FortiClient
Anil_Solakoglu
Article Id 280352
Description

This article provides a guide to resolving conflicts between IPv4 and IPv6 usage when connecting to a Zero Trust Network Access (ZTNA) access proxy destination, particularly for PostgreSQL environments with Java dependencies.

 

Users encountering the '[fortitcs error] CopyNetBuffer error' in the FortiClient diagnostic logs may be experiencing connectivity issues stemming from the software's reliance on IPv6 addresses instead of IPv4.

Scope

EMS, FortiClient, ZTNA Access Proxy, FortiGate, Java.
Solution

This article walks through the process of configuring a Zero Trust Network Access (ZTNA) Access Proxy for connecting to PostgreSQL on a FortiGate device.

Specifically, it explores a sample configuration where the PostgreSQL connection utilizes port 5432 by default, but the Access Proxy rule is set for a different port, 5435.

 

Whether using DBeaver or SQuirreL SQL Client applications, this guide ensures a smooth and secure PostgreSQL connection through the Access Proxy.

 

Access Proxy Configuration:

 

  1. Access Proxy Definition: Start by configuring the ZTNA Access Proxy. In the FortiGate interface, navigate to the Access Proxy configuration section and create a new entry, such as 'ZTNA-PostgreSQL'.

    config firewall access-proxy
        edit "ZTNA-PostgreSQL"
            set vip "ZTNA-VIP"
            config api-gateway
                edit 3
                    set url-map "/tcp"
                    set service tcp-forwarding
                    config realservers
                        edit 1
                            set address "postgresql.contoso.com"
                            set mappedport 5435
                        next
                    end
                next
            end
        next
    end

    This configuration sets up the Access Proxy to forward PostgreSQL connections to the real server on the specified port (5435).

     

  2. Firewall Rule Configuration: Next, create a firewall rule that associates the Access Proxy configuration with the desired network settings.

    config firewall policy
        edit 18
            set uuid c60c9a74-466a-51ee-b694-46e9803b1032
            set name "postgresql"
            set proxy access-proxy
            set access-proxy "ZTNA-PostgreSQL"
            set srcintf "port1"
            set srcaddr "all"
            set dstaddr "postgresql.contoso.com"
            set action accept
            set schedule "always"
            set logtraffic all
        next
    end

    This rule ensures that traffic directed towards 'postgresql.contoso.com' from the specified source interface ('port1' in this example) is processed through the Access Proxy configuration.

Conclusion:

By following these steps, it is possible to configure a ZTNA Access Proxy on the FortiGate device for PostgreSQL connections, even when using non-default ports.

 

This configuration ensures secure and efficient communication between the PostgreSQL client applications like DBeaver or SQuirreL SQL Client and the PostgreSQL server through the specified Access Proxy rules. Regularly review and adapt these configurations to meet the evolving needs of the network environment.

 

FortiClient EMS Configuration:


Both client applications (DBeaver and SQuirreL SQL Client) are written in Java and rely on Java dependencies in the background to connect to PostgreSQL.

To collect ZTNA-related logs from the endpoint side, use the FortiClient Diagnostic Tool.

 

As a regular troubleshooting step, check fortitcs.log in the diagnostic logs folder FCDiagData\general\logs\trace. The following error message will likely appear:

[fortitcs error] CopyNetBuffer error:

 

This occurs because the software is still using IPv6 addresses instead of IPv4.

On Windows, the Java environment variables should force the use of IPv4 instead of IPv6 when establishing the connection.

To check the existing Java environment variable configuration, run:

 

echo %_JAVA_OPTIONS%

 

To set the environment variable so that Java connects via IPv4 (the client application must be restarted to pick up the new value), run:

 

setx _JAVA_OPTIONS -Djava.net.preferIPv4Stack=true
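As an added verification script (not from this article and not Fortinet's code), the following PowerShell checks on the endpoint whether the IPv4 flag is visible to new Java processes, which address families the ZTNA destination resolves to, and how many CopyNetBuffer errors the exported fortitcs.log contains. The destination hostname and the unpack path C:\FCDiagData are assumed values; adjust them for your environment.

```powershell
# Added example: endpoint-side checks for the IPv4/IPv6 issue described above.
# Assumptions (hypothetical, adjust as needed): the ZTNA destination is
# postgresql.contoso.com and the diagnostic export was unpacked to C:\FCDiagData.
param(
    [string]$Destination = 'postgresql.contoso.com',
    [string]$DiagRoot    = 'C:\FCDiagData'
)

# 1. Is the IPv4 preference set where future Java processes will see it?
#    setx writes the User scope; an already-running shell or app does not see it.
$flag = '-Djava.net.preferIPv4Stack=true'
foreach ($scope in 'Process', 'User', 'Machine') {
    $value = [Environment]::GetEnvironmentVariable('_JAVA_OPTIONS', $scope)
    $state = if ($value -and $value -like "*$flag*") { 'OK' } else { 'MISSING' }
    "{0,-8} _JAVA_OPTIONS = '{1}' -> {2}" -f $scope, $value, $state
}

# 2. Which address families does the destination resolve to? If AAAA records
#    come back, a JVM without the flag will try IPv6 first.
try {
    $records = Resolve-DnsName -Name $Destination -ErrorAction Stop |
        Where-Object { $_.Type -in 'A', 'AAAA' }
    foreach ($r in $records) {
        "{0,-5} {1}" -f $r.Type, $r.IPAddress
    }
    if ($records.Type -contains 'AAAA') {
        "WARNING: $Destination has AAAA records; Java prefers IPv6 unless the flag is set."
    }
} catch {
    "DNS lookup for $Destination failed: $($_.Exception.Message)"
}

# 3. Count the CopyNetBuffer errors in the exported fortitcs.log.
$log = Join-Path $DiagRoot 'general\logs\trace\fortitcs.log'
if (Test-Path $log) {
    $hits = Select-String -Path $log -SimpleMatch -Pattern '[fortitcs error] CopyNetBuffer error'
    "CopyNetBuffer errors in fortitcs.log: $($hits.Count)"
    $hits | Select-Object -Last 3 | ForEach-Object { "  line $($_.LineNumber): $($_.Line)" }
} else {
    "fortitcs.log not found at $log"
}
```

Run it once before and once after applying setx and restarting the client application; the User scope line should change from MISSING to OK and the error count should stop growing.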