ZTNA - Off-net
Hello, I need urgent support.
I am doing a ZTNA configuration with FortiEMS on-prem.
For off-net and on-net users, I created a record fortiems.xxx.com in both the local DNS and the global DNS.
I created fortiems.xxx.com for off-net users. The DNS record is in the same subnet as the WAN IP, but it is not the direct WAN IP. I need to announce this IP behind the WAN interface to get telemetry data, but I do not know how to do this. I entered it on the WAN interface as a second IP, but it did not seem like a correct configuration; I cannot see it in the ARP table.
Can you help me with this?
Hello
You can do so by adding a VIP, listening on WAN interface and using secondary IP.
I created a VIP from the secondary IP to the local EMS IPs on port 8013 and added the second IP to the WAN interface, but it did not work; the second IP does not appear in the ARP table.
Hello @inventohakkı ,
If I understand correctly, you want to reach EMS to get telemetry data from both inside and outside users.
If so, first you need to create a VIP object on the FortiGate. This VIP should redirect packets to your internal EMS server. Configuration should be like this. After that, you need to use this VIP object in the firewall policy.
After that, your client can reach your EMS server from outside.
NSE 4-5-6-7 OT Sec - ENT FW
Hello.
You understood correctly. I created the VIP in the way you showed and used it in the rule.
The external IP I use in the VIP is in the same subnet as the WAN IP address behind the WAN interface, but it is not the direct internet egress IP. I added it as a second IP later because I could not find a solution.
Hello @inventohakkı ,
Can you try to enable the arp-reply setting on the VIP configuration?
config firewall vip
    edit <name>
        set arp-reply enable
    next
end
NSE 4-5-6-7 OT Sec - ENT FW
Removing the IP pool solved the rule, but is this the correct configuration?
Hello @inventohakkı ,
Yes, it is, because in your scenario we don't want to do SNAT.
For source NAT, we use IP-Pool objects. In your scenario, just doing destination NAT (VIP) is enough.
NSE 4-5-6-7 OT Sec - ENT FW
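As an added illustration, not configuration posted by anyone in this thread, the FortiOS CLI fragment below puts the pieces discussed above together: a port-forwarding VIP on the WAN interface with arp-reply enabled (so the FortiGate answers ARP for an external address that is not its own interface address), a custom service limited to TCP 8013, and an inbound policy that uses the VIP with NAT disabled, i.e. destination NAT only and no IP pool. The interface names, addresses, and object names are placeholders and must be replaced with your own.

```fortios
# Added example, not from the thread. All names and addresses are placeholders.
# 203.0.113.20 stands for the public address that fortiems.xxx.com resolves to;
# 10.0.0.10 stands for the on-prem EMS server.
config firewall service custom
    edit "EMS-TCP-8013"
        set tcp-portrange 8013
    next
end
config firewall vip
    edit "vip-fortiems-8013"
        set extip 203.0.113.20
        set extintf "wan1"
        set portforward enable
        set mappedip "10.0.0.10"
        set extport 8013
        set mappedport 8013
        set arp-reply enable
    next
end
config firewall policy
    edit 0
        set name "inbound-ems-telemetry"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip-fortiems-8013"
        set action accept
        set schedule "always"
        set service "EMS-TCP-8013"
        set nat disable
        set logtraffic all
    next
end
```

With arp-reply enabled on the VIP, the FortiGate responds to ARP requests for 203.0.113.20 on wan1, so the upstream router learns the FortiGate's MAC address for that IP even though it is not configured on the interface; a secondary IP on wan1 is therefore not required for the VIP to work. Restricting the service to the single EMS port and logging the policy keeps the exposed surface to what telemetry actually needs. To confirm the ARP side from the FortiGate, `get system arp` lists what the FortiGate itself has resolved, and `diagnose sniffer packet wan1 'arp' 4` shows whether it is answering ARP for the VIP address.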
I got it. I have one last question about off-net: my telnet to port 8013 is working, but I cannot see it in the ARP table. What is the reason for this?
By the way, thanks for the solution.
Hello @inventohakkı ,
You can't see the ARP record in your client machine's ARP table because your connection is a Layer 3 (routed) connection, not Layer 2. If you look at the ARP table of the ISP router (or any device in front of your FortiGate), you can see your FortiGate's MAC address there, because your FortiGate is connected to your ISP router at Layer 2.
NSE 4-5-6-7 OT Sec - ENT FW
