Hi,
maybe this can already be done and I am blind, and maybe ;-) someone has an idea.
It is possible to limit access for example using ZTNA to destinations.
What I am looking for is a possibility, to restrict access requesting 2FA on a virtual server, virtual IP, based inside the policy itself.
To limit outgoing access, it is possible to secure the network port or VLAN using a captive portal, but I want to achieve it INGOING to force 2FA for special services.
If this would be possible, including groups from Radius-Server for example, it would make me smile.
What I want to reach: limit access to, for example, RADIUS-based users, in and outside the VPN, while accessing a virtual server, to achieve a 2nd layer of authentication out of the box without modifying the application itself.
Thanks
Ronny
Hey Secucard,
that's essentially what ZTNA IS - a VIP with authentication.
You can set up SAML auth, with FortiAuthenticator serving as SAML IdP and FortiGate acting as SAML SP, for example, and any users trying to access the ZTNA destination will get sent to FortiAuthenticator to provide credentials (and 2FA), before being allowed.
An example:
https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/259754
You can also integrate other authentication methods into ZTNA instead (form-based/basic) and include a RADIUS group in the background.
You could in theory also just create a policy with a VIP and put a user group in there, and FortiGate *should* trigger an automatic captive portal and ask for credentials (+2FA as applicable). But if there is any other policy with the same VIP, even below the one with the user group, then that one will be preferred: by default FortiGate first checks any possible policy without a user group before matching into policies with user groups and triggering an implicit captive portal.
Cheers,
Debbie
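The policy-ordering pitfall in the reply above (a VIP policy without a user group silently taking precedence over one with a user group, so the captive portal and 2FA never fire) is easy to check for before it bites. The following is an added illustration, not FortiOS code and not from the original thread: a simplified Python model of the two-pass lookup as described in the reply, plus a small lint function that reports group-bearing policies that are shadowed by a group-less policy on the same VIP. Policy names, interface names and the VIP object are constructed placeholders; the lookup order is an assumption taken from the reply, not a documented FortiOS algorithm.

```python
"""Model of the policy-lookup order described in the reply (assumption, not
FortiOS code): policies WITHOUT a user group are tried first, top to bottom;
only if none matches are policies WITH a user group tried, and only those
trigger the implicit captive portal / 2FA prompt."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Policy:
    id: int
    src_intf: str
    dst_intf: str
    dst: str                # VIP or address-object name (constructed)
    service: str            # "ALL" or a named service
    groups: List[str] = field(default_factory=list)   # empty = no auth required


@dataclass
class Flow:
    src_intf: str
    dst_intf: str
    dst: str
    service: str


def _matches(p: Policy, f: Flow) -> bool:
    """Does policy p cover flow f? ALL covers any service."""
    return (p.src_intf == f.src_intf and p.dst_intf == f.dst_intf
            and p.dst == f.dst and p.service in ("ALL", f.service))


def lookup(policies: List[Policy], flow: Flow) -> Tuple[Optional[Policy], bool]:
    """Return (matched policy, whether authentication would be triggered)."""
    for p in policies:                      # pass 1: group-less policies
        if not p.groups and _matches(p, flow):
            return p, False
    for p in policies:                      # pass 2: group-bearing policies
        if p.groups and _matches(p, flow):
            return p, True
    return None, False


def shadowed_auth_policies(policies: List[Policy]) -> List[Tuple[int, int]]:
    """Lint: (auth_policy_id, shadowing_policy_id) pairs where a group-less
    policy covers the same interfaces, VIP and service, so 2FA never fires."""
    found = []
    for p in policies:
        if not p.groups:
            continue
        for q in policies:
            if q.groups or q.id == p.id:
                continue
            same_path = (q.src_intf == p.src_intf and q.dst_intf == p.dst_intf
                         and q.dst == p.dst)
            if same_path and q.service in ("ALL", p.service):
                found.append((p.id, q.id))
                break
    return found


# Constructed sample rule set: policy 1 requires a RADIUS group, policy 2 below
# it opens the same VIP to everyone and therefore wins on every request.
BROKEN = [
    Policy(1, "wan1", "dmz", "vip-webapp", "HTTPS", groups=["radius-2fa-users"]),
    Policy(2, "wan1", "dmz", "vip-webapp", "ALL"),
]
# Corrected set: the catch-all policy is removed (or would point at another VIP).
FIXED = [
    Policy(1, "wan1", "dmz", "vip-webapp", "HTTPS", groups=["radius-2fa-users"]),
    Policy(3, "wan1", "dmz", "vip-intranet", "ALL"),
]
FLOW = Flow("wan1", "dmz", "vip-webapp", "HTTPS")

if __name__ == "__main__":
    for name, rules in (("broken", BROKEN), ("fixed", FIXED)):
        pol, auth = lookup(rules, FLOW)
        print(f"{name}: matched policy {pol.id if pol else None}, auth={auth}, "
              f"shadowed={shadowed_auth_policies(rules)}")
```

Running the block shows the broken set matching policy 2 with no authentication and the lint reporting `(1, 2)`, while the fixed set matches policy 1 and triggers authentication. The same check is worth running whenever a VIP appears in more than one policy, since the shadowing policy may sit anywhere in the list.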