP address, and port. In the example below, the built-in HTTPS service matches the external port 443, but if the port is different, then a custom service can also be defined.

The example shows 'Malicious-Malicious.Server' ISDB object being selected, but other reputation-based ISDB objects may also be selected.

Access-proxy VIP configuration:

config firewall vip
edit "ZTNA-HTTPS-1"
set type access-proxy
set server-type https
set extip 172.20.255.5
set extintf "port1"
set extport 443
set ssl-certificate "demo_cert"
next
end

Local-in policy configuration:

config firewall local-in-policy
edit 1
set intf "port1"
set dstaddr "172.20.255.5"
set internet-service-src enable
set internet-service-src-name "Malicious-Malicious.Server"
set service "HTTPS"
set schedule "always"
next
end

178

Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Technical Tip: Protecting a ZTNA access-proxy against malicious sources using ISDBs

You are leaving our website