FortiPAM
FortiPAM allows you to protect, isolate and secure privileged account credentials, manage and control privileged user access, and monitor and record privileged account activity.
rbraha
Staff
Article Id 406803
Description

 

This article describes how to provide remote access to FortiPAM using a FortiGate ZTNA Gateway.

 

Scope

 

FortiPAM.

 

Solution

 

In deployments where a FortiGate sits between the endpoint and FortiPAM, FortiPAM must be published through an HTTPS-type ZTNA access proxy on the FortiGate; FortiGate ZTNA TCP forwarding cannot be used for this purpose.

 

 Security recommendations:

  • Firewall access policies to allow/block traffic to FortiPAM should be in place. A secure remote access method should be used to access FortiPAM remotely.
  • Firewall access policies to allow FortiPAM access to the privileged systems should be in place. Only the required ports/services should be allowed.
  • Strong authentication methods should be used to log in to FortiPAM. FIDO2 (Technical Tip: activate FIDO authentication) is recommended, but traditional MFA is also acceptable.
  • Role based access control should be used on FortiPAM to only grant access to that which is explicitly required by the user.
  • Separate FortiPAM interfaces, each restricted with source IP filtering, may be used to segregate contractor access from employee access, or to segregate different categories of employee access from each other.

 

Figure 1. FortiPAM Remote Access

 

Advantages:

  • Secured behind FortiGate ZTNA Tunnel.
  • Native application launchers are supported.
  • An additional authentication layer: FortiGate ZTNA authentication is independent of FortiPAM authentication, so both can be enforced.

Disadvantages:

  • Requires FortiClient with a ZTNA license, so it may not be appropriate for external users.

 

ZTNA policy requirements:

On the FortiGate side, only HTTPS-type ZTNA is supported (TCP-forwarding is not supported).

 

DNS Requirements:

Public DNS

  • FQDN used for FortiPAM must resolve to the IP address of the ZTNA gateway configured on FortiGate.

Example: pam.fortipam.lab -> 10.255.255.100 (FortiGate ZTNA VIP).

 

Private DNS

  • The FortiGate must resolve the FortiPAM FQDN to the internal IP address of FortiPAM.

Example: pam.fortipam.lab -> 192.168.0.99

 

  • The FQDN of the FortiPAM web proxy must resolve to the internal IP address of the FortiPAM interface on which the web proxy is enabled.

Example: pamproxy.fortipam.lab -> 192.168.0.99

 

ZTNA Server configuration:

  • Create an HTTPS ZTNA server using the FortiPAM FQDN.

On the FortiGate, pam.fortipam.lab resolves to the internal IP address of FortiPAM (192.168.0.99 in this example), so the real server can be defined by FQDN.

Alternatively, set the ZTNA server's address type to IP and enter the FortiPAM IP address directly.

 

Figure 2. ZTNA Server Configuration

 

 

ZTNA Policy Configuration

  • Create the ZTNA policy.
  • If authentication is enabled on the ZTNA gateway, include the relevant user groups.
  • Include any desired security posture tags.

Figure 3. ZTNA Policy Configuration

 

ZTNA Access Proxy Configuration:

Disable server pool multiplexing in the FortiGate ZTNA access proxy configuration.

 

Figure 4. ZTNA access proxy

 

  • If the 'IP' address type is used for the real server, disable the 'translate-host' option.

Figure 5. ZTNA Access Proxy configuration
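The FortiGate side of the procedure above (ZTNA server, ZTNA policy and access proxy settings), as an added CLI example that is not part of the original article. It assumes FortiOS 7.x CLI syntax, the example names and addresses from the DNS section, and objects that are hypothetical and must already exist on your FortiGate: a server certificate "FortiPAM-ZTNA-Cert", a user group "FortiPAM-Users", an EMS ZTNA tag "EMS1_ZTNA_all_registered_clients" and the external interface "port1". The "#" lines are annotations. Option names should be checked against the CLI reference for your FortiOS version.

```fortios
# Address object for the FortiPAM FQDN. The FortiGate's own resolver must
# return FortiPAM's internal address for it (192.168.0.99 in the article).
config firewall address
    edit "FortiPAM-FQDN"
        set type fqdn
        set fqdn "pam.fortipam.lab"
    next
end

# ZTNA VIP: the address the public DNS record for pam.fortipam.lab points at.
config firewall vip
    edit "ZTNA-FortiPAM-VIP"
        set type access-proxy
        set extip 10.255.255.100
        set extintf "port1"
        set server-type https
        set extport 443
        set ssl-certificate "FortiPAM-ZTNA-Cert"
    next
end

# HTTPS-type ZTNA server. TCP forwarding is not supported for FortiPAM,
# and server pool multiplexing must be disabled (Figure 4).
config firewall access-proxy
    edit "ZTNA-FortiPAM"
        set vip "ZTNA-FortiPAM-VIP"
        set client-cert enable
        set server-pool-multiplex disable
        config api-gateway
            edit 1
                set url-map "/"
                set service https
                config realservers
                    edit 1
                        # Real server defined by FQDN (Figure 2).
                        set addr-type fqdn
                        set address "FortiPAM-FQDN"
                        set port 443
                    next
                end
            next
        end
    next
end

# Alternative real server using the IP address type (Figure 5). With this
# form translate-host must be disabled. Use it instead of, not in addition
# to, the FQDN entry above.
#                    edit 1
#                        set addr-type ip
#                        set ip 192.168.0.99
#                        set port 443
#                        set translate-host disable
#                    next

# ZTNA policy (Figure 3): user group and posture tag are both evaluated.
config firewall proxy-policy
    edit 1
        set name "ZTNA-FortiPAM"
        set proxy access-proxy
        set access-proxy "ZTNA-FortiPAM"
        set srcintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set ztna-ems-tag "EMS1_ZTNA_all_registered_clients"
        set groups "FortiPAM-Users"
        set action accept
        set logtraffic all
    next
end
```

After applying the configuration, confirm from a FortiClient endpoint that https://pam.fortipam.lab resolves to 10.255.255.100 and loads the FortiPAM login page through the ZTNA tunnel, and confirm from the FortiGate CLI (execute ping pam.fortipam.lab) that the FortiGate itself resolves the same name to 192.168.0.99.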

 

 FortiPAM Configuration:

  • Tunnel Encryption must be enabled to support native application launchers. It is recommended to enable it in the Secret Policy rather than per secret.

 

Figure 6. FortiPAM configuration

 

FortiClient ZTNA configuration:

  • Configure a ZTNA destination for TCP forwarding to the FortiPAM web proxy (only if the web proxy feature is needed).
  • Encryption MUST be enabled on that destination.

 

Figure 7. FortiClient ZTNA configuration