Description | This article shows a sample proxy ZTNA configuration on a FortiGate together with sample traffic and the matching WAD debug output. |
Scope | FortiGate. |
Solution |
Diagram:
Configuration:
- Windows machine where FortiClient is connected to EMS.
- On EMS, it is now possible to see the FortiClient registered to it.
- Zero Trust Tagging Rule set on EMS.
- Zero Trust Tag Monitor.
- FortiGate where the Security Fabric EMS is configured:
- Status is connected.
- Under ZTNA Tags on the FortiGate, all tags are synced from EMS to the FortiGate.
- The ZTNA server is configured. 10.115.1.42 is the internal IP of the FortiGate. A web server will be used for this test.
- ZTNA Rules in the FortiGate, Firewall Policy, and Proxy Policy.
Sample traffic:
- The FortiGate is on firmware version 7.0.6 and the EMS version is 7.0.7.
- The IIS server behind the FortiGate is accessed from ZTNA client 10.47.1.80; the server IP address behind the FortiGate is 10.115.2.86.
- Logs showing that the right policy is used.
- IIS Server access result.
- WAD debug output:
[I][p:226][s:13871][r:6] wad_http_vs_check_dst_ovrd :1044 1:FirewallInternalIPAccess:1: Found server: 10.115.2.86:80
[V][p:226][s:13871][r:6] wad_http_req_exec_act :11851 dst_addr_type=3 wc_nontp=0 sec_web=1 web_cache=0 req_bypass=0
[V][p:226][s:13871][r:6] wad_get_dst_intf_idx2 :214 rc = 0, new rt entry oif=5
[V][p:226][s:13871][r:6] wad_http_req_get_dst_intf :10680 @@@ vd=0 dst=10.115.2.86 ifidx=5
[V][p:226][s:13871][r:6] wad_http_req_vs_check_policy :10826 HTTP req=0x7fdd4787d710 out_intf=5, vwl=0
[V][p:226][s:13871][r:6] wad_http_req_check_policy :10547 starting policy matching(vs_pol= 1):10.47.1.80:49193->10.115.2.86:80
[V][p:226][s:13871][r:6] wad_fw_addr_match_ap :1041 matching ap:FirewallInternalIPAccess(24) with vip addr:FirewallInternalIPAccess(24)
[V][p:226][s:13871][r:6] wad_fw_policy_set_check_id :4856 pol_id=1 dev_cked=0
[V][p:226][s:13871][r:6] wad_dev_get_key :3756 try get cert key, cert_info=0x7fdd48d3ede8, issued_by=ems
[V][p:226][s:13871][r:6] wad_dev_get_key :3763 ci->sn=0x7fdd47c250d8, ci->issuer=0x7fdd47c25f80, ci->cn=0x7fdd47c24ce8, ci->cn->len=32
[V][p:226][s:13871][r:6] wad_dev_make_key :3743 uid 8C1B97971D574DC086377A33C951E81A, sn FCTEMS8822008166, len 50
[V][p:226][s:13871][r:6] wad_inform_msg_hdr_get :578 msg=DevQuery code=OK seq=6
[I][p:226][s:13871][r:6] wad_http_req_check_policy :10620 match policy vd=0 out_if=5 10.47.1.80:49193 -> 10.115.2.86:80
[V][p:226][s:13871][r:6] wad_http_msg_strm_pause :955 strm paused, flag=0x2 is_clt=1
[V][p:226][s:13871][r:6] wad_http_clt_read_sync :1837 hs=0x7fdd475322b0 pause=(1/0x2) ret=1 execute=wad_http_clt_read_req_line
[V][p:226][s:13871][r:6] wad_tcp_port_out_read_block :995 tcp_port 0x7fdd47664048 fd=72 on=1 n_out_block=0~>1 in(/out)_shutdown=0/0 closed=0 stat |
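The WAD trace is the quickest way to confirm that a ZTNA request went through the expected steps: the access proxy selected the real server (Found server), the client certificate presented by FortiClient was issued by EMS (issued_by=ems), EMS answered the device query (msg=DevQuery code=OK) and the proxy policy matched (pol_id=1, then match policy). The script below is added here as an example and is not part of this article or of Fortinet's own tooling: it reduces such a trace to a summary and reports which of those steps is missing. The embedded input is a copy of the debug lines shown above; the function names and the summary field names are this example's own choice.

```python
"""Summarize a FortiGate WAD debug trace for one ZTNA HTTP request.

Added example for this article; it is not Fortinet code. It reads the
messages printed by the wad daemon, picks out the lines that record the
real-server selection, the client-certificate issuer, the EMS device query
and the proxy-policy match, and reports which of those steps are missing.
The summary field names below are this example's own choice.
"""
import re

# Debug lines copied from the WAD output shown above in this article.
SAMPLE_TRACE = """\
[I][p:226][s:13871][r:6] wad_http_vs_check_dst_ovrd :1044 1:FirewallInternalIPAccess:1: Found server: 10.115.2.86:80
[V][p:226][s:13871][r:6] wad_http_req_get_dst_intf :10680 @@@ vd=0 dst=10.115.2.86 ifidx=5
[V][p:226][s:13871][r:6] wad_http_req_check_policy :10547 starting policy matching(vs_pol= 1):10.47.1.80:49193->10.115.2.86:80
[V][p:226][s:13871][r:6] wad_fw_addr_match_ap :1041 matching ap:FirewallInternalIPAccess(24) with vip addr:FirewallInternalIPAccess(24)
[V][p:226][s:13871][r:6] wad_fw_policy_set_check_id :4856 pol_id=1 dev_cked=0
[V][p:226][s:13871][r:6] wad_dev_get_key :3756 try get cert key, cert_info=0x7fdd48d3ede8, issued_by=ems
[V][p:226][s:13871][r:6] wad_dev_make_key :3743 uid 8C1B97971D574DC086377A33C951E81A, sn FCTEMS8822008166, len 50
[V][p:226][s:13871][r:6] wad_inform_msg_hdr_get :578 msg=DevQuery code=OK seq=6
[I][p:226][s:13871][r:6] wad_http_req_check_policy :10620 match policy vd=0 out_if=5 10.47.1.80:49193 -> 10.115.2.86:80
[V][p:226][s:13871][r:6] wad_http_msg_strm_pause :955 strm paused, flag=0x2 is_clt=1
"""

# Common prefix of every wad message: [level][p:pid][s:session][r:request] func :srcline msg
LINE_RE = re.compile(
    r"^\[(?P<level>[A-Z])\]\[p:(?P<pid>\d+)\]\[s:(?P<sess>\d+)\]\[r:(?P<req>\d+)\]\s+"
    r"(?P<func>\w+)\s*:(?P<srcline>\d+)\s+(?P<msg>.*)$"
)
FOUND_SERVER_RE = re.compile(r"Found server: (?P<ip>[\d.]+):(?P<port>\d+)")
POLICY_START_RE = re.compile(
    r"starting policy matching\(vs_pol=\s*(?P<vs_pol>\d+)\):"
    r"(?P<cip>[\d.]+):(?P<cport>\d+)->(?P<sip>[\d.]+):(?P<sport>\d+)"
)
POL_ID_RE = re.compile(r"pol_id=(?P<pol_id>\d+)")
ISSUED_RE = re.compile(r"issued_by=(?P<issuer>\w+)")
MAKE_KEY_RE = re.compile(r"uid (?P<uid>[0-9A-Fa-f]+), sn (?P<sn>\w+)")
DEVQUERY_RE = re.compile(r"msg=(?P<msg>\w+) code=(?P<code>\w+) seq=(?P<seq>\d+)")
MATCH_RE = re.compile(
    r"match policy vd=(?P<vd>\d+) out_if=(?P<oif>\d+) "
    r"(?P<cip>[\d.]+):(?P<cport>\d+) -> (?P<sip>[\d.]+):(?P<sport>\d+)"
)


def parse_wad_trace(text: str) -> dict:
    """Collapse the wad messages of one request into a flat summary."""
    summary = {
        "session": None, "request": None,
        "client": None, "server": None, "real_server": None,
        "vs_pol": None, "pol_id": None, "out_if": None,
        "cert_issuer": None, "client_uid": None, "ems_sn": None,
        "dev_query": None, "policy_matched": False,
    }
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a wad message (prompt echo, blank line): skip it
        summary["session"], summary["request"] = m["sess"], m["req"]
        func, msg = m["func"], m["msg"]
        if func == "wad_http_vs_check_dst_ovrd" and (x := FOUND_SERVER_RE.search(msg)):
            summary["real_server"] = f"{x['ip']}:{x['port']}"        # access proxy picked the real server
        elif func == "wad_http_req_check_policy":
            if x := POLICY_START_RE.search(msg):                      # policy lookup for client -> server
                summary["vs_pol"] = int(x["vs_pol"])
                summary["client"] = f"{x['cip']}:{x['cport']}"
                summary["server"] = f"{x['sip']}:{x['sport']}"
            elif x := MATCH_RE.search(msg):                           # a proxy policy accepted the request
                summary["policy_matched"] = True
                summary["out_if"] = int(x["oif"])
        elif func == "wad_fw_policy_set_check_id" and (x := POL_ID_RE.search(msg)):
            summary["pol_id"] = int(x["pol_id"])                      # candidate proxy policy ID
        elif func == "wad_dev_get_key" and (x := ISSUED_RE.search(msg)):
            summary["cert_issuer"] = x["issuer"]                      # who issued the client certificate
        elif func == "wad_dev_make_key" and (x := MAKE_KEY_RE.search(msg)):
            summary["client_uid"] = x["uid"]                          # FortiClient UID from the certificate
            summary["ems_sn"] = x["sn"]                               # EMS serial number the lookup is keyed on
        elif func == "wad_inform_msg_hdr_get" and (x := DEVQUERY_RE.search(msg)):
            if x["msg"] == "DevQuery":
                summary["dev_query"] = x["code"]                      # EMS answer to the device query
    return summary


def check_ztna_access(summary: dict) -> list:
    """List the reasons the request did not complete the expected ZTNA checks.

    An empty list means: EMS-issued client certificate, EMS device query
    answered OK, and a proxy policy matched.
    """
    problems = []
    if summary["cert_issuer"] != "ems":
        problems.append(f"client cert issuer is {summary['cert_issuer']!r}, expected 'ems'")
    if summary["dev_query"] != "OK":
        problems.append(f"EMS DevQuery result is {summary['dev_query']!r}")
    if not summary["policy_matched"]:
        problems.append("no 'match policy' line: no proxy policy accepted the request")
    return problems


if __name__ == "__main__":
    s = parse_wad_trace(SAMPLE_TRACE)
    for key, value in s.items():
        print(f"{key:15} {value}")
    print("problems:", check_ztna_access(s) or "none")
```

Feed it a trace captured on the FortiGate after enabling the WAD debug (`diagnose wad debug enable level verbose` followed by `diagnose debug enable`); a trace that stops before the `match policy` line, for example because the client certificate was not issued by the connected EMS or no proxy policy carries the synced ZTNA tag, is reported as a problem rather than silently summarized.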
Copyright 2024 Fortinet, Inc. All Rights Reserved.