Article Id 290862
Description This article describes how to create a ZTNA profile in FortiADC.
Scope EMS, FortiClient, FortiADC.
Solution

This article describes how to configure a Security Fabric connection and how to create a ZTNA security profile on FortiADC.

 

Security Fabric connection between EMS and FortiADC:

 

Navigate to FortiADC -> Security Fabric -> Fabric Connectors -> Core Network Security -> FortiClient EMS.

Enter the EMS IP address and port and select Save.

 


 

Creating a ZTNA profile on FortiADC:

 

Navigate to FortiADC -> Network Security -> ZTNA.

ZTNA tags should be visible under the ZTNA Tags tab after a successful Security Fabric connection.

Select the ZTNA Profile tab and select Create New. After entering a name for the profile, the Create New button becomes active.

 

  • The Source IP is optional. Either define which IP addresses may reach the backend servers, or select All for the source IP.
  • At least one ZTNA tag must be selected, and more than one may be selected. When several tags are selected they are combined with 'or' logic: if the endpoint computer carries at least one of the selected ZTNA tags, the profile matches.


 

Implementing the ZTNA profile on a Virtual Server:

 

In order to apply a ZTNA profile to a virtual server, a TCPS or HTTPS profile must be selected. (For the default profile, use 'LB_PROF_TCPS' or 'LB_PROF_HTTPS'.)

  • The first step of ZTNA access is certificate authentication, so a Client SSL Profile must be selected, 'Client Certificate Verify' must be enabled, and the EMS certificate must be selected in it.

Either create a new Client Certificate Verify profile from the Virtual Server's Client SSL Profile, or navigate to FortiADC -> System -> Verify -> Create New. Select the certificate whose name is the EMS serial number.

 


 

After creating the Client Certificate Verify profile, assign it to the virtual server. Navigate to Server Load Balance -> Virtual Server, highlight the virtual server and select Edit -> General -> Client SSL Profile -> Create New. Enter a name for the profile and select the Client Certificate Verify profile created earlier.

 

 

Assigning a ZTNA Security Profile to a Virtual Server:

 

Navigate to FortiADC -> Server Load Balance -> Virtual Server, highlight the virtual server and select Edit -> Security, then select the ZTNA Security Profile from the drop-down menu.

 


 

After the ZTNA security profile is configured, an endpoint computer must meet all of the following conditions in order to reach the backend servers:

  • FortiClient should be installed.
  • Telemetry should be registered.
  • Depending on the ZTNA rule, ZTNA tags should exist (or not) on the endpoint computer.

 

If every condition is met, the endpoint computer can reach the backend server securely.
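The following is an added illustration (not FortiADC or EMS code) that models the access decision this article describes: client certificate verification first, then the FortiClient/telemetry prerequisites, the optional Source IP restriction, and the 'or' combination of selected ZTNA tags. The profile, tag names and endpoint records are constructed sample data.

```python
import ipaddress

# Constructed model of the ZTNA profile evaluation described in this article.
# It is an illustration of the decision logic, not FortiADC's own code.


def source_ip_allowed(profile_sources, client_ip):
    """Source IP is optional: None stands for 'All' and matches any client;
    otherwise the client must fall inside one of the configured networks."""
    if not profile_sources:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in profile_sources)


def tags_match(profile_tags, endpoint_tags):
    """Several selected tags combine with 'or': one shared tag is enough."""
    return bool(set(profile_tags) & set(endpoint_tags))


def evaluate(profile, endpoint):
    """Return (allowed, reason) for one access attempt through the virtual server.
    Checks run in the order the article presents them."""
    if not endpoint.get("client_cert_verified", False):
        return False, "client certificate verification failed"
    if not (endpoint.get("forticlient_installed") and endpoint.get("telemetry_registered")):
        # Without FortiClient and a registered telemetry connection the endpoint never receives tags
        return False, "FortiClient not installed or telemetry not registered"
    if not source_ip_allowed(profile.get("source_ips"), endpoint["ip"]):
        return False, "source IP not permitted by profile"
    if not tags_match(profile["ztna_tags"], endpoint.get("ztna_tags", [])):
        return False, "no matching ZTNA tag"
    return True, "allowed"


# Constructed sample profile (two tags, restricted source network) and endpoints
PROFILE = {"source_ips": ["10.10.0.0/16"], "ztna_tags": ["AV-Running", "Disk-Encrypted"]}
COMPLIANT = {"ip": "10.10.5.20", "client_cert_verified": True, "forticlient_installed": True,
             "telemetry_registered": True, "ztna_tags": ["Disk-Encrypted"]}
NO_TAG = dict(COMPLIANT, ztna_tags=["Some-Other-Tag"])
OUTSIDE = dict(COMPLIANT, ip="192.0.2.7")
NO_TELEMETRY = dict(COMPLIANT, telemetry_registered=False)

if __name__ == "__main__":
    for name, ep in (("compliant", COMPLIANT), ("no tag", NO_TAG),
                     ("outside", OUTSIDE), ("no telemetry", NO_TELEMETRY)):
        print(f"{name:12s} -> {evaluate(PROFILE, ep)}")
```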
