FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
CarlosColombini
Staff & Editor
Article Id 267228
Description

 

This article describes the reason why a firewall policy with ZTNA type may not work as expected.

 

Scope

 

FortiGate v7.2.5 and v7.4.0, SD-WAN, ZTNA tags, firewall policy of ZTNA type.

 

Solution

 

Starting with FortiOS 7.2.5 and 7.4.0, a ZTNA Server (access proxy VIP) can be used as the destination in a regular (forward) firewall policy, as described in the document below:

Introduce simplified ZTNA rules within firewall policies.


Additionally, traffic that matches a firewall policy of ZTNA type can be redirected to a proxy policy of ZTNA type with the setting set ztna-policy-redirect enable, which is also described in the document above.

However, a known issue, currently under investigation by Development, is triggered when the external interface configured in the ZTNA Server (access proxy VIP) is a member of an SD-WAN zone.

When this condition is met, traffic fails to match the firewall policy. The example below illustrates such a configuration:

ztna-firewall-policy1.png

 

In the 'ZTNA Traffic' logs under 'Log & Report', an entry is recorded showing that no policy was matched.

 

ztna-firewall-log1.png
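The condition above can be checked against a configuration backup before it is deployed. The following Python script is an added example and not part of this article or of FortiOS: it parses the FortiOS CLI config format (config/edit/set/next/end), collects the SD-WAN member interfaces and the access-proxy VIPs, and flags every firewall policy of ZTNA type (ztna-status enable) whose destination VIP listens on an SD-WAN member interface. The setting names used (ztna-status, extintf, type access-proxy, config members under config system sdwan) are taken from FortiOS syntax as understood here and are assumptions, as is the default zone name virtual-wan-link; the sample configuration embedded at the bottom is constructed for the example.

```python
import shlex

def _node():
    return {"set": {}, "config": {}, "edit": {}}  # one config scope

def parse_fortios(text):
    """Parse FortiOS config/edit/set/next/end text into nested dict scopes."""
    root = _node()
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        kw, args = tokens[0], tokens[1:]
        cur = stack[-1]
        if kw == "config":    # 'config firewall policy' -> key "firewall policy"
            cur["config"][" ".join(args)] = child = _node()
            stack.append(child)
        elif kw == "edit":    # table entry keyed by its id or name
            cur["edit"][args[0]] = child = _node()
            stack.append(child)
        elif kw in ("next", "end"):
            stack.pop()
        elif kw == "set":     # values kept as a list (dstaddr may hold several)
            cur["set"][args[0]] = args[1:]
    return root

def _first(scope, key, default=""):
    vals = scope["set"].get(key)
    return vals[0] if vals else default

def sdwan_member_interfaces(root):
    """{interface: zone} for every SD-WAN member; a member without an explicit
    zone is assumed to sit in the default virtual-wan-link zone (assumption)."""
    sdwan = root["config"].get("system sdwan", _node())
    members = sdwan["config"].get("members", _node())
    return {_first(m, "interface"): _first(m, "zone", "virtual-wan-link")
            for m in members["edit"].values() if _first(m, "interface")}

def access_proxy_vips(root):
    """{vip name: extintf} for VIPs of type access-proxy (the ZTNA Server)."""
    vips = root["config"].get("firewall vip", _node())
    return {name: _first(v, "extintf") for name, v in vips["edit"].items()
            if _first(v, "type") == "access-proxy"}

def find_affected_policies(root):
    """ZTNA-type firewall policies (ztna-status enable) whose dstaddr is an
    access-proxy VIP bound to an SD-WAN member interface hit the known issue."""
    members, vips = sdwan_member_interfaces(root), access_proxy_vips(root)
    policies = root["config"].get("firewall policy", _node())
    findings = []
    for pid, pol in policies["edit"].items():
        if _first(pol, "ztna-status", "disable") != "enable":
            continue
        for dst in pol["set"].get("dstaddr", []):
            extintf = vips.get(dst)
            if extintf in members:
                findings.append({"policy": pid, "name": _first(pol, "name"), "vip": dst,
                                 "extintf": extintf, "zone": members[extintf]})
    return findings

# Constructed sample (not from the article): policy 116 fronts a ZTNA Server whose
# external interface port1 is an SD-WAN member; policy 117's VIP sits on port3.
SAMPLE_CONFIG = """\
config system sdwan
    config members
        edit 1
            set interface "port1"
            set zone "virtual-wan-link"
        next
    end
end
config firewall vip
    edit "ZTNA-VIP-SDWAN"
        set type access-proxy
        set extintf "port1"
    next
    edit "ZTNA-VIP-LAN"
        set type access-proxy
        set extintf "port3"
    next
end
config firewall policy
    edit 116
        set name "DC1-ZTNA-SDWAN"
        set ztna-status enable
        set dstaddr "ZTNA-VIP-SDWAN"
    next
    edit 117
        set name "DC1-ZTNA-LAN"
        set ztna-status enable
        set dstaddr "ZTNA-VIP-LAN"
    next
end
"""
```

Running find_affected_policies(parse_fortios(SAMPLE_CONFIG)) returns a single finding for policy 116, whose VIP listens on port1 in the virtual-wan-link zone; policy 117 is not reported because port3 is not an SD-WAN member. To audit a real device, replace SAMPLE_CONFIG with the text of a configuration backup; each finding is a candidate for the workarounds described below.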

 

Workaround

 

Two workarounds are available until a permanent fix is released in a future version.

Method 1: Disable the firewall policy configured in ZTNA mode and create a proxy policy instead.

The proxy policy in the example below has the same effect as the firewall policy shown earlier.

ztna-proxy-policy1.png

 

In the 'ZTNA Traffic' logs under 'Log & Report', an entry is recorded showing that the traffic was allowed and the proxy policy was matched.

 

ztna-proxy-log1.png

 

Method 2: Remove the ZTNA tag from the firewall policy, enable redirection to the proxy policy, and create a proxy policy.
The firewall policy may be kept enabled if that is preferable for administrative purposes. The ZTNA tag must be removed from the firewall policy of ZTNA type, but it can be kept in the proxy policy. Policy redirection must be enabled from the CLI with the command below.

 

config firewall policy
    edit <id>
        set ztna-policy-redirect {enable | disable}
    next
end


From the CLI, the resulting firewall policy looks like this:


config firewall policy
    edit 116
        set name "DC1-ZTNA-SDWAN"
        set uuid 49409ff4-3134-51ee-ef23-1bffec1f25c9
        set srcintf "virtual-wan-link"
        set dstintf "any"
        set action accept
        set srcaddr "all"
        set dstaddr "Colombas"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ztna-policy-redirect enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "Development-AV"
        set ips-sensor "g-default"
        set logtraffic all
    next
end

 

A similar log entry is recorded, since the proxy policy is the one processing the traffic redirected by the firewall policy.

 

ztna-proxy-log2.png