I asked this question: https://community.fortinet.com/t5/Support-Forum/Controlling-ZTNA-access-via-Active-Directory/m-p/330... and got the answer I needed but I still have more questions around this.
My setup is FortiGates in AWS controlling access to AWS resources. 99% of the resources are SSH to instances in different accounts and connecting to ALBs via HTTPs. Right now I have VPN groups in ActiveDirectory which translate to VPN groups on the FortiGate. Each group is assigned a VPN CIDR unique to each group. On the AWS side I have Security Groups relating to the VPN CIDRs.
Now when we move to ZTNA I will still need to give some users SSH access and HTTPs access depending on their groups. The list of HTTPs addresses are changing all the time so the only way I could create an address book for users would be to use the FortiGate APi. So for now I am going to skip that problem.
Users who need to SSH to instances is a smaller group but still its not easy. Only our Dev users have a defined set of hosts that never change. I guess my question here is via ZTNA can I define a list of host, and or a CIDR that the users can access. If I am using ZTNA on the FortiGate to control what hosts a user can ssh to what should be in my SecurityGroups in AWS? I am guessing I cannot create rules in the SecurityGroups based on the VPN CIDRs. Is now a case where I employ SSH Proxies? And while we are on it. Rather then doing an Address book for HTTPs destinations maybe this is the place for a HTTPs proxy (or Proxies)?
Solved! Go to Solution.
Hi systemgeek,
Thank you for reaching out. Current ZTNA technology offers ztna server as the destination therefore if you are looking for a subnet as destination instead of single url or host, it makes sense to look for a proxy setup where you still control access to the proxy server or jump url where the destinations would be available. I believe what you are looking for in this case would be a "full ZTNA" setup vs regular or simple setup assuming your firewall is at 7.2 5 FortiOS or higher:
https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/972568/full-versus-simple-zt...
example including access proxy:
https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/325639/ztna-https-access-pro...
Thank you,
saleha
Hi systemgeek,
Thank you for reaching out. Current ZTNA technology offers ztna server as the destination therefore if you are looking for a subnet as destination instead of single url or host, it makes sense to look for a proxy setup where you still control access to the proxy server or jump url where the destinations would be available. I believe what you are looking for in this case would be a "full ZTNA" setup vs regular or simple setup assuming your firewall is at 7.2 5 FortiOS or higher:
https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/972568/full-versus-simple-zt...
example including access proxy:
https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/325639/ztna-https-access-pro...
Thank you,
saleha
Its going to take me a while to set this up and test it so I will accept it as the solution in a bit. But one more question. I know there are a number of different proxy setups and I remembered seeing Full vs Simple. Is there any doc out there you know of that lists all the types, the differences and in what cases you might use each?
Hi systemgeek,
The full vs simple proxy exist in ZTNA deployment and we only have the official guide document so far on this:
https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/972568/full-versus-simple-zt...
If you are referring to "Explicit vs Transparent" proxy, the following article provides some answers to this question:
Here is the offlicial guide link that offers dedicated pages for each type:
Thank you,
saleha
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.