Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
acvaldez
Staff
Staff

Created on ‎01-04-2023 11:54 PM Edited on ‎11-08-2024 05:57 AM By Moderator

Article Id 242053

Technical Tip: Sample configuration Proxy ZTNA

Description This article describes how to show some samples of Proxy ZTNA configuration and sample traffic.
Scope FortiGate.
Solution

Diagram: 

 

acvaldez_0-1672902251859.png

 

 

Configuration:

 

  • Windows machine where the Forticlient is connected to EMS.

 

acvaldez_1-1672902329343.png

 

  • On EMS, it is now possible to see the FortiClient registered to it.

 

acvaldez_2-1672902329394.png

 

  • Zero Trust Tagging Rule set on EMS.

 

acvaldez_3-1672902329418.png

 

  • Zero Trust Tag Monitor.

 

acvaldez_4-1672902329449.png

 

 

  • FortiGate where the Security Fabric EMS is configured:

 

acvaldez_5-1672902329456.png

 

  • Status is connected.

 

acvaldez_6-1672902329459.png

 

acvaldez_7-1672902329461.png

 

acvaldez_8-1672902329464.png

 

  • Under Policy & Objects -> ZTNA -> ZTNA Tags in FortiGate, all tags are in synced from EMS to the FortiGate.

 

acvaldez_9-1672902329483.png

 

  • ZTNA server is configured. The 10.115.1.42 is the internal IP of the FortiGate. A web server will be used for this testing.

 

acvaldez_10-1672902329501.png

 

  • ZTNA Rules in the FortiGate, Firewall Policy, and Proxy Policy. 

 

acvaldez_11-1672902329512.png

 

acvaldez_12-1672902329521.png

 

acvaldez_13-1672902329528.png

 

Note: Starting from FortiOS 7.2.5, ZTNA rules tap under Policy & Objects -> ZTNA is removed. Instead, it can be configured under Policy & Objects -> Proxy Policy. It can also be configured under Policy & Objects -> Firewall Policy and select ZTNA. However, this method will not allow control access based on destination interface or real server’s destination address. For more information, refer to this admin guide

 

Sample traffic: 

 

  • The FortiGate is on Firmware version 7.0.6 and the EMS version is 7.0.7.
  • IIS server is accessed behind the FortiGate from ZTNA client 10.47.1.80. and the server IP address behind the FortiGate IP is 10.115.2.86.
  • Logs showing that the right policy are used.

 

acvaldez_14-1672902434943.png

 

  • IIS Server access result.

 

acvaldez_15-1672902434953.png

 

  • WAD debug output:

 

[I][p:226][s:13871][r:6] wad_http_vs_check_dst_ovrd        :1044  1:FirewallInternalIPAccess:1: Found server: 10.115.2.86:80

[V][p:226][s:13871][r:6] wad_http_req_exec_act             :11851 dst_addr_type=3 wc_nontp=0 sec_web=1 web_cache=0 req_bypass=0

[V][p:226][s:13871][r:6] wad_get_dst_intf_idx2             :214   rc = 0, new rt entry oif=5

[V][p:226][s:13871][r:6] wad_http_req_get_dst_intf         :10680 @@@ vd=0 dst=10.115.2.86 ifidx=5

[V][p:226][s:13871][r:6] wad_http_req_vs_check_policy      :10826 HTTP req=0x7fdd4787d710 out_intf=5, vwl=0

[V][p:226][s:13871][r:6] wad_http_req_check_policy         :10547 starting policy matching(vs_pol= 1):10.47.1.80:49193->10.115.2.86:80

[V][p:226][s:13871][r:6] wad_fw_addr_match_ap              :1041  matching ap:FirewallInternalIPAccess(24) with vip addr:FirewallInternalIPAccess(24)

[V][p:226][s:13871][r:6] wad_fw_policy_set_check_id        :4856  pol_id=1 dev_cked=0

[V][p:226][s:13871][r:6] wad_dev_get_key                   :3756  try get cert key, cert_info=0x7fdd48d3ede8, issued_by=ems

[V][p:226][s:13871][r:6] wad_dev_get_key                   :3763  ci->sn=0x7fdd47c250d8, ci->issuer=0x7fdd47c25f80, ci->cn=0x7fdd47c24ce8, ci->cn->len=32

[V][p:226][s:13871][r:6] wad_dev_make_key                  :3743  uid 8C1B97971D574DC086377A33C951E81A, sn FCTEMS8822008166, len 50

[V][p:226][s:13871][r:6] wad_inform_msg_hdr_get            :578   msg=DevQuery code=OK seq=6

[I][p:226][s:13871][r:6] wad_http_req_check_policy         :10620 match policy vd=0 out_if=5 10.47.1.80:49193 -> 10.115.2.86:80

[V][p:226][s:13871][r:6] wad_http_msg_strm_pause           :955   strm paused, flag=0x2 is_clt=1

[V][p:226][s:13871][r:6] wad_http_clt_read_sync            :1837  hs=0x7fdd475322b0 pause=(1/0x2) ret=1 execute=wad_http_clt_read_req_line

[V][p:226][s:13871][r:6] wad_tcp_port_out_read_block       :995   tcp_port 0x7fdd47664048 fd=72 on=1 n_out_block=0~>1 in(/out)_shutdown=0/0 closed=0 stat

 

 

Related articles: 
1211
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.