ZTNA 7.2 CONFIG AND LAB TEST (FORTINET 2022)

gagip37481 350 views 98 slides May 27, 2024

Slide Content

Introduction to Zero Trust

© Fortinet Inc. All Rights Reserved.
Modern Threat Landscape
•Business applications and data are dispersed
•Proliferation of access points and endpoint devices
•Rise of BYOD and IoT devices
•Traditional network perimeter is disappearing
•Result is that the attack surface is expanding
•Exposure to risk is ever increasing

Limitations of Traditional Access Control
•Security stance is based on network perimeters
•Devices and users within the defined perimeters are “trusted” by default
•Relies solely on user authentication and device location
•Uses a “one and done” approach to user verification
•Network evolution is eliminating clear perimeters
•DMZs, VPNs, Cloud services, etc. all impact the perimeter

What is Zero Trust?
•Zero Trust is a security philosophy or framework
•Uses the principle of “Never trust, always verify”
•Continuous verification of users and devices
•Permissions granted using multiple factors
•Uses principle of least-privilege access
•Users are granted the minimum privileges needed for their role

Zero Trust vs. ZTA vs. ZTNA
•Zero Trust
  •Generic term referring to security solutions where no user or device is automatically trusted
  •Limited access is given to verified users/devices
  •Re-verification or re-evaluation of permissions is frequent
•Zero Trust Access (ZTA)
  •Solutions that focus on identifying, and having oversight of, which users and devices are accessing a network
•Zero Trust Network Access (ZTNA)
  •A solution referring to application access where no user or device is trusted to access an application unless they prove their credentials
  •Often cited as a natural evolution from VPN; under ZTNA, applications are hidden from the internet

Principles of Zero Trust
•All data sources and computing services are resources
•All communication is secured, regardless of network location
•Access to resources granted on a per-session basis
•Determined by dynamic policy—observable state of client, application/service, requesting resource, may include further behavioral/environmental attributes
•Monitors the integrity and security posture of all owned/associated resources
•Authentication and authorization is dynamic, strictly enforced before access allowed
•Enterprise collects current state of assets, network infrastructure, and communications to improve security posture

A Zero Trust View of a Network
•The entire enterprise private network is not considered an implicit trust zone
•Devices on the network may not be owned or configurable by the enterprise
•No resource is inherently trusted
•Not all enterprise resources are on enterprise-owned infrastructure
•Remote enterprise subjects and assets cannot fully trust their local network connection
•Assets and workflows moving between enterprise and non-enterprise infrastructure should have a consistent security policy and posture

Benefits of Zero Trust Access
•Reduces Risk
  •Eliminates points of vulnerability by limiting access for users, and through extensive and continuous identity verification
•Increases Visibility
  •Know who and what is connected
•Extends Security
  •ZTNA extends security off the network
  •Provides application security independent of the network

Lesson Overview
Fortinet ZTNA Introduction
Device Identity and Trust
ZTNA Configuration Setups
Comparing ZTNA to SSL and IPsec VPN
FortiSASE

Objectives
Fortinet ZTNA Introduction
•Understand the benefits of using ZTNA
•Understand the fundamentals of ZTNA
•Understand ZTNA tagging rules
•Manage ZTNA tags on FortiClient EMS

What is Fortinet’s ZTNA?
•Access control method that provides role-based application access
•ZTNA method uses:
•Client device identification
•Authentication
•Zero-trust tags
•Provides flexibility to manage both on-fabric and off-fabric users
•ZTNA has two modes:
•Full ZTNA
•IP/MAC filtering

Zero Trust Network Access (Application Access)
•A better VPN connection
•Safe, granular control: match users to applications; role-based application access; device posture check
•Location independent: on-prem, branch, remote; cloud, public cloud, on-prem
•Hide applications from Internet: transparent tunnels; MFA as necessary; on-prem or remote
•Replacing VPN
Diagram: ZTNA access proxy (FOS policy) in front of public cloud, private cloud and data center applications, serving campus, branch and remote users

ZTNA Automatic Secure Connections
•Auto-on secure ZTNA tunnels (HTTPS/SSH)
•Leveraging existing infrastructure
•Continuous reassessment and enforcement
Diagram: FortiClient EMS policy; FortiClient on campus, branch and remote endpoints tunnelling to applications in the data center, public cloud and private cloud

Access to the Network
Virtual Private Networking (VPN) Technology
Diagram: the client (FortiClient) connects through a VPN concentrator (FortiGate) and an NGFW (FortiGate) to data center and cloud applications; user authentication against Active Directory, MFA optional (FortiToken)
•Dynamic VPN gateway selection, and split tunneling
•Additional layers of security with MFA
•Single sign-on agent supports FortiAuthenticator

ZTNA Process
Diagram: FortiClient on campus, branch and remote endpoints sends ZTNA telemetry to FortiClient EMS; EMS policy is synchronized to the FortiGate (Fabric Sync); the FortiGate performs the tunnel and posture check before granting access to data center, public cloud and private cloud resources

Fortinet’s ZTNA
What’s it made of? Existing Fortinet Security Fabric products
Core elements:
•FortiGate
  •FortiGate builds the secure tunnel, maintains user group/application access table (FOS 7.0)
•FortiClient / FortiClient EMS
  •FortiClient EMS configures the ZTNA agent in FortiClient for the secure connection back to the FortiGate (FortiClient 7.0)
•Authentication solution
  •FortiAuthenticator, FortiToken or any 3rd party supported by the Security Fabric
•Also: FortiProxy, FortiADC, FortiWeb, FortiSASE

ZTNA Workflow
Diagram: on-fabric and off-fabric clients send ZTNA telemetry to FortiClient EMS; EMS syncs ZTNA tags and certificates to the FortiGate; the FortiGate enforces the ZTNA policy (and ZTNA IP/MAC filtering for on-fabric clients) in front of the protected servers and resources

Evolution of VPN tunnels
Bringing Zero Trust principles to remote access
•Ongoing verification
  •Per session user identity checks
  •Per session device posture checks (OS version, A/V status, vulnerability assessment)
•More granular control
  •Access granted only to specific application
  •No more broad VPN access to the network
•Easier user experience
  •Auto-initiates secure tunnel when user accesses applications
  •Same experience on and off-net

Basic ZTNA Configuration
•Configure ZTNA on FortiGate
  •To enable ZTNA and Explicit Proxy on the GUI, use System > Feature Visibility
•To deploy ZTNA, you need the following:
  •FortiClient endpoint
  •FortiClient EMS
  •FortiGate
  •FortiClient EMS connector
  •ZTNA server
  •ZTNA rule
  •Firewall policy for ZTNA
  •Authentication (optional)
Screenshot: System > Feature Visibility

FortiClient and FortiClient EMS Connectivity
•FortiClient endpoint must connect to FortiClient EMS
•Check connection status:
  •On the ZERO TRUST TELEMETRY menu
  •On the FortiClient EMS GUI, Endpoints > All Endpoints
Screenshot: Endpoints > All Endpoints

FortiGate and FortiClient EMS Connectivity
•FortiGate uses the FortiClient EMS fabric connector to connect
•FortiGate must verify the FortiClient EMS server certificate
  •Need to install the CA certificate on FortiGate, otherwise the certificate is not trusted
•FortiClient EMS must authorize the FortiGate as a fabric device
Screenshots: FortiGate GUI, Security Fabric > Fabric Connectors (fabric connector status); FortiClient EMS GUI, Administration > Fabric Devices

Zero-Trust Tagging Rules
•You can create, edit, and delete zero-trust tagging rules for Windows, macOS, Linux, iOS, and Android
•When using tagging rules with EMS and FortiClient:
  •EMS sends zero-trust tagging rules to endpoints
  •FortiClient checks endpoints using the provided rules and sends the results to EMS
  •EMS dynamically groups endpoints together using the tag configured for each rule
•You can view the dynamic endpoint groups in Zero Trust Tags > Zero Trust Tag Monitor
Screenshots: Zero Trust Tags > Zero Trust Tagging Rules; Zero Trust Tags > Zero Trust Tagging Monitor

Zero-Trust Tagging Rules (Contd)
•Click Add to add a new rule set
•In the rule set window, you can type a rule name, and select a new or existing tag and different rule types based on operating system
•You can configure multiple rules
  •By default, an endpoint must satisfy all configured rules
  •Use Edit Logic to apply the tag to endpoints that satisfy some, but not all, of the configured rules
Screenshots: Zero Trust Tags > Zero Trust Tagging Rules > +Add; example of rule logic

Zero-Trust Tagging Rules (Contd)
•Import and export tagging rules as a JSON file
•Use predefined rules for the FortiGuard outbreak alert service by uploading signatures
Screenshots: Zero Trust Tags > Zero Trust Tagging Rules
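As an added illustration of the tagging-rule flow on the slides above (this is example code, not Fortinet's or EMS's own implementation), the following Python models how a rule set is evaluated per endpoint, how the default all-rules logic differs from an Edit Logic expression, how EMS groups the results into tag-based endpoint groups, and how rule sets round-trip through JSON. The rule types, operators, attribute names, the Edit Logic syntax and the sample endpoints are assumptions constructed for the example and are not the EMS schema.

```python
"""Model of EMS zero-trust tagging rules (added example, not Fortinet code).
EMS sends rule sets to endpoints, FortiClient evaluates each rule and reports
back, and EMS groups endpoints under the rule set's tag. By default all rules
must match; an Edit Logic expression such as "1 or 2" relaxes that. Rule sets
round-trip through JSON. Rule types, operators, attribute names and the logic
syntax are simplified assumptions, not the EMS schema."""
import ast
import json
import re
from dataclasses import asdict, dataclass, field
from typing import Dict, List, Optional

@dataclass
class Rule:
    rule_type: str   # endpoint attribute checked, e.g. "os_version" (assumed name)
    op: str          # "eq" or "min_version"
    value: str

@dataclass
class RuleSet:
    name: str
    tag: str
    os: str                       # Windows, macOS, Linux, iOS or Android
    rules: List[Rule] = field(default_factory=list)
    logic: Optional[str] = None   # None: every rule must match (the default)

def evaluate_rule(rule: Rule, endpoint: Dict) -> bool:
    """FortiClient side: check one rule against the endpoint's posture data."""
    actual = endpoint.get(rule.rule_type)
    if rule.op == "eq":
        return actual == rule.value
    if rule.op == "min_version":
        ver = lambda s: tuple(int(p) for p in re.findall(r"\d+", s))
        return actual is not None and ver(actual) >= ver(rule.value)
    raise ValueError(f"unknown operator {rule.op!r}")

def eval_logic(expr: str, results: List[bool]) -> bool:
    """Evaluate an Edit Logic expression ("1 and (2 or 3)", "not 2") over per-rule
    results. The expression is parsed with ast and walked with an allow-list of node
    types; eval() is never called, so rule sets imported from JSON cannot run code."""
    def walk(node):
        if isinstance(node, ast.BoolOp):
            vals = [walk(v) for v in node.values]
            return all(vals) if isinstance(node.op, ast.And) else any(vals)
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
            return not walk(node.operand)
        if isinstance(node, ast.Constant) and type(node.value) is int:
            if not 1 <= node.value <= len(results):
                raise ValueError(f"rule number {node.value} out of range")
            return results[node.value - 1]
        raise ValueError(f"unsupported element in logic: {type(node).__name__}")
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        raise ValueError(f"invalid logic expression: {expr!r}") from exc
    return walk(tree.body)

def evaluate_rule_set(rs: RuleSet, endpoint: Dict) -> bool:
    if endpoint.get("os") != rs.os:   # rule sets are per operating system
        return False
    results = [evaluate_rule(r, endpoint) for r in rs.rules]
    return all(results) if rs.logic is None else eval_logic(rs.logic, results)

def tag_monitor(rule_sets: List[RuleSet], endpoints: List[Dict]) -> Dict[str, List[str]]:
    """EMS side: dynamic endpoint groups, tag -> sorted hostnames (Zero Trust Tag Monitor)."""
    groups: Dict[str, List[str]] = {}
    for ep in endpoints:
        for rs in rule_sets:
            if evaluate_rule_set(rs, ep):
                groups.setdefault(rs.tag, []).append(ep["hostname"])
    return {tag: sorted(hosts) for tag, hosts in groups.items()}

def export_rule_sets(rule_sets: List[RuleSet]) -> str:
    return json.dumps([asdict(rs) for rs in rule_sets], indent=2)

def import_rule_sets(text: str) -> List[RuleSet]:
    return [RuleSet(d["name"], d["tag"], d["os"], [Rule(**r) for r in d["rules"]], d.get("logic"))
            for d in json.loads(text)]

# Constructed sample rule sets and endpoint posture reports (not real EMS data).
RULE_SETS = [
    RuleSet("Win-Compliant", "Compliant", "Windows",
            [Rule("os_version", "min_version", "10.0.19045"), Rule("av_software", "eq", "FortiClient")]),
    RuleSet("Win-Managed", "Managed", "Windows",
            [Rule("domain", "eq", "corp.example"), Rule("disk_encrypted", "eq", "yes")], logic="1 or 2"),
]
ENDPOINTS = [
    {"hostname": "PC-01", "os": "Windows", "os_version": "10.0.22621", "av_software": "FortiClient",
     "domain": "corp.example", "disk_encrypted": "yes"},
    {"hostname": "PC-02", "os": "Windows", "os_version": "10.0.17763", "av_software": "FortiClient",
     "domain": "", "disk_encrypted": "yes"},
    {"hostname": "MAC-01", "os": "macOS", "os_version": "13.4", "av_software": "FortiClient",
     "domain": "corp.example", "disk_encrypted": "yes"},
]

if __name__ == "__main__":
    print(tag_monitor(RULE_SETS, ENDPOINTS))  # {'Compliant': ['PC-01'], 'Managed': ['PC-01', 'PC-02']}
```

PC-02 fails the Compliant rule set because its OS build is below the minimum, but still receives the Managed tag through the "1 or 2" logic, and the macOS endpoint is never evaluated against Windows rule sets. The Edit Logic interpreter deliberately walks an allow-listed syntax tree rather than calling eval(), because rule sets are data that can be imported from a JSON file.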

Zero-Trust Tagging Rules (Contd)
•Manage Tags
•Displays all configured tags and the rules that apply that tag to the endpoints
•Delete tags that do not have any rules attached
•Zero Trust Tag Monitor
•View all dynamic endpoint groups based on the tag configured for each rule
Zero Trust Tags > Zero Trust Tagging Rules
Zero Trust Tags > Zero Trust Tag Monitor

Zero Trust Tagging Rules—Rule Types
•ZTNA tagging rules have different rule types that vary with the OS you select
Screenshots: rule types per operating system

Lesson Progress
ZTNA Introduction
Device Identity and Trust
ZTNA Configuration Setups
Comparing ZTNA to SSL and IPsec VPN
FortiSASE Update

Objectives
Device Identity and Trust
•Understand how to establish device identity and trust
•Understand SSL certificate-based authentication

Device Roles
•Device identity and trust are integral to ZTNA
•Identity is established through client certificates
•Trust is established between:
•FortiClient
•Provides endpoint information (device information, logged on users, and security posture)
•Obtains client certificate from FortiClient EMS
•FortiClient EMS
•Issues and signs the client certificate
•Synchronizes certificate to FortiGate
•Uses tagging rules to tag endpoints
•FortiGate
•Maintains continuous connection to FortiClient EMS to synchronize endpoint information
•When device information changes, FortiClient EMS updates FortiGate
•FortiGate WAD daemon uses this information when processing ZTNA traffic

FortiClient EMS Certificate Management
•FortiClient EMS has a default root CA certificate
•ZTNA CA uses root certificate to sign CSRs from the FortiClient endpoints
•You can revoke and update root CA
•Force updates to the FortiGate and FortiClient endpoints by generating new certificates
•FortiClient EMS manages individual client certificates
System Settings > EMS Setting

FortiClient EMS Certificate Management (Contd)
•On Windows endpoints, FortiClient automatically installs certificates in the certificate store
  •Certificate information, such as certificate UID and SN, should match the information on FortiClient EMS and FortiGate
  •Certificates > Personal > Certificates
•You can verify with a CLI command on the FortiGate:
  diagnose endpoint record list <optional IP address>

SSL Certificate-Based Authentication
•An endpoint obtains a client certificate when it registers to FortiClient EMS
  •FortiClient automatically submits a CSR
  •FortiClient EMS signs and returns the client certificate
  •Certificate is stored in the OS certificate store
•By default:
  •Client certificate authentication is enabled on the access proxy
  •Empty certificate response is set to block
•Options can be configured on the CLI only:
config firewall access-proxy
    edit <name>
        set client-cert enable
        set empty-cert-action block
    next
end
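To show what the two CLI options above mean for a connection attempt, here is an added decision model in Python (example code, not FortiOS): the access proxy asks the endpoint for the EMS-issued certificate, compares it with the endpoint record synchronized from EMS (UID and serial number), applies empty-cert-action when no certificate is presented, and finally matches the endpoint's tags against a ZTNA rule. The certificate and record objects, the CA name, the UIDs, serials and tag names are constructed assumptions; real TLS chain and signature validation is done by the TLS stack and is not modelled here.

```python
"""Decision model for the ZTNA access proxy's client-certificate check (added
example, not FortiOS code). EMS signs each endpoint certificate and syncs the
certificate details (UID, serial) to the FortiGate; with client-cert enabled
the access proxy requires that certificate, applies empty-cert-action (block by
default) when none is presented, and a ZTNA rule then matches the endpoint's
tags. Objects, field names and sample values are simplified assumptions."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

@dataclass(frozen=True)
class ClientCert:
    issuer: str    # subject of the signing CA (the EMS ZTNA root CA when valid)
    serial: str    # certificate SN, also present in the EMS endpoint record
    uid: str       # endpoint UID that EMS placed in the certificate

@dataclass(frozen=True)
class EndpointRecord:
    """What the FortiGate holds for one endpoint after EMS sync."""
    uid: str
    cert_serial: str
    tags: FrozenSet[str]

@dataclass
class AccessProxy:
    trusted_ca: str                     # EMS ZTNA root CA currently trusted
    records: Dict[str, EndpointRecord]  # uid -> record, synchronized from EMS
    client_cert: bool = True            # set client-cert enable
    empty_cert_action: str = "block"    # set empty-cert-action block|accept

    def check(self, cert: Optional[ClientCert], required_tags=()) -> Tuple[bool, str]:
        """Return (allowed, reason) for one connection attempt."""
        record = None
        if not self.client_cert:
            note = "client-cert disabled, no device identity requested"
        elif cert is None:
            if self.empty_cert_action != "accept":
                return False, "blocked: empty certificate response (empty-cert-action block)"
            note = "empty certificate response accepted (empty-cert-action accept)"
        else:
            if cert.issuer != self.trusted_ca:
                return False, "blocked: certificate not signed by the trusted EMS ZTNA CA"
            record = self.records.get(cert.uid)
            if record is None:
                return False, f"blocked: no EMS endpoint record for UID {cert.uid}"
            if record.cert_serial != cert.serial:
                return False, "blocked: certificate serial differs from the synced EMS record"
            note = f"device {cert.uid} identified"
        required = frozenset(required_tags)
        if required:
            if record is None:   # no identity means tag-based rules cannot match
                return False, f"blocked: rule requires tags {sorted(required)} but {note}"
            missing = required - record.tags
            if missing:
                return False, f"blocked: device {record.uid} lacks tags {sorted(missing)}"
        return True, f"allowed: {note}"

# Constructed sample data (not real EMS records or certificates).
EMS_CA = "CN=EMS ZTNA Root CA (constructed)"
RECORDS = {
    "EP-1001": EndpointRecord("EP-1001", "0x1a2b", frozenset({"Compliant", "Managed"})),
    "EP-1002": EndpointRecord("EP-1002", "0x9f9f", frozenset({"Managed"})),
}

def run_scenarios() -> Dict[str, bool]:
    """Exercise the default proxy and one with empty-cert-action accept; scenario -> allowed."""
    default = AccessProxy(EMS_CA, RECORDS)
    relaxed = AccessProxy(EMS_CA, RECORDS, empty_cert_action="accept")
    good = ClientCert(EMS_CA, "0x1a2b", "EP-1001")
    results = {
        "valid cert, tag satisfied": default.check(good, {"Compliant"}),
        "valid cert, tag missing": default.check(ClientCert(EMS_CA, "0x9f9f", "EP-1002"), {"Compliant"}),
        "stale serial after cert renewal": default.check(ClientCert(EMS_CA, "0x0001", "EP-1001")),
        "cert from rotated (old) CA": default.check(ClientCert("CN=old EMS CA", "0x1a2b", "EP-1001")),
        "unknown endpoint UID": default.check(ClientCert(EMS_CA, "0x7777", "EP-9999")),
        "no cert, default block": default.check(None),
        "no cert, accept, rule without tags": relaxed.check(None),
        "no cert, accept, rule with tags": relaxed.check(None, {"Managed"}),
    }
    return {name: allowed for name, (allowed, _) in results.items()}

if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{'ALLOW' if allowed else 'BLOCK':5} {name}")
```

The scenarios cover the failure modes the slides hint at: a certificate renewed or revoked on EMS no longer matches the synced serial, a certificate from a rotated root CA is rejected, and setting empty-cert-action to accept only helps for rules that require no device tags, since without a certificate there is no device identity to tag.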

Lesson Progress
ZTNA Introduction
Device Identity and Trust
ZTNA Configuration Setups
Comparing ZTNA to SSL and IPsec VPN
FortiSASE Update

Labs
Now we will be working on the following labs:
•Lab Z01 - EMS Base Configuration
•Lab Z02 - FortiGate Configuration
Total Completion Time: 50 Minutes

Objectives
ZTNA Configuration Setups
•Describe types of ZTNA configuration
•Configure ZTNA access on FortiOS

ZTNA HTTPS Access Proxy
•HTTPS access proxy works as a reverse proxy
•Verifies user identity, device identity, and trust context before granting access
•Supports IPv6 scenarios:
  •IPv6 client, IPv6 access proxy, IPv6 server
  •IPv6 client, IPv6 access proxy, IPv4 server
  •IPv4 client, IPv4 access proxy, IPv6 server
Diagram (lab topology): remote endpoint (IPv4 10.0.2.10, IPv6 2000:10:0:2::214) connects to the FortiGate access proxy VIP (IPv4 100.64.1.10:9443, IPv6 2000:172:18::66:9443, webserver.demo.com); FortiGate interfaces port3/port1 at 100.64.1.253/10.0.1.254; web server at IPv4 10.0.1.6, IPv6 2000:192:168:20::6; FortiClient EMS at 10.0.1.100

ZTNA HTTPS Access Proxy (Contd)
•ZTNA server (Policy & Objects > ZTNA > ZTNA Servers):
  •Access proxy VIP: IP address and port
  •Real server: IP address and port
  •Virtual host matching rules

ZTNA HTTPS Access Proxy (Contd)
•ZTNA rule (Policy & Objects > ZTNA > ZTNA Rules)

ZTNA HTTPS Access Proxy (Contd)
•Firewall policy:
  •Redirects client requests to the access proxy
  •Select the source interface and addresses that are allowed access to the VIP
  •UTM processing happens at the ZTNA rule
Screenshot: Policy & Objects > ZTNA > ZTNA Rules

ZTNA HTTPS Access Proxy With Basic Authentication
•You can add authentication to the access proxy
  •Requires an authentication scheme and an authentication rule
  •To authenticate proxy-based policies
Diagram: FortiGate access proxy (port3 100.64.1.253, port1 192.168.20.5) with access proxy VIP 100.64.1.10:9443 (webserver.demo.com) in front of the web server 192.168.20.6 and FortiClient EMS 192.168.20.10; remote authentication server: LDAP/RADIUS/local database or other supported user authentication servers

ZTNA HTTPS Access Proxy With SAML Authentication
•SAML authentication
Diagram: remote endpoint connects to the FortiGate access proxy (port3 100.64.1.253, port1 192.168.20.5), access proxy VIP 100.64.1.10:9443 (webserver.demo.com), in front of the web server 192.168.20.6 and FortiClient EMS 192.168.20.10; a SAML authenticator and LDAP server provide user authentication

ZTNA TCP Forwarding Access Proxy
•TCP forwarding access proxy demonstrates an HTTPS reverse proxy that forwards TCP traffic to the resource
•TCP forwarding access proxy:
  •Tunnels TCP traffic between the client and FortiGate over HTTPS
  •Forwards the TCP traffic to the protected resource
Diagram: remote endpoint tunnels TCP/RDP and TCP/SSH over HTTPS to the FortiGate access proxy VIP 10.0.3.11:8443 (port3); the FortiGate forwards them (port2) to Winserver 10.88.0.1 and FortiAnalyzer 10.88.0.2; FortiClient EMS registers the endpoint

ZTNA TCP Forwarding Access Proxy (Contd)
•To configure the access proxy VIP and server mappings from the FortiGate CLI:
Access proxy VIP:
config firewall vip
    edit "ZTNA-tcp-server"
        set type access-proxy
        set extip 10.0.3.11
        set extintf "port3"
        set server-type https
        set extport 8443
        set ssl-certificate "Fortinet_SSL"
    next
end
Real server address and port mapping:
config firewall access-proxy
    edit "ZTNA-tcp-server"
        set vip "ZTNA-tcp-server"
        set client-cert enable
        config api-gateway
            edit 1
                set service tcp-forwarding
                config realservers
                    edit 1
                        set address "FAZ"
                        set mappedport 22
                    next
                    edit 2
                        set address "winserver"
                        set mappedport 3389
                    next
                end
            next
        end
    next
end

ZTNA TCP Forwarding Access Proxy (Contd)
Screenshot: Policy & Objects > ZTNA > ZTNA Server, showing the real server address and port mapping

ZTNA TCP Forwarding Access Proxy (Contd)
Screenshots: Policy & Objects > ZTNA > ZTNA Rules; Policy & Objects > Firewall Policy

ZTNA TCP Forwarding Access Proxy (Contd)
•User must create a ZTNA rule on the FortiClient to connect
•You can also configure ZTNA TCP forwarding access proxy without encryption
•Improves performance by reducing encryption overhead of an already secure underlying protocol
•Do not use for insecure protocols
ZTNA CONNECTION RULES > Add Rule

ZTNA IP MAC Filtering
•When you enable ZTNA on FortiGate, the firewall policy provides two options:
  •Full ZTNA
  •IP/MAC filtering
•ZTNA IP/MAC filtering mode enhances security when endpoints are physically on the corporate network
  •Use ZTNA tags to control access
•Full ZTNA mode focuses on access for remote users
Screenshot: ZTNA IP/MAC filtering firewall policy

ZTNA SSH Access Proxy
•ZTNA supports SSH access proxy to provide seamless SSH connection
•Advantages over TCP forwarding access proxy:
  •Establishing device trust context with user identity and device identity checks
  •Applying SSH deep inspection to the traffic through the SSH related profile
  •Performing optional SSH host-key validation of the server
  •Using one-time user authentication to authenticate the ZTNA SSH access proxy connection and the SSH server connection
Diagram: remote endpoint connects to the FortiGate access proxy VIP 100.64.1.10:443 (port3 100.64.1.253, port1 192.168.20.5); behind it the SSH server 192.168.20.20, FortiClient EMS 192.168.20.10 and authentication server 192.168.20.1

ZTNA SSH Access Proxy: One-time user auth*
•Endpoint registers on FortiClient EMS and receives the client cert
•Endpoint attempts to connect to the SSH access proxy using the same username for access proxy auth
•FortiGate challenges the endpoint with device identity validation
•Endpoint provides the FortiClient EMS issued certificate for device identification
•FortiGate challenges the endpoint with user auth (for example, basic or SAML)
•User enters credentials on the endpoint
•FortiGate authenticates the user, collecting the username
•Using the FortiGate CA or a customer CA certificate, FortiGate signs an SSH cert with the username as principal
•FortiGate attempts to connect to the SSH server using cert auth
•SSH server verifies the authenticity of the certificate and matches the username principal against its authorized_keys file
  •If the username matches a record in the file, the SSH connection is established
  •If no match is found, the SSH connection fails
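As an added example of the last step of the flow above (this is example code, not Fortinet's or OpenSSH's), the Python below parses an SSH server's authorized_keys file and decides whether a certificate signed by the FortiGate CA, carrying the username as principal, is accepted: only entries marked cert-authority can authorize a certificate, and the certificate's principal must be listed in that entry's principals= option or, when the option is absent, equal the login username. The certificate's signature is assumed to have been verified already by the server; the authorized_keys contents and key strings are constructed placeholders.

```python
"""Model of the authorized_keys check at the end of the one-time SSH auth flow
(added example, not Fortinet or OpenSSH code). Only cert-authority entries can
authorize a certificate; the certificate's principal must be listed in that
entry's principals= option or, without that option, equal the login username.
Signature verification is assumed done; keys and file contents are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# [options] key-type base64-key [comment]; options may contain quoted strings with spaces/commas.
LINE_RE = re.compile(
    r'^(?:(?P<opts>(?:[^\s"]|"[^"]*")+)\s+)?'
    r'(?P<type>ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(?:256|384|521)|ssh-dss)\s+'
    r'(?P<key>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*))?$')

@dataclass(frozen=True)
class SshCert:
    ca_key: str                  # "<type> <base64>" of the CA that signed the certificate
    principals: Tuple[str, ...]  # usernames the CA placed in the certificate
    key_id: str

@dataclass
class AuthorizedEntry:
    options: Dict[str, Optional[str]]
    key: str                     # "<type> <base64>"

def split_options(options: str) -> Dict[str, Optional[str]]:
    """'cert-authority,principals="alice,bob"' -> {'cert-authority': None, 'principals': 'alice,bob'}."""
    out, buf, quoted = {}, [], False
    for ch in options + ",":
        if ch == '"':
            quoted = not quoted          # quotes delimit values; commas inside them are literal
        elif ch == "," and not quoted:
            token = "".join(buf)
            buf = []
            if token:
                name, sep, value = token.partition("=")
                out[name] = value if sep else None
        else:
            buf.append(ch)
    return out

def parse_authorized_keys(text: str) -> List[AuthorizedEntry]:
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m =LINE_RE.match(line)
        if m is None:
            continue                     # unparsable lines are skipped, as sshd does
        entries.append(AuthorizedEntry(split_options(m.group("opts") or ""),
                                       f"{m.group('type')} {m.group('key')}"))
    return entries

def authorize_cert(cert: SshCert, login_user: str, entries: List[AuthorizedEntry]) -> Tuple[bool, str]:
    """(allowed, reason) for a certificate-based login as login_user."""
    for e in entries:
        if "cert-authority" not in e.options or e.key != cert.ca_key:
            continue                     # plain keys and other CAs never authorize this certificate
        listed = e.options.get("principals")
        if listed is None:
            if login_user in cert.principals:
                return True, f"login user {login_user} is a principal of cert {cert.key_id}"
            continue
        matched = sorted(set(listed.split(",")) & set(cert.principals))
        if matched:
            return True, f"principal {matched[0]} listed in principals= for the CA"
    return False, "no cert-authority entry with a matching principal; SSH connection fails"

# Constructed sample authorized_keys on the SSH server (keys are placeholders, not real keys).
USER_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleUserKey000000000000000000000000"
FGT_CA_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleFortiGateCA00000000000000000000"
OTHER_CA_KEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleOtherCA0000000000000000000000=="
AUTHORIZED_KEYS = f"""\
# personal key of alice (cannot authorize certificates)
{USER_KEY} alice@laptop
# FortiGate SSH CA; only alice and bob may log in with its certificates
cert-authority,principals="alice,bob" {FGT_CA_KEY} fortigate-ssh-ca
# another CA without principals=: the login name must be in the certificate
cert-authority,command="/usr/bin/backup --verify" {OTHER_CA_KEY} backup-ca
"""

if __name__ == "__main__":
    entries = parse_authorized_keys(AUTHORIZED_KEYS)
    print(authorize_cert(SshCert(FGT_CA_KEY, ("alice",), "alice-2024"), "alice", entries))
```

A certificate for a user who is not in the principals= list of the FortiGate CA entry is refused even though the signature is valid, and a certificate signed by a plain user key is never accepted, which is the server-side control that keeps the FortiGate's signing authority scoped to the accounts the server administrator listed.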

Lesson Progress
ZTNA Introduction
Device Identity and Trust
ZTNA Configuration Setups
Comparing ZTNA to SSL and IPsec VPN
FortiSASE Update

Labs
Now we will be working on the following labs:
•Lab Z03 - FortiClient Installation
•Lab Z04 - Configure EMS ZTNA tagging rules
•Lab Z05 - VPN Access with Zero Trust Tags
•Lab Z06 - Configure basic HTTPS Access Proxy
•Lab Z07 - Configure HTTPS Access Proxy with user authentication and ZTNA tags
•Lab Z08 - TCP Forwarding Access Proxy
•Lab Z09 - Working with Zero Trust Tags
Total Completion Time: 2 hours 55 Minutes

Objectives
Comparing ZTNA to SSL and IPsec VPN
•Understand the evolution of teleworker remote access with ZTNA

Comparing SSL VPN, IPsec VPN, and ZTNA Access
| | IPsec VPN | SSL VPN | ZTNA |
|---|---|---|---|
| Tunnel type | IPsec tunnel only | Session-based OR tunnel | Session-based only |
| Configured between | FortiClient and FortiGate; FortiGate and FortiGate; FortiGate and compatible third-party IPsec VPN gateway; FortiGate and compatible third-party IPsec VPN clients | Browser and FortiGate; FortiClient and FortiGate; FortiGate (SSL Client) and FortiGate (SSL Server) | Browser and FortiGate; FortiClient and FortiGate (TCP forwarding access) |
| Log in through | IPsec client | HTTPS web page on FortiGate; FortiClient; FortiGate (SSL Client) | HTTPS hostname or IP and port number; FortiClient (TCP forwarding access) |

Comparing SSL VPN, IPsec VPN, and ZTNA Access (Contd)
| | IPsec VPN | SSL VPN | ZTNA |
|---|---|---|---|
| Category | Industry standard | Vendor specific | Vendor specific |
| Configuration | Requires installation; flexible setup; mesh and star topologies; for clients or peer gateways; performance based: IPsec cryptography is faster in FortiOS | Does not require installation; simpler setup; only client-to-FortiGate; no user-configured settings; technical support less requested | Does not require installation; simpler setup; only client-to-FortiGate; no user-configured settings; technical support less requested |
| Better for | Office-to-office traffic; data centers | Provides flexibility: tunnel-mode or session-based access | Session-based access only; TCP-based traffic |

Moving to ZTNA From SSL VPN
•You can migrate teleworking configurations that use SSL VPN tunnel or web portal mode access to ZTNA with HTTPS access proxy
Diagram: SSL VPN gateway at 100.64.1.253:10443 (FortiGate port3 100.64.1.253, port1 192.168.20.5) in front of the web server and AD/LDAP server at 192.168.20.6; SSL VPN web access via https://100.64.1.253:10443

Lesson Progress
ZTNA Introduction
Device Identity and Trust
ZTNA Configuration Setups
Comparing ZTNA to SSL and IPsec VPN
SASE Update

Convergence of Networking and Security
•Security Service Edge (SSE) and SD-WAN converge into single-vendor SASE
•Simplicity: remote workers integration, one vendor
•Single-vendor SASE benefits:
  •Reduced complexity, eliminating multiple products
  •Efficient operations with a single agent
  •Cost savings from product and vendor reduction

Fortinet Single-Vendor SASE Approach
•Superior user experience with operational efficiency
•Secure hybrid workforce with consistent security
•Shift from CAPEX to OPEX based model
Diagram: FortiSASE cloud-delivered security and networking: cloud-delivered security (SSE: SWG, FWaaS, ZTNA, CASB) plus SD-WAN, consistent FortiOS with AI/ML powered security, connecting remote and work-from-home users to the Internet, data center, public cloud and SaaS

Securing Remote Users With FortiSASE
Diagram: FortiClient and agent-less users (work from anywhere) connect through FortiSASE cloud-based security to the data center (secure private access to corporate apps), the Internet (secure Internet access for safe browsing) and SaaS (secure SaaS access to cloud apps)

FortiSASE
Gartner recognizes Fortinet as Single-Vendor SASE

Pragmatic Journey to SASE
With Fortinet’s convergence of security & networking everywhere
•1. Secure edge connectivity (NGFW)
•2. Optimize application experience (SD-WAN)
•3. Secure remote users (SASE)

Phase-1: Secure Connectivity With Network Firewall
Diagram: home, campus, branch, travel and factory sites connect over the WAN to edge compute, public cloud, Internet, SaaS and data center, protected by network firewall features: segmentation, intrusion prevention (virtual patching), secure web gateway (SWG), application security, SSL inspection, VPN

Phase-2: Flexible Application Steering With SD-WAN
Diagram: the same sites and destinations connected with SD-WAN: dynamic application steering versus static routing, application QoS, high availability, 5G support, digital experience monitoring

Phase-3: Securely Connect Remote Users With SSE
Diagram: remote users connect to the SASE cloud (FWaaS, SWGaaS, CASB); the Secure Services Edge becomes part of the customer SD-WAN network

Key Business Outcomes With Fortinet SASE
•Consistent security posture: overcome security gaps and minimize the attack surface with AI-powered security
•Consistent web security
•Better user experience
•Operational efficiency: consolidate point products with the single-vendor SASE approach and shift to an OPEX based model
•Secure remote users: intelligent steering and dynamic routing via cloud-delivered SD-WAN

Key Use Cases

USE CASE 1: Secure Internet Access for Remote Users
Safe browsing from anywhere
Diagram: FortiClient and agent-less users (work from anywhere) reach the Internet through FortiSASE (cloud managed) with content security, web security and device security
•Market leading security as a service: Fortinet best-in-class cloud security powered by FortiGuard Labs
•Deep inspection of end-user activity: constant inspection of web activity for threats, even when using secured HTTPS access
•Malware & ransomware prevention: continuously assess the risks and automatically respond and counter known and unknown threats

Comprehensive Cloud-Delivered Secure Internet Access
•IP Reputation: block malicious IPs based on reputation aggregated from global threat sensors
•DNS Filtering: protect against sophisticated threats including C2 and ransomware
•Intrusion Prevention System: virtual patching and vulnerability protection with real-time signatures
•Botnet + C2: block malicious bots without impacting legitimate bot activity and reduce reliance on user verification
•Video Filtering: enforce acceptable use policies and regulatory compliance and increase user productivity
•URL Filtering: prevent unknown zero-day threats in real time at scale, including known threats

Customizable Dashboard for Cloud-Delivered Security
Benefit:
•Better threat protection
•Improved user experience
Capabilities:
•FortiGuard Security Services
•IPS, sandbox
•URL and DNS filtering
•Anti-malware, DLP
•SSL inspection

USE CASE 2: Most Flexible Secure Private Access
Secure corporate app access
Diagram: FortiClient (work from anywhere) reaches private apps in the data center through FortiSASE (cloud managed) ZTNA
•SD-WAN integration: superior user experience with full integration with Fortinet SD-WAN architecture
•Highly granular access control: context-based zero-trust access enforcement, app based and adaptive with AI/ML
•Secure cloud & data center access: anywhere secure access to corporate apps for asset protection and compliance

Secure Private Access With Natively Integrated ZTNA
Enabling Universal ZTNA:
•Device attributes, user info, security posture based security
•Granular per-session posture checks
•Cloud provisioned ZTNA connections
•Continuous posture re-assessment
Diagram: remote users send user telemetry to the Fortinet PoP, which provides private access through ZTNA application gateways in front of public cloud apps and the data center

Cloud-delivered SD-WAN Integration With SSE
SD-WAN private access:
•Intelligent routing & steering
•Broader app support (UDP-based VoIP, video, UC)
•Augment to existing SD-WAN
Diagram: remote users send user telemetry to FortiSASE, which provides private access through SD-WAN hubs in front of public cloud apps and the data center

Secure Private Access With SD-WAN/NGFW Networks
Benefit:
•Broader application access including UDP (VoIP/video)
•Superior user experience
•Seamless connectivity without infra upgrades
Capabilities:
•Dual SD-WAN hub connectivity
•Intelligent steering
•Dynamic routing

USE CASE 3: Secure SaaS Access for Visibility & Control
Secure access to cloud apps & files
Diagram: FortiClient reaches sanctioned and unsanctioned apps through FortiSASE (cloud managed) with API-based CASB
•Deep control & view of apps content: control over app content and files with API-based CASB for enhanced security and threat detection
•Cloud app access control: safe cloud application access and blocking of malicious apps with in-line CASB feature
•Unified agent for anywhere detection: FortiClient agent covers all the use cases from SASE, zero trust, SaaS security, and endpoint protection

Fortinet Next Generation CASB
Dual mode CASB: data security, visibility, compliance, threat protection; part of the SASE solution and SASE licensing
•API based CASB: agentless deployment; visibility to BYOD / unmanaged locations and devices; integration with applications using API connector; visibility & compliance
•Inline CASB: managed & unmanaged locations with the help of FortiClient, which performs posture assessment, visibility and protection for cloud applications; visibility & remediation

Efficient Troubleshooting With Granular Logging & Events
Pre-Generated & On-Demand Reports
•Application:
 •Application Risk Control
 •Bandwidth Application Usage
•Security:
 •Threat Report
 •Web Usage Report
 •VPN Report
Logging & Events
•Security Logs
•User Events
•Endpoint Events
•VPN Events

Competitive Landscape
Prisma Access
•Separate agents (Global Protect & Cortex XDR) required for endpoint security and traffic redirection
•Lacks secure automatic tunnel functionality for ZTNA private application access
•3x longer time to value than FortiSASE
•Not all security services are available at each Prisma Access compute location
Zscaler
•Low security efficacy; lacks 3rd-party validation
•Traffic redirection agent cannot function as EPP; needs partnership with other vendors for endpoint security and SD-WAN
•App connector performance limited to 1Gbps
•2x longer time to value than FortiSASE
Netskope
•Cloud Firewall inspection limited to web traffic ONLY
•Netskope client connector is a mere traffic redirection agent and doesn't offer endpoint protection
•Limited ZTNA posture and compliance checks for secure private application access
•Needs 3rd-party partnership for SD-WAN (Infiot acquisition not mature)
Cato Networks
•Relies on 3rd-party security services including URL filtering, advanced threat protection
•Needs partnership with other vendors for endpoint security
•Security efficacy not validated by 3rd party
•Primarily positioned for mid-market and down market only

Trusted by Large Organizations Globally
University in North America: 10,000+ Students, 500+ Instructors
Delivering consistent security and superior user experience for users everywhere
WHY FORTINET:
•Consistent web security for students both on-campus & off-campus
•Protect existing investment and allow future-proofing
•Superior user experience and operational efficiency
•Deep SSL inspection without compromising on performance
FORTINET SOLUTION:
•FortiSASE
•Secure SD-WAN
•FortiGuard AI-Powered Security Services
Key Customer Benefits:
•Secure remote learning
•Superior video and VoIP experience
•Shift to OPEX-based business model

The Fortinet Advantage
Fast, secure and scalable security for the hybrid workforce
•Single agent for multiple use cases
•Deployment simplification with SD-WAN integration
•Best-in-class security everywhere
•Simple management & licensing
Secure: Users, Endpoints, Applications
Scalable: High performance, Low latency, Global peering
Simple: Integration, Management, Troubleshooting

Objectives
ANNEX
•ZTNA Troubleshooting and Debugging

ZTNA Troubleshooting and Debugging
•Use these CLI commands to troubleshoot ZTNA issues on FortiGate (command, then its description):
diagnose endpoint fctems test-connectivity <EMS name>
    Verify FortiGate to FortiClient EMS connectivity
execute fctems verify <EMS name>
    Verify the FortiClient EMS certificate
diagnose test application fcnacd 2
    Dump the EMS connectivity information
diagnose debug app fcnacd -1
diagnose debug enable
    Run real-time FortiClient NAC daemon debugs
diagnose endpoint record list <ip>
    Show the endpoint record list. Optionally, filter by the endpoint IP address
diagnose endpoint wad-comm find-by uid <uid>
    Query endpoints by client UID
diagnose endpoint wad-comm find-by ip-vdom <ip> <vdom>
    Query endpoints by the client IP-VDOM pair
diagnose wad dev query-by uid <uid>
    Query from WAD diagnose command by UID
diagnose wad dev query-by ipv4 <ip>
    Query from WAD diagnose command by IP address

ZTNA Troubleshooting and Debugging (Contd)
•WAD daemon handles proxy
•FortiClient NAC daemon (fcnacd) handles connectivity between FortiGate and FortiClient EMS
Command, then its description:
diagnose firewall dynamic list
    List EMS ZTNA tags and all dynamic IP and MAC addresses
diagnose test application fcnacd 7
diagnose test application fcnacd 8
    Check the FortiClient NAC daemon ZTNA and route cache
diagnose wad debug enable category all
diagnose wad debug enable level verbose
diagnose debug enable
    Run real-time WAD debugs
diagnose debug reset
    Reset debugs when completed

ZTNA Troubleshooting and Debugging (Contd)
•To verify FortiGate to FortiClient EMS connectivity and EMS certificate:
Verifying connection between FortiGate and FortiClient EMS:
# diagnose endpoint fctems test-connectivity WIN10-EMS
Connection test was successful:
Verifying FortiClient EMS server certificate:
# execute fctems verify WIN10-EMS
Server certificate already verified
Showing FortiClient EMS connectivity information:
# diagnose test application fcnacd 2
EMS context status:
FortiClient EMS number 1:
name: WIN10-EMS confirmed: yes
fetched-serial-number: FCTEMS0000109188
Websocket status: connected
•If fcnacd does not report correct status, run real-time debugs:
# diagnose debug application fcnacd -1
# diagnose debug enable

ZTNA Troubleshooting and Debugging (Contd)
•To verify information about an endpoint (CLI command output shown below):
# diagnose endpoint record list 10.6.30.214
Record #1:
IP Address = 10.6.30.214
MAC Address = 00:0c:29:ba:1e:61
MAC list = 00:0c:29:ba:1e:61;00:0c:29:ba:1e:6b;
VDOM = root (0)
EMS serial number: FCTEMS8821001322
Client cert SN: 17FF6595600A1AF53B87627AB4EBEDD032593E64
Quarantined: no
Online status: online
Registration status: registered
On-net status: on-net
Gateway Interface: port2
FortiClient version: 7.0.0
AVDB version: 84.778
FortiClient app signature version: 18.43
FortiClient vulnerability scan engine version: 2.30
FortiClient UID: 5FCFA3ECDE4D478C911D9232EC9299FD
Host Name: ADPC

Number of Routes: (1)
Gateway Route #0:
- IP: 10.1.100.214, MAC: 00:0c:29:ba:1e:6b, Indirect: no
- Interface: port2, VFID: 0, SN: FG5H1E5819902474
online records: 1; offline records: 0; quarantined records: 0

ZTNA Troubleshooting and Debugging (Contd)
•To query endpoint information, including ZTNA tags, by UID or IP address (the output of this CLI command includes the ZTNA tags):
# diagnose endpoint wad-comm find-by uid 5FCFA3ECDE4D478C911D9232EC9299FD
UID: 5FCFA3ECDE4D478C911D9232EC9299FD
status code: ok
Domain: qa.wangd.com
User: user1
Cert SN: 17FF6595600A1AF53B87627AB4EBEDD032593E64
EMS SN: FCTEMS8821001322
Routes(1):
- route[0]: IP=10.1.100.214, VDom=root
Tags(3):
- tag[0]: name=ZT_OS_WIN
- tag[1]: name=all_registered_clients
- tag[2]: name=Medium
# diagnose endpoint wad-comm find-by ip-vdom 10.1.100.214 root
UID: 5FCFA3ECDE4D478C911D9232EC9299FD
status code: ok
Domain: qa.wangd.com
User: user1
Cert SN: 17FF6595600A1AF53B87627AB4EBEDD032593E64
EMS SN: FCTEMS8821001322
Routes(1):
- route[0]: IP=10.1.100.214, VDom=root
Tags(3):
- tag[0]: name=ZT_OS_WIN
- tag[1]: name=all_registered_clients
- tag[2]: name=Medium

ZTNA Troubleshooting and Debugging (Contd)
•To query endpoint information from the WAD daemon by UID or IP address:
# diagnose wad dev query-by uid 5FCFA3ECDE4D478C911D9232EC9299FD
Attr of type=0, length=32, value(ascii)=5FCFA3ECDE4D478C911D9232EC9299FD
Attr of type=4, length=30, value(ascii)=MAC_FCTEMS8821001322_ZT_OS_WIN
Attr of type=4, length=26, value(ascii)=FCTEMS8821001322_ZT_OS_WIN
Attr of type=4, length=43, value(ascii)=MAC_FCTEMS8821001322_all_registered_clients
Attr of type=4, length=39, value(ascii)=FCTEMS8821001322_all_registered_clients
Attr of type=4, length=27, value(ascii)=MAC_FCTEMS8821001322_Medium
Attr of type=4, length=23, value(ascii)=FCTEMS8821001322_Medium
Attr of type=5, length=18, value(ascii)[email protected]
Attr of type=6, length=40, value(ascii)=17FF6595600A1AF53B87627AB4EBEDD032593E64
# diagnose wad dev query-by ipv4 10.1.100.214
Attr of type=0, length=32, value(ascii)=5FCFA3ECDE4D478C911D9232EC9299FD
Attr of type=4, length=30, value(ascii)=MAC_FCTEMS8821001322_ZT_OS_WIN
Attr of type=4, length=26, value(ascii)=FCTEMS8821001322_ZT_OS_WIN
Attr of type=4, length=43, value(ascii)=MAC_FCTEMS8821001322_all_registered_clients
Attr of type=4, length=39, value(ascii)=FCTEMS8821001322_all_registered_clients
Attr of type=4, length=27, value(ascii)=MAC_FCTEMS8821001322_Medium
Attr of type=4, length=23, value(ascii)=FCTEMS8821001322_Medium
Attr of type=5, length=18, value(ascii)[email protected]
Attr of type=6, length=40, value(ascii)=17FF6595600A1AF53B87627AB4EBEDD032593E64
Endpoint information from the WAD daemon: type 0 is the UID, type 4 attributes are the dynamic address names derived from EMS tags (with and without the MAC_ prefix), type 5 is the owner and type 6 the client certificate serial number.

ZTNA Troubleshooting and Debugging (Contd)
•To list all the dynamic ZTNA IP and MAC addresses learned from EMS:
# diagnose firewall dynamic list
List all dynamic addresses:
FCTEMS0000109188_all_registered_clients: ID(51)
ADDR(172.17.194.209)
ADDR(192.168.40.8)

FCTEMS0000109188_Low: ID(78)
ADDR(172.17.194.209)
ADDR(192.168.40.8)

FCTEMS0000109188_Malicious-File-Detected: ID(190)
ADDR(172.17.194.209)
ADDR(192.168.40.8)
MAC dynamic addresses in VDOM root(vfid: 0):
MAC_FCTEMS0000101875_Low(total-addr: 5): ID(377)
MAC(00:50:56:A1:8A:21)
MAC(00:50:56:A1:1B:15)
MAC_FCTEMS0000101875_all_registered_clients(total-addr: 5): ID(94)
MAC(00:50:56:A1:8A:21)
MAC(00:50:56:A1:1B:15)
The output lists the dynamic IP addresses and the MAC addresses per EMS tag.

ZTNA Troubleshooting and Debugging (Contd)
•To check the FortiClient NAC daemon ZTNA and route cache:
Shows the ZTNA cache:
# diagnose test application fcnacd 7
ZTNA Cache:
- uid 5FCFA3ECDE4D478C911D9232EC9299FD: { "tags": [ "ZT_OS_WIN",
"all_registered_clients", "Medium" ], "domain": "qa.wangd.com", "user_name":
"user1", "client_cert_sn": "17FF6595600A1AF53B87627AB4EBEDD032593E64", "owner":
"[email protected]", "gateway_route_list": [ { "gateway_info": { "fgt_sn":
"FG5H1E5819902474", "interface": "port2", "vdom": "root" }, "route_info": [ {
"ip": "10.1.100.214", "mac": "00-0c-29-ba-1e-6b", "route_type": "direct" } ] }
], "ems_sn": "FCTEMS8821001322" }
Shows the route cache:
# diagnose test application fcnacd 8
IP-VfID Cache:
IP: 10.1.100.206, vfid: 0, uid: 3DED29B54386416E9888F2DCBD2B9D21
IP: 10.1.100.214, vfid: 0, uid: 5FCFA3ECDE4D478C911D9232EC9299FD
•Use the following commands to troubleshoot WAD with real-time debugs:
# diagnose wad debug enable category all
# diagnose wad debug enable level verbose
# diagnose debug enable
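The two caches above are where a ZTNA rule that depends on a tag usually fails silently: the route cache maps a source IP to a UID, and only the ZTNA cache holds that UID's tags, certificate and routes. The following Python is an added example (not Fortinet's code) that parses constructed copies of the fcnacd 7 and fcnacd 8 dumps shown on this slide and reports, for a source IP and the tag a rule requires, which cache is missing what; it also derives the dynamic address names that the `diagnose wad dev query-by` and `diagnose firewall dynamic list` output shows for each tag. The owner address in the sample is a placeholder, the ZTNA cache entry is assumed to sit on one line, and all function names are the example's own.

```python
"""Cross-check the fcnacd ZTNA cache (fcnacd 7) against the IP-VfID route cache (fcnacd 8).

Added example, not Fortinet's code. Both dumps are constructed from the slide's
output; the owner e-mail is a placeholder. Paste real output into the two
strings (or read them from a file) to run the same checks offline.
"""
import json
import re

ZTNA_CACHE = '''ZTNA Cache:
- uid 5FCFA3ECDE4D478C911D9232EC9299FD: { "tags": [ "ZT_OS_WIN", "all_registered_clients", "Medium" ], "domain": "qa.wangd.com", "user_name": "user1", "client_cert_sn": "17FF6595600A1AF53B87627AB4EBEDD032593E64", "owner": "owner@example.invalid", "gateway_route_list": [ { "gateway_info": { "fgt_sn": "FG5H1E5819902474", "interface": "port2", "vdom": "root" }, "route_info": [ { "ip": "10.1.100.214", "mac": "00-0c-29-ba-1e-6b", "route_type": "direct" } ] } ], "ems_sn": "FCTEMS8821001322" }
'''

ROUTE_CACHE = '''IP-VfID Cache:
IP: 10.1.100.206, vfid: 0, uid: 3DED29B54386416E9888F2DCBD2B9D21
IP: 10.1.100.214, vfid: 0, uid: 5FCFA3ECDE4D478C911D9232EC9299FD
'''

# Assumed line shapes: "- uid <32 hex>: {json}" and "IP: a.b.c.d, vfid: N, uid: <32 hex>".
UID_LINE = re.compile(r"^- uid ([0-9A-F]{32}): (\{.*\})$")
ROUTE_LINE = re.compile(r"^IP: ([\d.]+), vfid: (\d+), uid: ([0-9A-F]{32})$")


def parse_ztna_cache(text):
    """Return {uid: record} from the fcnacd 7 dump; each record is the JSON object after the uid."""
    records = {}
    for line in text.splitlines():
        m = UID_LINE.match(line.strip())
        if m:
            records[m.group(1)] = json.loads(m.group(2))
    return records


def parse_route_cache(text):
    """Return {(ip, vfid): uid} from the fcnacd 8 dump."""
    routes = {}
    for line in text.splitlines():
        m = ROUTE_LINE.match(line.strip())
        if m:
            routes[(m.group(1), int(m.group(2)))] = m.group(3)
    return routes


def dynamic_address_names(rec):
    """Dynamic address names FortiGate derives per tag: <EMS SN>_<tag> (IP object)
    and MAC_<EMS SN>_<tag> (MAC object), as seen in the wad dev query-by output."""
    names = []
    for tag in rec.get("tags", []):
        names.append(f"{rec['ems_sn']}_{tag}")
        names.append(f"MAC_{rec['ems_sn']}_{tag}")
    return names


def check_endpoint(ip, vfid, required_tag, ztna_cache, route_cache):
    """Explain whether a ZTNA rule requiring `required_tag` can match traffic from `ip`."""
    uid = route_cache.get((ip, vfid))
    if uid is None:
        return "no-route-entry"    # FortiGate never learned this IP from EMS
    rec = ztna_cache.get(uid)
    if rec is None:
        return "no-ztna-cache"     # IP is known, but no tags/certificate were synced for it
    if required_tag not in rec.get("tags", []):
        return "tag-missing"       # endpoint synced, but EMS did not assign the tag
    ips = [r["ip"] for g in rec["gateway_route_list"] for r in g["route_info"]]
    if ip not in ips:
        return "route-mismatch"    # the two caches disagree about the endpoint's IP
    return "ok"


def audit(required_tag, ztna_text=ZTNA_CACHE, route_text=ROUTE_CACHE):
    """Status per IP in the route cache for a rule that requires `required_tag`."""
    ztna = parse_ztna_cache(ztna_text)
    routes = parse_route_cache(route_text)
    return {ip: check_endpoint(ip, vfid, required_tag, ztna, routes) for (ip, vfid) in routes}


if __name__ == "__main__":
    for ip, status in sorted(audit("ZT_OS_WIN").items()):
        print(f"{ip:15} {status}")
    for uid, rec in parse_ztna_cache(ZTNA_CACHE).items():
        print(uid, dynamic_address_names(rec))
```

In the sample, 10.1.100.206 is present in the route cache but absent from the ZTNA cache, so a rule that requires ZT_OS_WIN cannot match it ("no-ztna-cache"); that is the case to check before suspecting the rule itself.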

ZTNA Logging Enhancements
•The ZTNA log subtype is added to UTM logs and a traffic log ID is added for ZTNA-related traffic
•There are six events that generate logs:
Traffic log example of the empty certificate that is disallowed or blocked:
date=xxxx-xx-xx time=16:36:54 eventtime=1623281814371412983 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.1.100.206 srcport=56494 srcintf="port2" srcintfrole="undefined" dstip=172.18.62.112 dstport=443 dstintf="root" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=21453 proto=6 action="deny" policyid=5 policytype="policy" poluuid="b4d4c466-8b64-51eb-2292-5defbb0e34e5" policyname="ztna" service="HTTPS" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" utmaction="block" countztna=1 msg="Denied: empty client certificate" utmref=65483-0
UTM log example of the empty certificate that is disallowed or blocked:
date=xxxx-xx-xx time=16:36:54 eventtime=1623281814371409480 tz="-0700" logid="2100060500" type="utm" subtype="ztna" eventtype="ztna-clt-cert" level="warning" vd="root" msg="Client sends an empty certificate" policyid=5 sessionid=21453 srcip=10.1.100.206 dstip=172.18.62.112 srcport=56494 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="root" dstintfrole="undefined" proto=6 action="blocked" service="HTTPS" vip="zv2" accessproxy="zs2"

ZTNA Logging Enhancements (Contd)
•Received client certificate that fails to validate:
Traffic log example of the client certificate that fails to validate:
date=xxxx-xx-xx time=15:06:47 eventtime=1623276407372012365 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.1.100.206 srcport=55910 srcintf="port2" srcintfrole="undefined" dstip=172.18.62.112 dstport=443 dstintf="root" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=16810 proto=6 action="deny" policyid=5 policytype="policy" poluuid="b4d4c466-8b64-51eb-2292-5defbb0e34e5" policyname="ztna" service="HTTPS" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" utmaction="block" countztna=1 msg="Denied: client certificate authentication failed" utmref=65491-0
UTM log example of the client certificate that fails to validate:
date=xxxx-xx-xx time=15:06:47 eventtime=1623276407372009447 tz="-0700" logid="2100060501" type="utm" subtype="ztna" eventtype="ztna-clt-cert" level="warning" vd="root" msg="Client certificate has security problem" policyid=5 sessionid=16810 srcip=10.1.100.206 dstip=172.18.62.112 srcport=55910 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="root" dstintfrole="undefined" proto=6 action="blocked" service="HTTPS" vip="zv2" accessproxy="zs2" desc="cert authfailed, cert-cn:qa.wangd.com, cert-issuer:qa.wangd.com, cert-status:failure"

ZTNA Logging Enhancements (Contd)
•API gateway cannot be matched or real servers cannot be reached:
UTM log example when API gateway or real server doesn't match:
date=xxxx-xx-xx time=15:15:39 eventtime=1623276939601849940 tz="-0700" logid="2102060522" type="utm" subtype="ztna" eventtype="ztna-error" level="warning" vd="root" msg="Unable to match an API-gateway" policyid=5 sessionid=17152 srcip=10.1.100.206 dstip=172.18.62.112 srcport=55974 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="root" dstintfrole="undefined" proto=6 action="blocked" service="HTTPS" vip="zv2" accessproxy="zs2" desc="HTTP url(https://qbcd.test.com/test123456) failed to match an API-gateway with vhost(name/hostname:_def_virtual_host_/_def_virtual_host_)"
Traffic log example when API gateway or real server doesn't match:
date=xxxx-xx-xx time=15:15:39 eventtime=1623276939601851410 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.1.100.206 srcport=55974 srcintf="port2" srcintfrole="undefined" dstip=172.18.62.112 dstport=443 dstintf="root" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=17152 proto=6 action="deny" policyid=5 policytype="policy" poluuid="b4d4c466-8b64-51eb-2292-5defbb0e34e5" policyname="ztna" service="HTTPS" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" utmaction="block" countztna=2 msg="Denied: failed to match an API-gateway" utmref=65490-0

ZTNA Logging Enhancements (Contd)
•ZTNA rule (proxy policy) cannot be matched:
Traffic log example when unable to match ZTNA rule (proxy policy):
date=xxxx-xx-xx time=15:20:20 eventtime=1623277220133106783 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.1.100.206 srcport=56010 srcintf="port2" srcintfrole="undefined" dstip=172.18.62.112 dstport=443 dstintf="root" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=17456 proto=6 action="deny" policyid=0 policytype="proxy-policy" service="HTTPS" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" utmaction="block" countztna=2 msg="Denied: failed to match a proxy-policy" utmref=65488-26
UTM log example when unable to match ZTNA rule (proxy policy):
date=xxxx-xx-xx time=15:20:20 eventtime=1623277220133105204 tz="-0700" logid="2101060510" type="utm" subtype="ztna" eventtype="ztna-policy-match" level="warning" vd="root" msg="Connection is blocked due to unable to match a proxy-policy" policyid=0 sessionid=17456 srcip=10.1.100.206 dstip=172.18.62.112 srcport=56010 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="root" dstintfrole="undefined" proto=6 action="blocked" service="HTTPS" gatewayid=1 vip="zv2" accessproxy="zs2"

ZTNA Logging Enhancements (Contd)
•HTTPS SNI virtual host does not match the HTTP host header:
Traffic log example when HTTPS SNI doesn't match HTTP host header:
date=xxxx-xx-xx time=15:15:39 eventtime=1623276939601851410 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.1.100.206 srcport=55974 srcintf="port2" srcintfrole="undefined" dstip=172.18.62.112 dstport=443 dstintf="root" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=17152 proto=6 action="deny" policyid=5 policytype="policy" poluuid="b4d4c466-8b64-51eb-2292-5defbb0e34e5" policyname="ztna" service="HTTPS" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" utmaction="block" countztna=2 msg="Denied: failed to match an API-gateway" utmref=65490-0
UTM log example when HTTPS SNI doesn't match HTTP host header:
date=xxxx-xx-xx time=15:24:25 eventtime=1623277465275003194 tz="-0700" logid="2102060522" type="utm" subtype="ztna" eventtype="ztna-error" level="warning" vd="root" msg="Unable to match an API-gateway" policyid=5 sessionid=17614 srcip=10.1.100.206 dstip=172.18.62.112 srcport=56040 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="root" dstintfrole="undefined" proto=6 action="blocked" service="HTTPS" vip="zv2" accessproxy="zs2" desc="HTTP url(https://aq4.test.com/) failed to match an API-gateway with vhost(name/hostname:_def_virtual_host_/_def_virtual_host_)"
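Each blocked ZTNA flow on the slides above produces two records that share vd and sessionid: a traffic log (logid 0000000013, action="deny", utmaction="block", countztna set) stating that the session was denied, and a UTM log (subtype="ztna") whose eventtype and msg/desc carry the reason. The following Python is an added example (not Fortinet's tooling) that parses FortiOS key=value log lines, joins the pairs on (vd, sessionid) and reports per denied session what the UTM record says; the sample records are constructed from the slides' examples, trimmed to the fields used here and with the date placeholder kept, and REASON_HINTS is the example's own one-line summary of the event descriptions above, not a Fortinet reference.

```python
"""Parse FortiOS ZTNA traffic and UTM logs and explain each denied session.

Added example, not Fortinet's code. SAMPLE_LOGS are constructed from the
slides' records (trimmed; date kept as the xxxx-xx-xx placeholder). A traffic
record and its UTM companion share vd and sessionid, which is the join key.
"""
import re
from collections import Counter, defaultdict

# key=value pairs; a value is either double-quoted (may contain spaces) or bare.
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# ZTNA UTM eventtype -> first thing to check (example's own summary of the slides).
REASON_HINTS = {
    "ztna-clt-cert": "client certificate empty or failed validation",
    "ztna-policy-match": "no ZTNA rule (proxy-policy) matched",
    "ztna-error": "API gateway / virtual host not matched or real server unreachable",
}

SAMPLE_LOGS = [
    'date=xxxx-xx-xx time=16:36:54 logid="0000000013" type="traffic" subtype="forward" vd="root" srcip=10.1.100.206 srcport=56494 dstip=172.18.62.112 dstport=443 sessionid=21453 proto=6 action="deny" policyid=5 policytype="policy" policyname="ztna" service="HTTPS" utmaction="block" countztna=1 msg="Denied: empty client certificate" utmref=65483-0',
    'date=xxxx-xx-xx time=16:36:54 logid="2100060500" type="utm" subtype="ztna" eventtype="ztna-clt-cert" level="warning" vd="root" msg="Client sends an empty certificate" policyid=5 sessionid=21453 srcip=10.1.100.206 dstip=172.18.62.112 srcport=56494 dstport=443 proto=6 action="blocked" service="HTTPS" vip="zv2" accessproxy="zs2"',
    'date=xxxx-xx-xx time=15:15:39 logid="2102060522" type="utm" subtype="ztna" eventtype="ztna-error" level="warning" vd="root" msg="Unable to match an API-gateway" policyid=5 sessionid=17152 srcip=10.1.100.206 dstip=172.18.62.112 srcport=55974 dstport=443 proto=6 action="blocked" service="HTTPS" vip="zv2" accessproxy="zs2" desc="HTTP url(https://qbcd.test.com/test123456) failed to match an API-gateway with vhost(name/hostname:_def_virtual_host_/_def_virtual_host_)"',
    'date=xxxx-xx-xx time=15:15:39 logid="0000000013" type="traffic" subtype="forward" vd="root" srcip=10.1.100.206 srcport=55974 dstip=172.18.62.112 dstport=443 sessionid=17152 proto=6 action="deny" policyid=5 policytype="policy" policyname="ztna" service="HTTPS" utmaction="block" countztna=2 msg="Denied: failed to match an API-gateway" utmref=65490-0',
    'date=xxxx-xx-xx time=15:20:20 logid="0000000013" type="traffic" subtype="forward" vd="root" srcip=10.1.100.206 srcport=56010 dstip=172.18.62.112 dstport=443 sessionid=17456 proto=6 action="deny" policyid=0 policytype="proxy-policy" service="HTTPS" utmaction="block" countztna=2 msg="Denied: failed to match a proxy-policy" utmref=65488-26',
    'date=xxxx-xx-xx time=15:20:20 logid="2101060510" type="utm" subtype="ztna" eventtype="ztna-policy-match" level="warning" vd="root" msg="Connection is blocked due to unable to match a proxy-policy" policyid=0 sessionid=17456 srcip=10.1.100.206 dstip=172.18.62.112 srcport=56010 dstport=443 proto=6 action="blocked" service="HTTPS" gatewayid=1 vip="zv2" accessproxy="zs2"',
]


def parse_record(line):
    """Turn one FortiOS log line into a dict; surrounding quotes are removed."""
    rec = {}
    for key, value in KV.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        rec[key] = value
    return rec


def correlate(lines):
    """Group parsed records by (vd, sessionid) into {'traffic': [...], 'utm': [...]}."""
    sessions = defaultdict(lambda: {"traffic": [], "utm": []})
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") in ("traffic", "utm"):
            sessions[(rec.get("vd"), rec.get("sessionid"))][rec["type"]].append(rec)
    return sessions


def explain_denials(lines):
    """One summary per ZTNA-denied session: endpoints, policy, and the UTM reason."""
    out = []
    for (vd, sid), recs in sorted(correlate(lines).items(), key=lambda kv: int(kv[0][1])):
        denied = [t for t in recs["traffic"]
                  if t.get("action") == "deny" and t.get("utmaction") == "block"
                  and "countztna" in t]
        if not denied:
            continue
        t = denied[0]
        ztna = [u for u in recs["utm"] if u.get("subtype") == "ztna"]
        event = ztna[0].get("eventtype") if ztna else None
        out.append({
            "sessionid": sid, "vd": vd, "srcip": t["srcip"], "dstip": t["dstip"],
            "policyid": t["policyid"], "policytype": t["policytype"],
            "traffic_msg": t["msg"],
            "utm_msg": ztna[0]["msg"] if ztna else None,
            "eventtype": event,
            "hint": REASON_HINTS.get(event, "no ZTNA UTM record for this session"),
            "desc": ztna[0].get("desc") if ztna else None,
        })
    return out


def denials_per_source(lines):
    """Count ZTNA denials per source IP: repeated denials from one endpoint usually
    mean a broken FortiClient/EMS registration rather than a policy problem."""
    return Counter(d["srcip"] for d in explain_denials(lines))


if __name__ == "__main__":
    for d in explain_denials(SAMPLE_LOGS):
        print(d["sessionid"], d["srcip"], "->", d["dstip"], "|", d["traffic_msg"], "|", d["hint"])
    print(denials_per_source(SAMPLE_LOGS))
```

The join on sessionid matters because the traffic log alone only says "Denied"; the proxy-policy case is recognisable there by policyid=0 and policytype="proxy-policy", but the certificate and API gateway cases need the UTM eventtype and desc.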

Lesson Progress
ZTNA Introduction
Device Identity and Trust
ZTNA Configuration Setups
Comparing ZTNA to SSL and IPsec VPN
ZTNA Troubleshooting and Debugging

Review
✓ Understand the benefits of ZTNA
✓ Understand basic ZTNA configuration
✓ Understand ZTNA tagging rules
✓ Manage tags
✓ Understand how to establish device identity and trust
✓ Understand SSL certificate-based authentication
✓ Discuss ZTNA configuration setups
✓ Understand the evolution of teleworker remote access with ZTNA
✓ Troubleshoot and debug ZTNA issues