Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
raffaeledp
Contributor

Created on ‎02-17-2025 09:13 AM

Is it possible to include a ZTNA tag inside a local-in policy?

hello everybody, I defined a ZTNA Group that includes two ZTNA Tags:

 

Screenshot 2025-02-17 alle 18.10.14.png

I know that a firewall policy can work with ZTNA Tags. But is it the same for a local-in-policy?

Looking at the documentation:

 

config firewall {local-in-policy | local-in-policy6}
    edit <policy_number>
        set intf <interface>
        set srcaddr <source_address> [source_address] ...
        set dstaddr <destination_address> [destination_address] ...        set action {accept | deny}
        set service <service_name> [service_name] ...
        set schedule <schedule_name>
        set comments <string>
    next
end

 

It generally talks about a destination address. But is the local-in-policy capable of understanding a ZTNA group?

I didn't find anything indicative about this. I'm working on a Fortigate 60F v7.2.11.

Thank you

RDP
RDP
432
0 Kudos
1 Solution
AEK
SuperUser
SuperUser

Created on ‎02-18-2025 07:32 AM

Hi Raffael

As per my knowledge you can't.

But depending on what you want to achieve you may transform your local-in policy to a firewall policy using a loopback address.

AEK

View solution in original post

AEK
390
5 REPLIES 5
AEK
SuperUser
SuperUser

Created on ‎02-18-2025 07:32 AM

Hi Raffael

As per my knowledge you can't.

But depending on what you want to achieve you may transform your local-in policy to a firewall policy using a loopback address.

AEK
AEK
391
AEK
SuperUser
SuperUser

Created on ‎02-18-2025 11:52 AM

You can take this very nice example provided by @Yurisk 

https://yurisk.info/2023/03/21/fortigate-vpn-ssl-hardening-guide/#_move_vpn_ssl_listening_interface_...

Hope it helps.

AEK
AEK
371
Yurisk
SuperUser
SuperUser

Created on ‎02-18-2025 01:01 PM

ZTNA in Local-in policy ? Nope, not possible yet, but give Fortinet folks a break - they just (7.2) introduced Geo address object and ISDB (7.4.4) in Local-in policy, and already asking for ZTNA :) ... 

Some day probably ...

 

Thanks @AEK for the mentioning.

 

Yuri Slobodyanyuk
Yuri Slobodyanyuk
345
AEK
SuperUser
SuperUser

Created on ‎02-18-2025 01:19 PM

@raffaeledp 

I just want to clarify that by the example above I mean you can see how you can transform your local-in policy to a firewall policy using a loopback address, and you can then use ZTNA tag to access the FGT resource (admin UI, ssh, VPN and so).

AEK
AEK
339
MZBZ
Staff
Staff

Created on ‎02-19-2025 10:31 PM

Not possible. No config parameters available:

https://docs.fortinet.com/document/fortigate/7.6.2/cli-reference/185227842/config-firewall-local-in-...

 

M. B.
269
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.