Support Forum
Secucard
New Contributor III

Fortigate with FortiAuthenticator: 2FA on virtual server or firewall rules (Feature request?)

Hi,

maybe this can already be done and I am just blind, or maybe ;-) someone has an idea.

It is possible to limit access for example using ZTNA to destinations.

What I am looking for is a possibility to restrict access by requesting 2FA on a virtual server / virtual IP, configured inside the policy itself.

To limit outgoing access, it is possible to secure the network port or VLAN using a captive portal, but I want to achieve it INGOING to force 2FA for special services.

If this were possible, including groups from a RADIUS server for example, it would make me smile.


What I want to achieve: limit access to, for example, RADIUS-based users, inside and outside the VPN, while accessing a virtual server, to get a 2nd layer of authentication out of the box without modifying the application itself.


Thanks

Ronny

Debbie_FTNT
Staff

Hey Secucard,


that's essentially what ZTNA IS - a VIP with authentication.

You can set up SAML auth, with FortiAuthenticator serving as SAML IdP and FortiGate acting as SAML SP, for example, and any users trying to access the ZTNA destination will get sent to FortiAuthenticator to provide credentials (and 2FA), before being allowed.

An example:

https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/259754


You can also integrate other authentication methods into ZTNA instead (form-based/basic) and include a RADIUS group in the background.


You could in theory also just create a policy with a VIP and put a user group in it, and FortiGate *should* trigger an automatic captive portal and ask for credentials (+2FA as applicable). But if there is any other policy with the same VIP, even below the one with the user group, then that one will be preferred: by default, FortiGate first checks any possible policy without a user group before matching into policies with user groups and triggering an implicit captive portal.


Cheers,

Debbie

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
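To make the policy-ordering caveat in the reply concrete, here is an added Python model (not FortiGate code, and not from either poster): it mimics the lookup order described above, open VIP policies first and identity-based ones second, and flags identity-based VIP policies that are shadowed by an open policy for the same VIP anywhere in the table. Policy IDs, VIP names and the RADIUS group name are constructed.

```python
# Added example: a model of the FortiGate policy-matching behaviour described
# in the reply. It is NOT the real FortiOS algorithm, only the rule stated
# there: policies WITHOUT a user group are evaluated first; only if none
# matches are policies WITH a user group considered (those trigger the
# captive portal / 2FA). Policy IDs, VIP names and group names are constructed.
from dataclasses import dataclass


@dataclass
class Policy:
    id: int
    vip: str
    groups: tuple = ()  # empty tuple => no user identity required


def match_policy(policies, vip):
    """Return the policy selected for a flow to `vip`, per the described order."""
    # Pass 1: policies that need no user identity, in table order.
    for p in policies:
        if p.vip == vip and not p.groups:
            return p
    # Pass 2: identity-based policies (these prompt for credentials / 2FA).
    for p in policies:
        if p.vip == vip and p.groups:
            return p
    return None


def shadowed_auth_policies(policies):
    """Config lint: identity-based VIP policies that can never fire because
    an open policy for the same VIP exists anywhere in the table."""
    open_vips = {p.vip for p in policies if not p.groups}
    return [p.id for p in policies if p.groups and p.vip in open_vips]


# Constructed policy table: the 2FA policy (id 10) sits ABOVE an open one (id 20),
# yet the open one wins; vip_app2 has only an identity policy and is fine.
POLICIES = [
    Policy(10, "vip_app1", groups=("radius_2fa_users",)),
    Policy(20, "vip_app1"),
    Policy(30, "vip_app2", groups=("radius_2fa_users",)),
]

if __name__ == "__main__":
    chosen = match_policy(POLICIES, "vip_app1")
    print(f"vip_app1 -> policy {chosen.id}, auth required: {bool(chosen.groups)}")
    print("shadowed identity policies:", shadowed_auth_policies(POLICIES))
```

Running it shows vip_app1 landing on policy 20 with no authentication, which is exactly the misconfiguration the lint reports.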