Description
This article provides the lists of resources related to ZTNA Access proxy and ZTNA IP/MAC Control applied to various features in FortiGate.
It has been organized in six sections that cover ZTNA usage in:
- ZTNA Resource Center.
- EMS and FortiGate Sync.
- ZTNA Access Proxy - Full ZTNA.
- ZTNA IP/MAC Control - Secure Access.
- SSL VPN - FortiClient and FortiGate.
- FortiSASE - Access Proxy and Secure Access.
Scope
FortiGate v7.0, v7.2, v7.4, FortiClient EMS v7.0, FortiClient v7.0, FortiSASE.
Solution
Sample of ZTNA Deployment for most common use cases - Access proxy and Secure Access (IP/MAC Control).
See the below list of resources for help in configuring and troubleshooting SAML Authentication in FortiGate.
| ZTNA Resource Center |
|
Title |
Description |
| ZTNA Portal Page for a centralized resource center. | |
| ZTNA Architecture guide with design concepts and considerations. | |
| ZTNA Deployment guide with design concepts and considerations. | |
| ZTNA Posture check based on ZTNA Tagging rule sets. | |
| ZTNA troubleshooting and debugging commands. | |
| ZTNA troubleshooting scenarios. |
| EMS and FortiGate Sync |
|
Title |
Description |
| Configuring FortiClient EMS | Establishing FortiClient EMS Security Fabric Connector. |
| Synchronizing FortiClient ZTNA tags | Configuring ZTNA Tags synchronization. |
| Troubleshooting FortiGate with EMS | Troubleshooting tips for Security FortiClient EMS Fabric Connector. |
| How to delete ZTNA Tags | Automatic and manual deletion process of ZTNA Tags. |
| ZTNA Tags fail to synchronize between FortiClient EMS and FortiGate | Object Tagging blocking ZTNA Tags synchronization. |
| How to check if FortiGate is authorized by the EMS server via CLI | CLI commands to check whether FortiGate has been authorized in EMS. |
| 'Endpoint Control' feature not visible under Feature Visibility after upgrade to FortiOS v7.4.0 | Endpoint Control configuration can be controlled by Feature Visibility in FortiOS 7.4.0+. |
| ZTNA Access Proxy - Full ZTNA |
|
Title |
Description |
| How to read FortiGate WAD debugs from ZTNA TCP-Forwarding connection with SAML Authentication |
Explanation of how to read WAD debugs for ZTNA Access Proxy connections. |
| Accessing multiple web servers hosted via single ZTNA Server - Access Proxy (HTTP/HTTPS type) |
Leveraging Virtual Host to access multiple servers via a single ZTNA Access Proxy Server. |
| Behavior of ZTNA Tags shared across multiple vdoms and multiple FortiGate units |
Unable to ZTNA Tags across multiple VDOMs and multiple FortiGates |
|
Unable to manage FortiGate via ZTNA Access Proxy after firmware upgrade to 7.0.6 or higher |
Limitation to administrative access to FortiGate via Access Proxy. |
|
How to configure ZTNA Session Based Authentication with MFA token |
ZTNA Session-Based Authentication with MFA token. |
|
ZTNA TCP Forwarding Access Proxy (ZTAP) for File Shares (SMB) |
File Share Access via ZTNA Access proxy. |
| File Share Access via KDC Proxy endpoint protected by ZTNA Access Proxy. | |
|
Unable to match firewall policy with ZTNA type when interface assigned to ZTNA VIP is a SDWAN member |
Unable to match ZTNA Firewall policy when SD-WAN is enabled. |
|
Unable to match ZTNA proxy policy or ZTNA firewall policy when SAML authentication is enabled |
Unable to match ZTNA proxy or firewall policy when FortiAuthenticator is used as SAML IdP. |
| Unable to match ZTNA Proxy Policy when GeoIP is used in the source address field. | |
|
Unable to access resources protected via ZTNA Access proxy TCP Forwarding when On-Net |
ZTNA Destinations for TCP Forwarding are inaccessible when the endpoint is OnSite. |
|
Creating On-Fabric Detection Rules to control ZTNA Destinations Profile |
Controlling ZTNA Destination profile based on On-Fabric Detection Rules. |
|
How to check ZTNA traffic logs on FortiGate when only FortiAnalyzer logging is enabled |
Unable to see ZTNA Traffic Logs from FortiAnalyzer. |
| Comparison between ZTNA Access Proxy Policies and ZTNA Firewall Policies. | |
|
ZTNA traffic denied because of failed to match a proxy-policy |
ZTNA policy matching failing when ZTNA Tags are applied |
| Leveraging ZTNA TCP Forwarding to target a private-hosted Web Proxy | |
|
ZTNA user blocked with error 'Denied: cert auth failed, cert-status:untrusted fail-reason:(null)' |
ZTNA Access Proxy blocked by untrusted Certificate between FortiGate and FortiClient EMS Security Fabric Connector. |
|
Unable to connect to ZTNA Access Proxy server when FIPS-CC is enabled on FortiGate |
ZTNA Access proxy connections to FIPS-CC-enabled FortiGate may fail. |
|
ZTNA Tag Matching logic for ZTNA and Standard Firewall policies |
ZTNA Tag matching logic for secondary tag type and ZTNA Firewall Policies. |
| ZTNA Secure Access - IP/MAC Control |
|
Title |
Description |
| ZTNA IP MAC based access control example | ZTNA NAC Control example. |
| Assigning a VLAN via NAC policies controlled by ZTNA tags from EMS | NAC policies for Switch Controller with ZTNA Tags. |
| Resolve error 'DYNAMIC_ADDRESS_UPDATE_RETVAL_CMDB_ERROR' when trying to process/import ZTNA tags | Error when trying to import ZTNA tags. |
| Configuring wireless NAC support with ZTNA Tags | NAC policies for Wireless Controller with ZTNA Tags. |
| SSL VPN - FortiClient and FortiGate |
|
Title |
Description |
| ZTNA device certificate verification from EMS for SSL VPN connections | Enabling SSLVPN Certificate authentication with ZTNA Certificate. |
| Secure remote access configuration guide | Restricting Access to SSL VPN Connections based on ZTNA Tags. |
| FortiSASE - Access Proxy and Secure Access |
|
Title |
Description |
| FortiSASE Endpoint with ZTNA Shortcuts Deployment |
FortiSASE agent-based ZTNA Access proxy configuration. |
| SPA Using ZTNA Deployment Guide |
ZTNA Access Proxy and Secure Access deployment guide. |
