Lab Guide

The document is a lab guide for implementing Fortinet's Zero Trust Network Access (ZTNA) solutions, aimed at enhancing secure application access for a hybrid workforce. It covers various topics including endpoint management, identity and access management, and the integration of FortiPAM for privileged access. The guide provides detailed instructions for configuring FortiClient EMS, establishing secure connections, and applying endpoint protection policies to mitigate cybersecurity risks.


The Evolution of Access to Applications with Fortinet

ZTNA
Lab Guide
FFT-ZTNA-r03-1719510429
Table of contents
1. The Evolution of Access to Applications with Fortinet ZTNA ................................................ 3
1.1. Fast Track Overview .......................................................................................................... 4
1.2. Agenda ................................................................................................................................ 5
1.3. Topology .............................................................................................................................. 6
2. EMS ................................................................................................................................................. 7
2.1. Fabric Integration .............................................................................................................. 8
2.2. On and Off Fabric ............................................................................................................. 10
2.3. Endpoint Protection Profile and Policy ........................................................................ 11
2.4. ZTNA Tags ......................................................................................................................... 14
2.5. FortiClient EPP ................................................................................................................. 16
2.6. Patch Vulnerabilities ....................................................................................................... 18
3. Identity and Access ................................................................................................................... 19
3.1. SAML .................................................................................................................................. 20
4. Full ZTNA ..................................................................................................................................... 23
4.1. ZTNA Authentication ....................................................................................................... 24
4.1. ZTNA HTTPS Application Gateway ................................................................................ 26
4.1.1. ZTNA HTTPS Server/Rule ............................................................................................ 27
4.1.2. Test ZTNA Connection ................................................................................................ 29
4.1.3. Enable Malware Protection ......................................................................................... 31
4.1.4. Demonstrate ZTNA Connectivity ................................................................................ 32
4.2. ZTNA TCP Forwarding ..................................................................................................... 34
4.2.1. Configure ZTNA RDP Server/Rule ............................................................................... 35
4.2.2. Configure EMS ZTNA Destination ............................................................................... 37
4.2.3. Demonstrate ZTNA Connectivity ................................................................................ 39
4.3. On-Net-Worker ................................................................................................................. 41
4.3.1. Test User Access without ZTNA .................................................................................. 42
4.3.2. Configure IP/MAC Based Access Control Policy .......................................................... 43
4.3.3. Demonstrate Dynamic Access Control ....................................................................... 45
5. Traditional VPN and ZTNA ........................................................................................................ 46
5.1. FortiClient IPsec VPN ...................................................................................................... 47
5.1.1. Configure RADIUS Remote User Group ...................................................................... 48
5.1.2. Configure IPsec VPN ................................................................................................... 50
5.1.3. Establish Remote Connection .................................................................................... 54
5.1.4. Secure Access to Corporate Resources ...................................................................... 55
5.2. ZTNA Over VPN ................................................................................................................ 56
5.2.1. IPsec VPN with ZTNA Tags ......................................................................................... 57
5.2.2. Accessing Resources .................................................................................................. 58
6. ZTNA Access to critical asset with FortiPAM ......................................................................... 60
6.1. FortiPAM Proxy Rule and User Setup ........................................................................... 61
6.2. FortiPAM Folder and Secret Setup ............................................................................... 63
6.3. Privileged User Access with ZTNA ................................................................................ 66
7. Conclusion ................................................................................................................................... 68
7.1. Continued Education ....................................................................................................... 69

The Evolution of Access to Applications with Fortinet


ZTNA Lab Guide
Page 2 of 69 Fortinet Training Institute
1. The Evolution of Access to Applications with Fortinet ZTNA

In response to the evolving work landscape, ACMECorp is transitioning to a hybrid workforce model, emphasizing the
importance of secure access to work applications across various locations to uphold employee productivity. Fortinet
Universal ZTNA plays a critical role in ensuring the secure availability of applications, regardless of whether employees are
working remotely or in the office.

ACMECorp's network administrators are actively implementing a zero-trust access strategy to address risks within the ever-
changing cybersecurity environment. Leveraging Fortinet ZTNA allows ACMECorp to establish a resilient security framework
that caters to diverse user locations, device types, and network complexities.

Through meticulous verification of user identities and device security postures, ZTNA establishes a secure remote access
environment for ACMECorp's employees, partners, and contractors, effectively reducing the risk of security breaches.
Additionally, the deployment of Fortinet ZTNA enables ACMECorp to enforce precise access controls customized to specific
application requirements, ensuring that only authorized individuals can access designated resources. This strategic
alignment not only fortifies security measures but also enhances network visibility, aligning seamlessly with Zero Trust
principles to mitigate security incidents within ACMECorp's network infrastructure.

By participating in this workshop, you will learn how to:

Configure FortiClient Endpoint Management Server (EMS) to extend comprehensive protection to remote users, including
vulnerability scans using FortiClient Endpoint Protection Platform (EPP).

Set up Dial-Up VPN connections and demonstrate secure access to internal resources.

Implement Security Assertion Markup Language (SAML) for enhanced security when accessing resources.

Deploy Zero Trust Network Access (ZTNA) by configuring tags, ZTNA server, rules, and full-mode ZTNA policy for context-
based posture checks, ensuring secure application access.

Configure FortiPAM for corporate administrators who require elevated privileges for network management tasks.

Tasks

1. From the Lab Activity: ZTNA tab, Click to start lab.

2. The blue button at the top of this page is the primary action button. When there is an action that
can be completed on the page, this button will change accordingly.

When ready, click the blue Continue button in the menu at the top of the page to get started.

1.1. Fast Track Overview

Fast Tracks are free instructor-led hands-on workshops that introduce Fortinet solutions for securing your digital
infrastructure. These workshops are only an introduction to what Fortinet security solutions can do for your organization.

For more in-depth training, we encourage you to investigate our full portfolio of NSE training courses at
https://training.fortinet.com.

1.2. Agenda

In the case of this workshop, the exercises are organized as below:

Section  Topic                                        Time        Prerequisite  Mandatory
2        EMS                                          20 Minutes  -             Yes
3        Identity and Access (SAML)                   15 Minutes  2             Yes
4        Full ZTNA                                    45 Minutes  3             Yes
5        Traditional VPN and ZTNA                     20 Minutes  2             No
6        ZTNA Access to critical asset with FortiPAM  20 Minutes  -             No

Tasks

Click Continue to move to the next page.

1.3. Topology

Tasks

Click Continue to move to the next page.

This is the last time we will specifically state to click the Continue button; from now on it is assumed that the user
understands how to move forward.

2. EMS
Introduction

The recent security breach at AcmeCorp underscores the critical importance of robust endpoint management and security
solutions. An employee's inadvertent click on a phishing email led to the installation of malicious software, compromising
sensitive company data and the integrity of AcmeCorp's network. Had AcmeCorp implemented FortiClient EMS and an
Endpoint Protection Platform (EPP) with vulnerability scanning capabilities, they could have conducted regular scans to
identify and patch vulnerabilities in their endpoints, significantly reducing the risk of such breaches. With FortiClient EMS,
AcmeCorp gains centralized visibility and control over remote devices, empowering IT administrators to enforce security
policies, deploy updates, and monitor compliance across their distributed work environment. This strategic adoption of
FortiClient EMS reinforces AcmeCorp's commitment to enhancing endpoint management and security, thereby better
supporting the evolving needs of its remote workforce.

In this section, we'll tackle the comprehensive setup of endpoint management and security. First, we'll configure the EMS
fabric connector, seamlessly integrating it with our network fabric. Next, we'll establish on and off-fabric detection rules,
ensuring precise endpoint tracking. After that, we'll create different profiles for devices based on what they are and who
uses them. At the same time, we'll focus on strengthening FortiClient EPP on every device, and we'll ensure ongoing safety
by regularly updating devices with the latest patches. This approach keeps everything secure and well-organized.

2.1. Fabric Integration

Background

EMS connects to the FortiGate to participate in the Security Fabric. EMS sends FortiClient endpoint information to the
FortiGate. The FortiGate can also receive dynamic endpoint group lists from EMS and use them to build dynamic firewall
policies. EMS sends group updates to FortiGate, and FortiGate uses the updates to adjust the policies based on those groups.
Its tight integration with the Security Fabric enables policy-based automation to contain threats and control outbreaks.
FortiClient ZTNA agent is compatible with Fabric-Ready partners to further strengthen enterprises’ security posture.

Tasks

Configure EMS Fabric Connector

1. From the Lab Activity: ZTNA tab, access FGT-EDGE using the HTTPS option:

Username: admin Password: Fortinet1!

2. Click Security Fabric > Fabric Connectors.

3. Under Core Network Security Connectors, click FortiClient EMS and Edit.

4. Under FortiClient EMS 1 Settings, set status to Enabled and use the following information:

Set Name : EMS

Set IP/Domain name : 172.16.100.125

5. Click OK.

6. A Verify EMS Server Certificate window will appear. Click Accept.

7. Click Close.

Authorize FortiGate on EMS

1. From the Lab Activity: ZTNA tab, access FortiClient EMS using the HTTPS option:

Username: admin Password: Fortinet1!

2. A Fabric Device Authorization Request window listing the FGT-Edge, FGT-DC, and FGT-ISFW serial numbers will pop up.
Click View Details.

Note: Press F5 to refresh the browser tab until you see requests for FGT-EDGE, FGT-DC, and FGT-ISFW.

3. Select (FGVM1TM19002139) and click Authorize.

4. Similarly, select (FGVM01TM19002140) and click Authorize, and do the same for (FGVM01TM19002141).

Note: FortiGate-Edge, FortiGate-DC, and FortiGate-ISFW are part of the same Security Fabric group and are now
authorized on the FortiClient EMS Fabric device.

Verify EMS Server Fabric Connection Status

1. From the Lab Activity: ZTNA tab, access FGT-ISFW using the HTTPS option:

Username: admin Password: Fortinet1!

2. Click Security Fabric > Fabric Connectors.

3. FortiClient EMS Fabric Connector shows connected.

2.2. On and Off Fabric

Background

FortiClient Endpoint Management Server (EMS) offers the On-Fabric Detection feature, which allows organizations to define
and enforce network access rules based on the fabric status of endpoints. With On-Fabric Detection rules, FortiClient EMS
can dynamically adapt security policies based on whether an endpoint is connected to the corporate network or operating
off-network. Depending on the endpoint's on-fabric status, EMS may apply a different profile to the endpoint, as configured
in the applied endpoint policy.

Tasks

To view an On-fabric detection rule set:

1. On FortiClient EMS, go to Endpoint Policy & Components > On-fabric Detection Rules.

Note: You will see two On-Fabric Rule Sets pre-configured. These are the two local networks behind FGT-ISFW.

2. Select the rule set On-Net-UserNet-1-172.16.10.0/24.

3. Click Edit and review the rule.

4. Click Rule Type: Local IP/Subnet

5. Click Edit Rule.

6. Review the Rule and Click Cancel.

7. Click Cancel again.

8. Select the rule set On-Net-UserNet-2-172.16.20.0/24 and review the Rule.

9. Click Cancel.

Note: 172.16.10.0/24 is Internal User-Network-1 and 172.16.20.0/24 is Internal User-Network-2; both are behind FGT-ISFW.
Any FortiClient endpoint on either of these networks is considered On-Net.

2.3. Endpoint Protection Profile and Policy

Background

EMS allows admins to update profiles for endpoint users regardless of access location, such as administering antivirus, web
filtering, VPN, and signature updates. Endpoint policies make it simpler to provision endpoints. You can now create and
manage endpoint policies to assign profiles and Telemetry gateway lists to domains, OUs, and workgroups. In this lab, you
will configure an endpoint protection profile and policy on EMS.

Tasks

Configure Endpoint Protection Profiles

1. On FortiClient EMS, click Endpoint Profiles > Malware Protection.

2. Click +Add.

3. Enter Name: ZTNA-EPP

Note: Do NOT turn on AntiVirus Protection yet.

4. Click Save.

5. Click Endpoint Profiles > Remote Access.

6. Click +Add

7. Enter Name: ZTNA-EPP

8. Click Save

9. Click Endpoint Profiles > Vulnerability Scan.

10. Click +Add

11. Enter Name: ZTNA-EPP

12. Enable Scan on Registration

13. Click Save

14. Under Endpoint Profiles, click System Settings.

15. Click +Add

16. Enter Name: ZTNA-EPP

17. Click Advanced.

18. Under UI, turn ON Show Zero Trust Tag on FortiClient GUI.

19. Click Save.

Configure Endpoint Protection Policy

1. Click Endpoint Policy & Components > Manage Policies

2. Click +Add and use the following information:

Endpoint Policy Name: ZTNA Policy

Endpoint groups: Click Edit > Checkmark acmecorp and All Groups

Click Save

Note: The acmecorp.net domain has been pre-configured and added to FortiClient EMS under Endpoints > Domains.

Profile (Off-Fabric): Turn ON

On the right-hand side, assign the ZTNA-EPP profile to the following features:

VPN: ZTNA-EPP

VULN: ZTNA-EPP

MW: ZTNA-EPP

SYS: ZTNA-EPP

Note: The profile on the right side is applied when the endpoint is Off-network.

On-Fabric Detection Rules: Select On-Net-UserNet-1-172.16.10.0/24 & On-Net-UserNet-2-172.16.20.0/24.

Note: These are the On-Fabric Detection Rules that you reviewed in the previous objective. If a FortiClient endpoint
belongs to any of the above networks, it is considered On-Fabric and the profiles on the left side are applied. The
profiles on the right side are applied to Off-Fabric endpoints.

Enable the Policy: Turn ON

3. Click Save

2.4. ZTNA Tags

Background

EMS allows admins to create Zero Trust tagging rules for Windows, macOS, Linux, iOS, and Android endpoints based on their
OS versions, logged-in domains, running processes, and other criteria. EMS uses the rules to dynamically group endpoints. By
assigning Zero Trust tags to endpoints, organizations can ensure that access controls and security policies are enforced
consistently across the network, regardless of the endpoint's location or connectivity status.

Tasks

Configure Zero Trust Tagging Rule

Rule #1: AV Enabled ZTNA Tag Rule

1. On FortiClient EMS, click Zero Trust Tags > Zero Trust Tagging Rules.

2. Click +Add and use the following information.

Name: AntiVirus

Tag Endpoint As : AV_Enabled_Tag (Type in the name and press ENTER to save the tag)

3. Click +Add Rule and use the following information:

OS: Windows

Rule Type: AntiVirus Software

AV Software: AV Software is installed and running

4. Click Save.

5. Click Save again

Note: This rule tags endpoint devices running antivirus software.

Rule #2: Windows OS v2016 ZTNA Tag Rule

1. On FortiClient EMS, click Zero Trust Tags > Zero Trust Tagging Rules.

2. Click +Add and use the following information.

Name: Windows_2016

Tag Endpoint As : WIN_2016 (Type in the name and Press ENTER to save the tag)

3. Click +Add Rule and use the following information:

OS: Windows

Rule Type: OS Version

OS Version: Windows Server 2016

4. Click Save.

5. Click Save again.

Note: This rule tags endpoint devices running Windows Server 2016.

2.5. FortiClient EPP

Background

AcmeCorp utilizes FortiClient Endpoint Protection Platform (EPP) as a vulnerability scanner to enhance its cybersecurity
defenses. The vulnerability scanning feature of FortiClient EPP helps AcmeCorp's IT team detect software vulnerabilities,
system misconfigurations and other security gaps that could be exploited by cyber threats. By leveraging FortiClient EPP as
a vulnerability scanner, AcmeCorp strengthens its overall security posture and ensures the protection of its sensitive data
and network resources.

Tasks

Register FortiClient and Scan Vulnerabilities

1. From the Lab Activity: ZTNA tab, access Carol's machine using the RDP option.

2. Open the FortiClient console on the desktop.

3. Click Zero Trust Telemetry. Enter Server Address 100.65.0.101 and click Connect.

4. Click Accept on the Invalid certificate detected window.

Note: Within a few seconds, the FortiClient Fabric Agent will sync with the EMS server via Telemetry
and start receiving configuration updates. This EMS synchronization enables protection profiles such
as Malware Protection, Remote Access, Vulnerability Scan, etc.

5. Click VULNERABILITY SCAN.

Note: The vulnerability scan will take approximately 2-3 minutes, please wait.

6. Click CRITICAL under Vulnerabilities Detected.

7. Expand the Browser section.

8. You will see Firefox 80.0.0.7535 (23) detected as a Critical vulnerability.

2.6. Patch Vulnerabilities

Background

ACMECorp's IT team diligently patches vulnerabilities to strengthen the organization's security measures. By promptly
addressing and applying patches to known vulnerabilities, ACMECorp reduces the risk of exploitation and potential security
breaches. This proactive approach to patch management helps maintain a robust and secure IT environment, safeguarding
the company's systems and data from cyber threats.

Tasks

Patch Vulnerability

1. On FortiClient EMS, click Endpoints > All Endpoints

2. Select Carol-WIN-2016

3. Click Patch

4. Click All Critical and High Vulnerabilities

Note: The vulnerability patch will require some time, please wait.

View Results

1. On Carol's machine, open the FortiClient console on the desktop.

2. Click VULNERABILITY SCAN

3. Under Vulnerabilities Detected, click 0 CRITICAL vulnerability

4. Expand the Browser section; it now shows 0 vulnerabilities.

Note: In some cases, certain vulnerabilities identified in Fortinet's Endpoint Protection Platform (EPP) may require manual
patching by ACMECorp's IT team. These vulnerabilities may be more complex or specific, necessitating a hands-on
approach to ensure proper remediation.

3. Identity and Access
Background

AcmeCorp, a leading organization in the digital landscape, recognizes the critical need for managing employee access to
various systems and applications. As AcmeCorp has a large and diverse workforce with employees across different
departments and roles, identity and access management (IAM) plays a crucial role in ensuring that each employee has the
appropriate level of access to the resources they need to perform their job effectively while maintaining security and
compliance.

At AcmeCorp, Security Assertion Markup Language (SAML) enables secure single sign-on (SSO) for employees accessing various
cloud-based applications and services. By implementing SAML, AcmeCorp can establish a trust relationship between its
identity provider (such as Active Directory) and the service providers (cloud applications) used by employees. When an
employee attempts to access a cloud application, the identity provider generates a SAML assertion containing the user's
identity information and sends it to the service provider. The service provider then validates the SAML assertion and
grants access to the employee without requiring them to enter separate login credentials.

In this section, you will configure SAML for the AcmeCorp organization to simplify the user authentication process, enhance
security by reducing the risk of password-related vulnerabilities, and improve overall user experience by eliminating the
need to manage multiple sets of credentials for different applications.

3.1. SAML

Background

In this lab you will configure FortiAuthenticator as the SAML identity provider (IdP) and FGT-EDGE as the SAML service provider (SP).

Tasks

Configure FortiAuthenticator

1. From the Lab Activity: ZTNA tab, access FortiAuthenticator using the HTTPS option:

Username: admin Password: Fortinet1!

2. Click Certificate Management > End Entities > Local Services.

3. Select the check box next to the AcmeCorpDevice28 certificate ID.

4. Click Export Certificate.

Note: The certificate will be imported on FGT-EDGE so that the SP connection to the IdP uses the correct certificate. If
the wrong certificate is used, the SP request to the IdP will not work.

5. Click Authentication > SAML IdP > General.

6. Toggle on Enable SAML Identity Provider portal.

7. Configure the following settings:


Server address: fac.acmecorp.net
Set Default IdP certificate to AcmeCorpDevice28 | [email protected]
Under Realms click +Add a realm and select acmecorp.net | LDAP (172.16.100.10)
Enable Filter and select the pencil icon

Select and move VPN Users to the right side under Chosen User Groups by clicking on the arrow

Select OK

8. Click Save.

9. Click on Authentication > SAML IdP > Service Providers.

10. Click + Create New.

11. Configure the following settings:


SP Name: SAML_SP
IdP prefix: Click + next to “Please select”
IdP prefix: fgt
Click OK
Enable: Participate in single logout
Click + Assertion Attributes
Click + Add Assertion Attribute
Set SAML attribute: username and User attribute: Username
Click Save.

Note: Keep the FortiAuthenticator page open; we will return to it after setting up the FGT-EDGE SAML configuration.

Configure FGT-EDGE

1. On FGT-EDGE, click Users & Authentication > Single Sign-On.

2. Click + Create New.

3. Configure the following settings:


Name: SAML_SP
Address: webserver.acmecorp.net:9443
Toggle on the Certificate and set it to AcmeCorpDevice28

4. Click Next and Configure the following settings:


Set Type to Fortinet Product
Set Address to fac.acmecorp.net
Set Prefix to fgt
Click the drop-down for Certificate and Click +
Click +Upload
Select the certificate you exported from FortiAuthenticator
Click OK.
Select REMOTE_Cert_1
Set Attribute used to identify users to username

5. Click Submit

FortiAuthenticator SP Configuration

1. On FGT-EDGE click User & Authentication > Single Sign-On and select SAML_SP and click Edit.

2. Copy the links below one by one from FGT-EDGE and go back to the FortiAuthenticator Service Providers page opened
previously.

3. Paste each link into the matching FortiAuthenticator field:


FGT-EDGE Entity ID link to SP entity ID
FGT-EDGE Assertion consumer service URL link to SP ACS (login) URL
FGT-EDGE Single logout service URL link to SP SLS (logout) URL

4. Set IdP prefix to fgt.

5. On FortiAuthenticator, Click Save.

6. On FGT-EDGE click OK.
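The FortiOS CLI form of the SAML_SP object built in the GUI steps above, added here as an illustration and not taken from the lab guide. The entity ID, ACS and SLO URLs are assumed to follow the patterns the FortiGate and FortiAuthenticator GUIs generate for a Fortinet Product IdP with prefix fgt; check them against the values shown on your own FGT-EDGE Single Sign-On page.

```fortios
# Added example: CLI view of the SAML_SP service provider object on FGT-EDGE.
# URL paths are assumed from the standard FortiGate (/remote/saml/...) and
# FortiAuthenticator (/saml-idp/<prefix>/...) patterns, with IdP prefix "fgt".
config user saml
    edit "SAML_SP"
        # Certificate presented by the SP (FGT-EDGE), as selected in the GUI
        set cert "AcmeCorpDevice28"
        # SP endpoints, derived from Address webserver.acmecorp.net:9443;
        # these are the three links pasted into the FortiAuthenticator SP entry
        set entity-id "https://webserver.acmecorp.net:9443/remote/saml/metadata/"
        set single-sign-on-url "https://webserver.acmecorp.net:9443/remote/saml/login/"
        set single-logout-url "https://webserver.acmecorp.net:9443/remote/saml/logout/"
        # IdP endpoints, derived from fac.acmecorp.net and prefix fgt
        set idp-entity-id "http://fac.acmecorp.net/saml-idp/fgt/metadata/"
        set idp-single-sign-on-url "https://fac.acmecorp.net/saml-idp/fgt/login/"
        set idp-single-logout-url "https://fac.acmecorp.net/saml-idp/fgt/logout/"
        # IdP signing certificate exported from FortiAuthenticator and uploaded as REMOTE_Cert_1;
        # assertions signed by any other certificate are rejected
        set idp-cert "REMOTE_Cert_1"
        # Assertion attribute that carries the user name (matches the IdP's "username" attribute)
        set user-name "username"
    next
end
```

On FGT-EDGE, `show user saml SAML_SP` prints the object as stored, which is a quick way to confirm the three SP URLs match what was pasted into FortiAuthenticator.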

4. Full ZTNA
Background

AcmeCorp is currently utilizing ZTNA over VPN technology, and they are now poised to transition to a comprehensive ZTNA
solution to maximize its benefits. While ZTNA over VPN tunnels offers several fundamental principles of a full ZTNA solution,
it does not encompass all functionalities.

Let's delve into the concept of ZTNA for a deeper understanding. ZTNA operates on the foundational principles of "never
trust, always verify," significantly reducing organizational attack surfaces by meticulously verifying user and device
credentials before granting access to applications. Furthermore, it continuously monitors these entities for any alterations in
their security posture.

ZTNA provides the following key features:

Verifies user and device identity, possibly using multi-factor authentication (MFA) and certificates, to ensure that only the correct users and devices have access.
Checks the contextual information about the user, such as their location, time of day, and device type, to ensure that it matches the policy for accessing an application.
Verifies the posture of the device to ensure that only appropriately configured devices can access applications.
Provides ongoing checking of users and devices so that if any contextual information changes, access to the application is removed.
Grants access only to a specific application for a single session. Every access request is verified, regardless of the user or application.
This approach of frequent and complete verification reduces the attack surface, making it harder for bad actors to gain or maintain access to an application.

AcmeCorp is currently exploring various ZTNA solutions tailored to their requirements, including:

ZTNA HTTPS Application Gateway for Remote User
ZTNA TCP Forwarding for Remote User
ZTNA for On-Net-Worker

These solutions are poised to enhance security and streamline access management for AcmeCorp's user base.

4.1. ZTNA Authentication

Background

In this exercise you will configure a SAML authentication scheme and rule, and set up user groups.

Tasks

Configure FGT-EDGE

1. On FGT-EDGE, click Users & Authentication > User Groups.

2. Click +Create New and configure the below settings:

Name: ZTNA_SAML_Users
Under Remote Groups click +Add
Remote Server: SAML_SP
Groups: Any
Click OK

3. Click OK.

4. Click Policy & Objects > Authentication Rules.

5. Click +Create New > Authentication Scheme and configure the below settings:

Name: ZTNA_SAML_Auth_Scheme
Method: SAML
SAML SSO Server: SAML_SP

6. Click OK.

7. Click +Create New > Authentication Rule and configure the below settings:

Name: ZTNA_SAML_Auth_Rule
Source Address: all
Incoming Interface: ISP1(port6)
Protocol: HTTP
Authentication Scheme: ZTNA_SAML_Auth_Scheme
IP-based Authentication: Disable

8. Click OK.
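Added example (not from the lab guide): the FortiOS CLI form of the user group, authentication scheme and authentication rule configured in steps 1 to 8 above, using only the object names and the ISP1 (port6) interface given in those steps.

```fortios
# Added example: CLI view of the ZTNA SAML authentication objects on FGT-EDGE.
# SAML_SP is the SAML server object created in the Identity and Access section.
config user group
    edit "ZTNA_SAML_Users"
        # Remote group backed by SAML_SP; with no "config match" entry every
        # SAML-authenticated user is a member (Groups: Any in the GUI)
        set member "SAML_SP"
    next
end
config authentication scheme
    edit "ZTNA_SAML_Auth_Scheme"
        set method saml
        set saml-server "SAML_SP"
    next
end
config authentication rule
    edit "ZTNA_SAML_Auth_Rule"
        set status enable
        # Apply to HTTP-based (proxy) sessions arriving on ISP1 from any source
        set srcintf "port6"
        set srcaddr "all"
        set protocol http
        # Unauthenticated users are sent to the SAML captive portal of the scheme
        set active-auth-method "ZTNA_SAML_Auth_Scheme"
        # Session-based rather than IP-based: the identity is bound to the
        # browser session, so users sharing one NAT address are not conflated
        set ip-based disable
    next
end
```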

4.1. ZTNA HTTPS Application Gateway

Background

AcmeCorp is implementing a ZTNA access proxy solution to enable users to securely access resources through an SSL
encrypted access proxy, thereby simplifying remote access without the need for traditional dial-up VPNs. The incorporation
of ZTNA rules and tagging adds an extra layer of identity and posture verification.

In this section, you will focus on configuring the HTTPS access proxy for AcmeCorp to facilitate remote user access to the
internal AcmeCorp web server.

The FortiGate HTTPS access proxy functions as a reverse proxy for the HTTP server. When a client attempts to connect to a web page hosted by the protected server, the name resolves to the FortiGate's access proxy VIP. The FortiGate terminates the TLS connection and authenticates the device first: the browser is prompted for a client certificate, which the FortiGate checks against the ZTNA endpoint record synchronized from FortiClient EMS. If an authentication scheme such as SAML is enabled, the user is then redirected to a captive portal to sign on. Only after both checks pass is the request evaluated against the ZTNA rules, and the FortiGate fetches and returns the requested page to the client.

4.1.1. ZTNA HTTPS Server/Rule

Background

AcmeCorp is planning to deprecate the use of VPNs and, as such, is setting up a ZTNA gateway connection for its remote
employees to securely connect to the corporate web servers.

Tasks

1. On FGT-EDGE, click Policy & Objects > ZTNA > ZTNA Servers.

2. Click Create New and use the following information:

Name: ZTNA_webserver
interface: ISP1 (port6)
IP address: 100.65.0.101
Port: 9443
Enable SAML and set it to SAML_SP
Default certificate: AcmeCorpDevice28

Click OK

3. Under Service/server mapping, click + Create.

4. Set Service to HTTP.

5. Under Server enter the following information:

IP address: 172.16.100.10

Note: 172.16.100.10 is the Sales web server for AcmeCorp.

Port: 80

6. Click OK.

7. Click OK.

Configure ZTNA Rule

1. Click Policy & Objects > Firewall Policy.

2. Click Cancel for User New Policy List Layout notification.

3. Click +Create New and use the following information:

Name: ZTNA_Server
Type: ZTNA
Incoming Interface: ISP1(port6)
Source: all; then open the User dropdown, select ZTNA_SAML_Users and click Close
Security posture tag: leave the match logic at All, click +, select IP TAG AV_Enabled_Tag and IP TAG WIN_2016, then click Close

Note: With the match logic set to All, an endpoint must carry both tags to be allowed access through this rule.

ZTNA Server: ZTNA_webserver

4. Click OK.
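
The ZTNA server and rule above, expressed as FortiOS CLI. This is an added example and not part of the original lab guide. It assumes the FortiOS 7.2+ layout in which ZTNA rules live under config firewall proxy-policy (on 7.0 the same rule is a config firewall policy entry of type access-proxy, the form the FortiPAM output later in this guide shows), assumes that EMS tags appear on the FortiGate as address objects named EMS1_ZTNA_<tag>, and places saml-server under the api-gateway as in 7.0+ syntax. Treat those names as assumptions and compare against the show output of what the GUI wrote.

```fortios
# Added example (not from the lab guide): CLI view of the ZTNA_webserver server
# and the ZTNA_Server rule. Object names other than the lab's own are assumptions.

# ZTNA server = a VIP of type access-proxy on the ISP1 interface (4.1.1, step 2).
config firewall vip
    edit "ZTNA_webserver"
        set type access-proxy
        set extip 100.65.0.101
        set extintf "port6"
        set server-type https
        set extport 9443
        set ssl-certificate "AcmeCorpDevice28"
    next
end

# Access proxy: terminates TLS, demands the EMS-issued client certificate, redirects
# to SAML, then reverse-proxies "/" to the Sales web server over plain HTTP (port 80).
config firewall access-proxy
    edit "ZTNA_webserver"
        set vip "ZTNA_webserver"
        set client-cert enable
        config api-gateway
            edit 1
                set url-map "/"
                set service http
                set saml-server "SAML_SP"
                config realservers
                    edit 1
                        set ip 172.16.100.10
                        set port 80
                    next
                end
            next
        end
    next
end

# ZTNA rule: SAML group AND both posture tags must match; anything else gets the
# Access Denied page that 4.1.2 demonstrates. logtraffic all so denials are visible.
config firewall proxy-policy
    edit 0
        set name "ZTNA_Server"
        set proxy access-proxy
        set access-proxy "ZTNA_webserver"
        set srcintf "port6"
        set srcaddr "all"
        set dstaddr "all"
        set groups "ZTNA_SAML_Users"
        set ztna-ems-tag "EMS1_ZTNA_AV_Enabled_Tag" "EMS1_ZTNA_WIN_2016"
        set ztna-tags-match-logic and
        set action accept
        set schedule "always"
        set logtraffic all
    next
end

# The posture data the rule evaluates, as synchronized from EMS:
# per-endpoint UID, certificate serial and tags, then the tag-to-address mapping.
show firewall address | grep -f ems-tag
diagnose endpoint record list
diagnose firewall dynamic list
```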

4.1.2. Test ZTNA Connection

Background

ZTNA differs from traditional SSL VPN or IPsec VPN teleworking solutions in that it simplifies remote access while adding security checks that authenticate the identity of both the device and the user and verify the overall security posture of the endpoint. Remote users only need to register with the EMS server, then access web resources directly from their browser.

Tasks

FortiClient ZTNA Agent with EMS

1. On Carol machine, open FortiClient console on Desktop.

2. Click Carol’s avatar to view the WIN_2016 Zero Trust Tag assigned to Carol.

Note: If AV_Enabled_Tag is already assigned to this FortiClient, toggle off Antivirus Protection in the ZTNA-EPP Malware Protection profile in EMS so that the Access Denied result expected below can be observed.

Test Remote Access to the HTTPS Access Proxy

1. On Carol machine, open chrome and click Sales WebServer browser bookmark page.

2. The browser will prompt for the client certificate to use. Choose the EMS signed certificate and click OK.

3. If prompted for authentication, enter Carol's AD credentials: Username: carol, Password: Fortinet1!

4. A block page with Access Denied is presented.

Note: Carol's machine is not running any anti-malware/antivirus software, so it does not carry AV_Enabled_Tag, fails the posture check in the ZTNA rule, and is not yet allowed to reach AcmeCorp's Sales web server or other corporate assets.

5. Close the web browser.

4.1.3. Enable Malware Protection

Background

The Malware Protection tab contains options for configuring AV, anti-ransomware, anti-exploit, cloud-based malware
detection, removable media access, exclusions list, and other options.

Tasks

Enable Malware Protection

1. On FortiClient EMS, click Endpoint Profiles > Malware Protection.

2. Click ZTNA-EPP profile and click Edit.

3. Toggle on AntiVirus Protection.

4. Click Save.

5. Click Zero Trust Tags > Zero Trust Tag Monitor.

Note: Carol's machine should now be tagged with AV_Enabled_Tag. If the tag is not shown, wait 1-2 minutes for Carol's FortiClient to synchronize its configuration with the EMS server, then click Refresh at the top right.

4.1.4. Demonstrate ZTNA Connectivity

Background

When FortiClient ZTNA agent registers to FortiClient EMS, device information, log on user information, and security posture
are all shared over ZTNA telemetry with the EMS server. Clients also make a certificate signing request to obtain a client
certificate from the EMS that is acting as the ZTNA Certificate Authority (CA).

Based on the client information, EMS applies matching Zero Trust tagging rules to tag the clients. These tags, and the client
certificate information, are synchronized with the FortiGate in real-time. This allows the FortiGate to verify the client's
identity using the client certificate, and grant access based on the ZTNA tags applied in the ZTNA rule.

Tasks

Test ZTNA Web Server Remote Connection

1. On Carol's machine, open the FortiClient console. MALWARE PROTECTION now appears in the console; click Carol's avatar to view AV_Enabled_Tag.

2. Open Chrome and click Sales Webserver browser bookmark page.

3. Enter the following AD credentials for Carol and Sign in using SAML:

Username: carol Password: Fortinet1!

4. You are successfully allowed ZTNA remote connection to the sales webserver.

Note: Carol's Windows 2016 endpoint is now running AV software and is therefore deemed compliant, so it is allowed by the ZTNA rule configured in the earlier exercise.

Note: Traffic is TLS-encrypted between the client and the FortiGate, but the FortiGate-to-server leg is plain HTTP (the server mapping uses port 80), so that internal segment must be trusted or the mapping changed to HTTPS. The credential prompt comes from the FortiGate's SAML captive portal, not from the web server.

Review Certificate Details on Client Machine

1. On Carol’s machine task bar, open Search.

2. In the search bar, type user certificate and click Manage user certificates.

3. In the User Certificate store, open folder Personal > Certificates.

4. Choose the FCTEMS issued certificate and double-click the certificate to view its properties.

5. Under the General tab, the Issued to field shows the identifier (the FortiClient ID) the client certificate was issued to.

6. Under Details tab, you will find the Serial number (SN) of the certificate.

Review Endpoint Information on EMS

1. On EMS, click Endpoints > All Endpoints.

2. Click user entry Carol.

3. Under Configuration, view the FortiClient ID and ZTNA Serial Number fields; they match the certificate on the FortiClient and the endpoint record held by the FortiGate.

Note: The ID and SN in the below screenshot might be different from yours.

4.2. ZTNA TCP Forwarding

Background

AcmeCorp is implementing a ZTNA TCP forwarding access proxy (TFAP) solution to give users secure access to resources through an SSL-encrypted access proxy, streamlining remote access without reliance on traditional dial-up VPNs. The integration of ZTNA rules and tagging enhances identity and posture verification.

In this section, our focus lies on configuring TCP forwarding for AcmeCorp to facilitate user access to internal resources using
RDP.

The TCP forwarding access proxy operates as a specialized form of HTTPS reverse proxy. Rather than directing traffic to a
web server, TCP traffic is tunneled between the client and the access proxy over HTTPS and then forwarded to the protected
resource. The FortiClient endpoint configures the ZTNA connection by specifying the proxy gateway and the destination host
it intends to reach. Upon initiating an HTTPS connection to the FortiGate’s access proxy VIP, the client certificate undergoes
verification, granting access based on ZTNA rules. Subsequently, TCP traffic is forwarded from the FortiGate to the protected
resource, establishing an end-to-end connection.

4.2.1. Configure ZTNA RDP Server/Rule

Background

AcmeCorp is planning to set up a ZTNA TCP forwarding gateway so that its remote employees can securely RDP to an internal host.

Tasks

Configure ZTNA RDP Server

1. On FGT-EDGE, click Policy & Objects > ZTNA > ZTNA Servers.

2. Click + Create New and use the following information:

Name: RDP_Server
Interface: ISP1 (port6)
IP Address: 100.65.0.101
External port: 3390
Default certificate: AcmeCorpDevice28

3. Under Service/server mapping, click + Create new and use the following information:

Type: IPv4
Service: TCP Forwarding
Virtual Host: Any Host

4. Under Servers, next to Address, click the dropdown arrow, click +, then select Address and use the following information:

Name: RDP_Host
IP/Netmask: 172.16.10.50/32
Click OK

5. Click OK.

6. With the newly created RDP_Host address selected, set Ports to 3389.

7. Click OK.

8. Click OK.

Configure ZTNA Rule

1. On FGT-Edge, click Policy & Object > Firewall Policy > + Create New and use the following information:

Name: ZTNA_RDP_Server
Type: ZTNA
Incoming Interface: ISP1 (port6)
Source: Address > all
Security posture tag: All
ZTNA Tag: click + and choose IP TAG AV_Enabled_Tag and IP TAG WIN_2016
ZTNA Server: RDP_Server

2. Click OK.
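
The TCP forwarding server above as FortiOS CLI. This is an added example, not part of the original lab guide; it assumes FortiOS 7.x access-proxy syntax and reuses only the lab's own names, so verify with show firewall access-proxy after the GUI steps. The ZTNA rule is the same shape as the HTTPS rule in 4.1.1 with access-proxy set to RDP_Server and, as configured above, no user group: the proxy authenticates the device (client certificate and both tags) but not the user, who is only authenticated later by the RDP login itself. Add a user group to the rule if the user's identity should be checked before the tunnel is opened.

```fortios
# Added example (not from the lab guide): the RDP_Server ZTNA server from 4.2.1.

# Protected host as a /32 address object (step 4)
config firewall address
    edit "RDP_Host"
        set subnet 172.16.10.50 255.255.255.255
    next
end

# Same VIP shape as the HTTPS gateway, on a different external port (step 2)
config firewall vip
    edit "RDP_Server"
        set type access-proxy
        set extip 100.65.0.101
        set extintf "port6"
        set server-type https
        set extport 3390
        set ssl-certificate "AcmeCorpDevice28"
    next
end

# tcp-forwarding service: there is no url-map, the FortiClient names the
# destination inside the HTTPS tunnel and the proxy maps it to RDP_Host:3389.
# "Virtual Host: Any Host" in the GUI means no virtual-host restriction here.
config firewall access-proxy
    edit "RDP_Server"
        set vip "RDP_Server"
        set client-cert enable
        config api-gateway
            edit 1
                set service tcp-forwarding
                config realservers
                    edit 1
                        set address "RDP_Host"
                        set mappedport 3389
                    next
                end
            next
        end
    next
end
```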

4.2.2. Configure EMS ZTNA Destination

Background

You can use FortiClient to create a secure encrypted connection to protected applications without using VPN. Acting as a
local proxy gateway, FortiClient works with the FortiGate application proxy feature to create a secure connection via HTTPS
using a certificate received from EMS that includes the FortiClient UID.

You can configure these destinations in a ZTNA Destinations profile in EMS and deploy them to endpoints as part of an endpoint policy.

Tasks

Configure ZTNA Destination Endpoint Profile

1. On EMS, click Endpoint Profiles > ZTNA Destinations.

2. Click + Add

3. Set Name: ZTNA-EPP

4. Click Advanced

5. Click Eye icon to enable feature to be shown on endpoint FortiClient.

6. Click + Add Destination and use the following information:

Destination Name: RDP
Destination Host: 172.16.10.50:3389
Proxy Gateway: 100.65.0.101:3390
Click Save

7. Click Save.

Edit Endpoint Policy

1. Click Endpoint Policy & Components > Manage Policies.

2. Click and Edit ZTNA Policy.

3. In the Profile section, ZTNA > choose ZTNA-EPP profile.

4. Click Save.

4.2.3. Demonstrate ZTNA Connectivity

Background

When FortiClient ZTNA agent registers to FortiClient EMS, device information, log on user information, and security posture
are all shared over ZTNA telemetry with the EMS server. Clients also make a certificate signing request to obtain a client
certificate from the EMS that is acting as the ZTNA Certificate Authority (CA).

Based on the client information, EMS applies matching Zero Trust tagging rules to tag the clients. These tags, and the client
certificate information, are synchronized with the FortiGate in real-time. This allows the FortiGate to verify the client's
identity using the client certificate, and grant access based on the ZTNA tags applied in the ZTNA rule.

Tasks

1. On Carol machine , open FortiClient console.

2. Click ZTNA DESTINATION tab and view the ZTNA RDP configuration pushed by EMS to FortiClient.

Note: You may need to wait 1-2 minute(s) for ZTNA RDP configuration to be pushed by EMS to FortiClient.

3. Click start windows icon on the bottom left corner and open remote desktop connection.

4. Enter Computer IP 172.16.10.50 and connect.

5. On the remote desktop login using username acmecorp\carol and password Fortinet1! Then connect.

6. Click OK.

7. Click Yes to accept the certificate warning.

Note: The warning is raised by the target host's own RDP certificate, which Carol's machine does not trust; it is expected in this lab. The FortiGate has already verified the client certificate and ZTNA tags before forwarding the TCP session, so the RDP session to the corporate server opens through the authenticated ZTNA connection.

8. Close the RDP session.

4.3. On-Net-Worker

Background

AcmeCorp is planning to deploy a ZTNA IP/MAC filtering mode, utilizing ZTNA tags to manage access between on-net
employee devices and an internal web server. This mode operates independently of the access proxy, relying solely on ZTNA
tags for access control.

In this section, the focus will be on configuring ZTNA for on-net devices.

4.3.1. Test User Access without ZTNA

Background

In this exercise you will test what user Alice has access to before configuring and applying ZTNA tags.

Tasks

1. From the Lab Activity: ZTNA tab, access Alice machine using the RDP option.

2. Open Chrome and browse to ACMECorp Sales Website and ACMECorp Finance Website, Alice should have access to
both.

3. Close the browser.

4.3.2. Configure IP/MAC Based Access Control Policy

Background

Firewall policies can be configured that use ZTNA tags to control access between on-net devices and an internal web server.
This mode does not require the use of the access proxy and only uses ZTNA tags for access control.

Tasks

Configure Zero Trust Tagging Rule

1. On FortiClient EMS, click Zero Trust Tags > Zero Trust Tagging Rules.

2. Click +Add and use the following information.

Name: Sales
Tag Endpoint As : Sales_User_Tag (Press ENTER to save the tag)

3. Click +Add Rule and use the following information:

OS: Windows
Rule Type: User in AD Group
AD Group: Users/Sales

4. Click Save

5. Click Save

Configure IP/MAC Based Access Control Firewall Policy

1. From the Lab Activity tab, access FGT-ISFW using the HTTPS option:

Username: admin Password: Fortinet1!

2. Click Policy & Objects > Firewall Policy and click Cancel for the new layout notification.

3. Expand User Network-1 > EDGE_ISFW Network (port4) policy section.

4. Click & Edit To-Finance-Website firewall policy.

5. Click the Security posture tag field and choose IP TAG Finance_User_Tag.

6. Click Close

7. Click OK.

8. Click & Edit To-Sales-Website firewall policy.

9. Click the Security posture tag field and choose IP TAG Sales_User_Tag.

10. Click Close

11. Click OK.

4.3.3. Demonstrate Dynamic Access Control

Background

Alice initially had access to both Finance and Sales websites. Let’s see what access Alice has in the network after applying
ZTNA tags.

Tasks

Verify Dynamic Access with Alice part of Sales Group

1. On Alice machine, open FortiClient console.

2. Click Zero Trust Telemetry.

3. Enter Server address 172.16.100.125 and click Connect then click Accept for certificate warning.

4. Click Alice avatar and see the Zero Trust Tag assigned to Alice machine.

Note: Wait 1-2 minutes if the ZTNA tag does not appear right away. The screenshot shows only Sales_User_Tag; other tags from earlier exercises may also be present depending on the order in which you did the use cases. Also note that this endpoint is marked as On-fabric.

5. Close FortiClient console.

6. Open Chrom and browse to the ACMECorp Sales Website bookmarked page.

7. On chrome browse to the ACMECorp Finance Website bookmarked page.

8. Close the browser.

Note: Alice was able to browse to the Sales website because she is a member of the Sales AD group and her endpoint is tagged with Sales_User_Tag. Alice could not access the Finance website because she is not a member of the Finance group and therefore does not carry Finance_User_Tag.

5. Traditional VPN and ZTNA
Background

In this section, you will cover two main topics: Traditional VPN and ZTNA over VPN.

In the Traditional VPN section, you will dive into AcmeCorp's utilization of Traditional VPN technology to facilitate secure
access for remote users.

In the ZTNA over VPN section, you will see how AcmeCorp takes the next step by transitioning to ZTNA technology, granting access on the principle of least privilege. This transition strengthens AcmeCorp's security posture, reduces the attack surface, improves the user experience, and supports compliance with data protection regulations.

5.1. FortiClient IPsec VPN

Background

Securing remote access to network resources is a critical part of security operations. AcmeCorp has long relied on Fortinet's
Virtual Private Network (VPN) technology to provide a secure way for employees to remotely access the company's network.
For example, an employee traveling or working at home can use a VPN to securely access the office network through the
Internet.

Fortinet offers VPN capabilities in the FortiGate Unified Threat Management (UTM) appliance and in the FortiClient Endpoint
Security suite of applications.

In this section, you will configure VPN functionality on the FortiGate-EDGE unit within the AcmeCorp enterprise. Additionally,
you will deploy FortiClient software on remote user computers to establish secure connections to private resources.
Furthermore, we will implement and enforce UTM security inspections on these remote user connections, enhancing the
overall security posture of AcmeCorp's network infrastructure.

5.1.1. Configure RADIUS Remote User Group

Background

You will configure FGT-Edge to use FortiAuthenticator as a RADIUS server for authenticating IPsec VPN users.

Tasks

Configure RADIUS Server on FortiGate

1. From the Lab Activity: ZTNA tab, access FGT-Edge using the HTTPS option

Username: admin Password: Fortinet1!

2. On the FGT-Edge, click User & Authentication > RADIUS Servers > Create New and use the following information:

Name: FAC_Server

Primary Server IP/Name: 172.16.100.129

Secret: Fortinet1!

3. Click Test Connectivity to make sure it returns Connection Successful.

4. Click OK

Configure Remote User Group

1. On FGT-Edge, click User & Authentication > User Groups > Create New and use the following information:

Name: IPsec_VPN_Users

Type: Firewall

2. Under Remote Groups, click Add

Remote Server: FAC_Server

Groups: Any (Leave it set to default)

3. Click OK

4. Click OK

5.1.2. Configure IPsec VPN

Background

In this objective, you will configure IPsec dial up VPN on FGT-Edge (HQ) with FortiClient as a dial up client.

Tasks

Configure IPsec Dialup VPN

1. On FGT-EDGE, click VPN > IPsec Wizard.

2. Use the following information:

Name: Remote Workers

Template Type: Remote Access

Remote Device Type: Client-based/FortiClient

3. Click Next.

4. Use the following Authentication settings:

Incoming Interface: ISP1(port6)

Authentication Method: Pre-shared key

Pre-shared key: Fortinet1!

User group: IPsec_VPN_Users

Note: IPsec_VPN_Users is the RADIUS user group configured earlier.

5. Click Next.

6. Use the following Policy & Routing settings:

Local Interface: LAN

Local Address: DC_Network

Client Address Range: 10.10.10.1-10.10.10.10

Leave Subnet Mask, DNS Server, Enable IPv4 Split Tunnel and Allow Endpoint Registration settings set to
default.

Note: By default, IPv4 Split Tunnel is enabled. In this configuration, remote users securely reach the HQ internal network through FGT-EDGE, while their Internet traffic leaves the client directly rather than through the head office; only traffic destined to DC_Network travels through the VPN. The trade-off is that Internet-bound traffic from the remote endpoint is not subject to the FortiGate's UTM inspection.

7. Click Next

8. Use the following Client Options settings:

Save Password: Turn on

Auto Connect: Turn on

Note: When FortiClient is launched, the VPN connection will automatically connect.

Always Up (Keep Alive): Turn on

Note: When selected, the VPN connection is always up, even when no data is being processed. If the connection fails,
keep alive packets sent to the FortiGate will sense when the VPN connection is available and re-connect VPN.

9. Click Next and review the settings. Then click Create.
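
The objects the wizard creates for this template, written out as FortiOS CLI so they can be audited or rebuilt by hand. This is an added example, not generated by the lab or by the wizard itself. The RADIUS server, group, interface, address range and policy names come from the lab; the *_range and *_split object names, the IKEv1 aggressive mode with XAuth form, and the omission of explicit proposal lists (firmware defaults) are assumptions based on older FortiClient templates, so compare with show vpn ipsec phase1-interface on your firmware, which may instead have generated IKEv2 with EAP. Note what this design authenticates: one PSK shared by every remote worker identifies the client software, and the user's RADIUS credentials identify the person; nothing yet verifies the device's posture, which is what section 5.2.1 adds.

```fortios
# Added example (not from the lab guide): the configuration behind sections 5.1.1
# and 5.1.2. Object names not given in the lab are assumptions.

# RADIUS server and the group the tunnel authenticates against (5.1.1)
config user radius
    edit "FAC_Server"
        set server "172.16.100.129"
        set secret Fortinet1!
    next
end
config user group
    edit "IPsec_VPN_Users"
        set member "FAC_Server"
    next
end

# Client address pool and the split-tunnel destination list (DC_Network only)
config firewall address
    edit "Remote Workers_range"
        set type iprange
        set start-ip 10.10.10.1
        set end-ip 10.10.10.10
    next
end
config firewall addrgrp
    edit "Remote Workers_split"
        set member "DC_Network"
    next
end

# Dialup phase 1: shared PSK for every client, user identity from RADIUS via XAuth.
# The last three client settings are the wizard's "Client Options" page.
config vpn ipsec phase1-interface
    edit "Remote Workers"
        set type dynamic
        set interface "port6"
        set mode aggressive
        set peertype any
        set net-device disable
        set mode-cfg enable
        set dpd on-idle
        set xauthtype auto
        set authusrgrp "IPsec_VPN_Users"
        set ipv4-start-ip 10.10.10.1
        set ipv4-end-ip 10.10.10.10
        set ipv4-netmask 255.255.255.255
        set ipv4-split-include "Remote Workers_split"
        set save-password enable
        set client-auto-negotiate enable
        set client-keep-alive enable
        set psksecret Fortinet1!
    next
end
config vpn ipsec phase2-interface
    edit "Remote Workers"
        set phase1name "Remote Workers"
    next
end

# Policy from the tunnel interface into the LAN; this is the policy that
# section 5.2.1 later restricts with a ZTNA tag.
config firewall policy
    edit 0
        set name "vpn_Remote Workers_remote_0"
        set srcintf "Remote Workers"
        set dstintf "LAN"
        set srcaddr "Remote Workers_range"
        set dstaddr "DC_Network"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```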

Note: After you create the tunnel, a summary page appears listing the objects which have been added to the FortiGate's
configuration by the wizard. If any of these are wrong, you will have to delete the objects manually, starting with their
dependencies.

Configure VPN on FortiClientEMS

1. On EMS, click Endpoint Profiles > Remote Access.

2. Edit ZTNA-EPP.

3. Under VPN Tunnels, Click + Add Tunnel

4. Select Manual as VPN type

5. Click Next

6. Enter Name: HQ-VPN

7. Select Type: IPsec VPN

8. Enter Remote gateway as 100.65.0.101

9. Select Authentication Method: Pre Shared Key

10. Enter Pre-Shared Key as Fortinet1!

Note: Make sure you have setup the same Pre-Shared Key when configuring the IPSEC VPN on FGT-EDGE

11. Click Save

12. Click Save

5.1.3. Establish Remote Connection

Background

Using FortiClient, remote users can quickly and securely connect to the corporate network.

Tasks

Connect to HQ-VPN

1. On Carol machine, open FortiClient and click Remote Access.

2. Enter Username: Carol Password: Fortinet1!

Note: If the username/password prompt hasn’t shown up, navigate to any other section in FortiClient and then click
Remote Access

3. Click Connect

4. The VPN connection should be up, and the client should be receiving an IP in the range specified (10.10.10.1-10.10.10.10).
FortiClient console will be minimized and can be viewed from the system tray.

Note: VPN configuration has been pushed by the EMS via the endpoint profile configured earlier

5.1.4. Secure Access to Corporate Resources

Background

Once connected, access to remote folders, files, and other network resources is as seamless as being in the office.

Tasks

Access Shared Corporate Resources Securely Over VPN

1. Now that the VPN is up and running, on Carol's machine desktop, open Run App, type the path
\\172.16.100.10\Marketing.

Note: 172.16.100.10 is the IP address of a Windows Server sitting in the HQ office. Since you connect to HQ through a
VPN, you will have access to HQ resources, for example, SMB file shares and shared folders, in the same manner as you
would have while sitting in your cubicle locally in HQ itself.

2. Click OK

3. You can download/upload (copy/paste) the Expense_Report_Feb_2019 on your desktop and work on it from home or any
remote location.

Access Corporate Web Server

1. Open Chrome browser.

2. Click the IPsec Sales Web Server bookmark.

Note: IPSEC Sales Web Server is the sales website located at HQ DC-Network

3. Close the browser

5.2. ZTNA Over VPN

Background

AcmeCorp can benefit from implementing Zero Trust Network Access (ZTNA) over Virtual Private Network (VPN) to enhance
its network security. By combining ZTNA with VPN technology, AcmeCorp can strengthen its security posture by enforcing
strict access control measures based on user identity and device trustworthiness. This approach ensures that only
authorized users and devices can access network resources, reducing the risk of unauthorized access and potential security
breaches. ZTNA over VPN provides AcmeCorp with a scalable, flexible, and centralized security solution that improves
visibility, control, and overall network security resilience.

While ZTNA over VPN tunnels might not fully embody the complete zero-trust vision, they offer a substantial upgrade in
security by implementing granular access controls for applications. Leveraging existing VPN infrastructure and tools makes
this transition easier and more appealing to organizations already familiar with VPNs. It provides a valuable stepping stone,
allowing companies to gradually adopt zero-trust principles and migrate to a full-fledged ZTNA solution in the future.

In this section, you will see how to use ZTNA technology over VPN.

5.2.1. IPsec VPN with ZTNA Tags

Background

In this objective, you will apply a ZTNA tag to the IPsec VPN firewall policy.

Tasks

Edit IPsec VPN Firewall Policy with ZTNA Tag

1. On FGT-EDGE, click Policy & Objects > Firewall Policy.

2. Expand Remote Workers to LAN policy

3. Edit policy vpn_Remote Workers_remote_0

4. For Security posture tag: click + and select (IP TAG) AV_Enabled_Tag

5. Click Close

6. Click OK
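
Both the on-net policies of section 4.3.2 and the VPN policy edited just above use the same mechanism, so one CLI example covers both. This is an added example, not part of the original lab guide: a normal firewall policy gains ztna-status enable plus the tags the source endpoint must carry, and no access proxy is involved. The EMS1_ZTNA_ object name prefix and the policy ids 10, 11 and 12 are assumptions; look the real values up with the show commands first.

```fortios
# Added example (not from the lab guide): ZTNA IP/MAC filtering on regular
# firewall policies, as in 4.3.2 (FGT-ISFW) and 5.2.1 (FGT-EDGE).

# Which tag objects exist on this unit, and the ids of the policies to edit
show firewall address | grep -f ems-tag
show firewall policy | grep -f To-Sales-Website
show firewall policy | grep -f To-Finance-Website

# FGT-ISFW: on-net policies (4.3.2); ids 10 and 11 are placeholders
config firewall policy
    edit 10
        set ztna-status enable
        set ztna-ems-tag "EMS1_ZTNA_Sales_User_Tag"
    next
    edit 11
        set ztna-status enable
        set ztna-ems-tag "EMS1_ZTNA_Finance_User_Tag"
    next
end

# FGT-EDGE: the tunnel policy created by the IPsec wizard (5.2.1); id 12 is a placeholder
config firewall policy
    edit 12
        set ztna-status enable
        set ztna-ems-tag "EMS1_ZTNA_AV_Enabled_Tag"
    next
end

# What the policy really matches on: the IP (and MAC) each tagged endpoint reported
# to EMS. An endpoint that never registered has no entry and is simply denied, and
# an entry disappears as soon as EMS removes the tag, which is the "dynamic" part
# of dynamic access control. For the VPN case the entry must carry the tunnel
# address (10.10.10.x), not the endpoint's home LAN address.
diagnose firewall dynamic list
diagnose endpoint record list
```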

5.2.2. Accessing Resources

Background

In this objective, you will access resources with EMS malware protection disabled and enabled.

Tasks

Disable EMS Malware Protection

1. On EMS, click Endpoint Profiles > Malware Protection.

2. Edit ZTNA-EPP.

3. Toggle Off Antivirus Protection.

Test Policy without Malware Protection Profile

1. From the Lab Activity: ZTNA tab, access Carol's machine using the RDP option:

2. Click on Carol’s avatar to view the Tag, and wait for 1-2 minutes until FortiClient syncs with EMS and AV_Enabled_Tag is
removed.

3. Open chrome web browser and click IPsec Sales Web Server browser bookmark page.

4. You will see the webserver is not reachable. FortiClient does not have the AV_Enabled_Tag as Antivirus protection is not
enabled.

5. Close Chrome.

Enable EMS Malware Protection

1. On EMS, click Endpoint Profiles > Malware Protection.

2. Edit ZTNA-EPP.

3. Toggle ON Antivirus Protection.


4. Click Save

Test Policy with Malware Protection Profile

1. On Carol's machine, open the FortiClient console.

2. Click on Carol’s avatar to view the Tag, and wait for 1-2 minutes until FortiClient syncs with EMS and receives the
AV_Enabled_Tag.

3. Open Chrome web browser and browse to IPsec Sales Web Server bookmark. Carol now should have access to the Sales
website.

Disable IPsec VPN

1. On Carol's machine, open the FortiClient console.

2. Click Remote Access

3. Click Disconnect to disable HQ-VPN

Note: IPsec VPN should be turned off after finishing this objective

6. ZTNA Access to critical asset with FortiPAM
Background

With the recent surge in risks associated with credential leaks, unauthorized access, and challenges in tracking user activity,
AcmeCorp is proactively addressing these concerns. They have opted to deploy FortiPAM, a solution designed to bolster
security within an enterprise network by providing role-based access, robust auditing capabilities, and enhanced security
options.

FortiPAM encompasses a range of functionalities aimed at mitigating security risks related to privileged user activities in an enterprise network: credential vaulting, role-based privileged account access control, an approval workflow, and privileged activity monitoring and recording. By leveraging FortiPAM, AcmeCorp can effectively reduce the likelihood of security breaches stemming from privileged user actions.

Furthermore, FortiPAM offers ZTNA tag-based and protocol-based access control, including for RDP, VNC, and web-based
access. This feature enables AcmeCorp to safeguard critical assets with the utmost level of security, irrespective of the
user's location or method of access.

In this section, we will proceed to configure FortiPAM to cater to Corporate administrators necessitating elevated privileges
for network management tasks.

6.1. FortiPAM Proxy Rule and User Setup

Background

In this lab you will create ZTNA admin tags and you will configure FortiPAM proxy rule.

Note: FortiPAM integration with FortiClient EMS is pre-setup in this lab and Privilege Access Management is pre-enabled in
the FortiClient EMS default system settings.

Tasks

Configure Zero Trust Tagging Rule

1. On FortiClient EMS, click Zero Trust Tags > Zero Trust Tagging Rules.

2. Click +Add and use the following information.


Name: Admin
Tag: Admin_User_Tag (Press ENTER to save the tag).

3. Click +Add Rule and use the following information:


OS: Windows.
Rule Type: User in AD Group.
AD Group: Users/Admins.

4. Click Save.

5. Click Save.

Setup FortiPAM Proxy Rule

Note: This part of the configuration will be done by connecting to FortiPAM from the Lab Activity page using the
FortiPAM management IP address. All FortiPAM configuration after this section will be performed by connecting to
FortiPAM proxy rule address using Bob's machine browser.

1. From the Lab Activity main menu, click FortiPAM then click HTTPS to access it using the following credentials:

Username: admin Password: Fortinet1!

2. Click OK on the disclaimer, click the Console icon at the top right, and enter the following commands:

config firewall vip
    edit fortipam_vip
        set extip 172.16.99.153
        set extport 8443
end

3. View the access proxy using the following command:

show firewall access-proxy

config firewall access-proxy
    edit "fortipam_access_proxy"
        set vip "fortipam_vip"    <--- fortipam_vip is the default VIP applied to the default policy; this is the VIP configured in the previous step
        config api-gateway
            edit 1
                set url-map "/pam"
                set service pam-service

4. Close the console, click System > ZTNA.

5. Double click FortiPAM_Default under Proxy Rule.

6. Click >_ Edit in CLI to view the rule.

config firewall policy
    edit 1
        show

config firewall policy
    edit 1
        set type access-proxy
        set uuid 0ec7327e-79a6-51ee-f015-a7135de869d9
        set srcintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set access-proxy "fortipam_access_proxy"    <--- this is the access proxy viewed in step 3 that contains the VIP fortipam_vip
        set groups "SSO_Guest_Users"
        set ssl-ssh-profile "deep-inspection"
    next
end

7. Close the console.

6.2. FortiPAM Folder and Secret Setup

Background

In this exercise, you will configure a FortiPAM user group and user definition, connect FortiClient to EMS to receive the ZTNA tag,
and enable ZTNA control on the FortiPAM proxy rule. You will also configure a FortiPAM folder and secrets; a secret
contains the login method, the credentials, and the target server IP address, and an end user launches the secret to access
the server.

Note: You will access FortiPAM through the proxy rule from Bob's machine and log in to FortiPAM with the admin
credentials. It is recommended to do all FortiPAM configuration by connecting to FortiPAM through the proxy rule address.
In this exercise you will access FortiPAM strictly from the browser on Bob's machine.

Tasks

Setup User Group

1. From the Lab Activity main menu, click Bob then click RDP to access the machine.

2. Open Chrome, browse to the bookmarked FortiPAM page, and log in using

Username: admin Password: Fortinet1!

3. On FortiPAM click User Management > User Groups.

4. Click +Create and configure the following:

Set Name to admin.


Set Type to Remote.
Under Remote Groups click +Create.
Set Remote Server to LDAP, enter admins in the Search field, and press Enter.
Click Admins then click OK.

5. Click OK.

6. Click User Management > User Definition.

7. Click +Create and configure the following:


Select Standard User and click Next.
Select Remote User, select admin and click Next.
Set Username to Bob, click Next three times, then click Submit.

Connect FortiClient to EMS

1. On Bob's machine, open FortiClient, click ZERO TRUST TELEMETRY, enter EMS IP 172.16.100.125 and click Connect.

2. Accept the certificate.

3. On FortiClient, click Bob's avatar to view the Zero Trust Tags. It may take 1-2 minutes for the tag to show up.

Enable ZTNA on Proxy Rule

1. On FortiPAM, click System > ZTNA then click Proxy Rules.

2. Double-click FortiPAM_Default.

3. Toggle on ZTNA Control and select Admin_User_Tag.

Note: Make sure you select Admin_User_Tag under the FCTEMS0000101980-IP section.

4. Click Close.

5. Click OK.

6. Click OK on the ZTNA certificate prompt.
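As an added example (not part of the lab guide and not Fortinet code), the following Python script parses FortiOS-style CLI output like the blocks viewed in exercise 6.1 and audits the chain policy -> access proxy -> VIP, then checks that ZTNA control is on, which is what the steps above enable in the GUI. It assumes the ZTNA Control toggle appears in the CLI as the `ztna-status` and `ztna-ems-tag` keywords, and the sample configuration is constructed for the example.

```python
import shlex
# Constructed sample (not a real capture) modelled on the CLI output viewed in exercise 6.1.
# ztna-status / ztna-ems-tag are assumed to be the CLI form of the GUI "ZTNA Control" toggle.
SAMPLE = """
config firewall vip
    edit "fortipam_vip"
        set extip 172.16.99.153
        set extport 8443
end
config firewall access-proxy
    edit "fortipam_access_proxy"
        set vip "fortipam_vip"
end
config firewall policy
    edit 1
        set type access-proxy
        set access-proxy "fortipam_access_proxy"
        set ztna-status enable
        set ztna-ems-tag "FCTEMS0000101980_Admin_User_Tag"
end
"""

def parse(text):
    # Walk config/edit/set/next/end; keep {table: {entry: {key: values}}} for top-level tables only.
    tables, stack = {}, []  # stack of [table name, current entry]; nested tables are skipped
    for tok in filter(None, (shlex.split(line) for line in text.splitlines())):
        if tok[0] == "config":
            stack.append([" ".join(tok[1:]), None])
        elif tok[0] in ("edit", "next"):
            stack[-1][1] = tok[1] if tok[0] == "edit" else None
        elif tok[0] == "end":
            stack.pop()
        elif tok[0] == "set" and len(stack) == 1 and stack[0][1] is not None:
            tables.setdefault(stack[0][0], {}).setdefault(stack[0][1], {})[tok[1]] = tok[2:]
    return tables

def audit(text, expected=("172.16.99.153", "8443")):
    # Follow policy -> access-proxy -> VIP; report a broken chain or a rule without ZTNA control.
    cfg, findings = parse(text), []
    proxies, vips = cfg.get("firewall access-proxy", {}), cfg.get("firewall vip", {})
    for pid, pol in cfg.get("firewall policy", {}).items():
        if pol.get("type") != ["access-proxy"]:
            continue
        vip = vips.get(proxies.get(pol.get("access-proxy", [""])[0], {}).get("vip", [""])[0], {})
        ext = (vip.get("extip", [""])[0], vip.get("extport", [""])[0])
        if ext != expected:
            findings.append(f"policy {pid}: VIP chain resolves to {ext}, expected {expected}")
        if pol.get("ztna-status") != ["enable"] or not pol.get("ztna-ems-tag"):
            findings.append(f"policy {pid}: ZTNA control off or no EMS tag, not gated by device posture")
    return findings
```

Run `audit()` against the output of `show firewall vip`, `show firewall access-proxy` and `show firewall policy` concatenated; an empty list means the proxy rule reaches the expected VIP and is tag-gated.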

FortiPAM Folder Setup

1. On FortiPAM click Secrets > Public Folder.

2. Click +Create > Folder.

3. Set Name to Admin-Folder.

4. Select Folder Permission.

5. Click +Create in front of Group Permission.

6. Set Groups to admin.

7. Set Folder Permission to Edit.

8. Set Secret Permission to Edit.

9. Click OK then click Submit.

FortiPAM Secret Setup and ZTNA

1. On FortiPAM click Secrets > Secret List.

2. Click + Create and select Admin-Folder then click Create Secret.

3. Set Name to FGT-SSH.

4. Set Template to FortiProduct (SSH Password).

5. Set Host to 172.16.99.254.

6. Set Username to admin.

7. Set Password to Fortinet1!.

8. Set Confirm Password to Fortinet1!.

9. Set Session Recording to Enable.

10. Click Secret Permission.

11. Toggle on ZTNA Control and set Device Tags to FCTEMS0000101980_Admin_User_Tag then click Close.

Note: Make sure you select the tag FCTEMS0000101980_Admin_User_Tag under the IP section.

12. Click Submit.

6.3. Privileged User Access with ZTNA

Background

In this lab you will test admin user Bob's access to FortiGate-DMZ through FortiPAM and view the FortiPAM secret log and video.

Note: You will again use Bob's machine to access FortiPAM, but this time you will log in with Bob's user credentials and test the
FGT-SSH secret set up in the previous exercise for admin user Bob.

Tasks

Test User Access

1. On Bob's machine, where you have FortiPAM open in Chrome, click the dropdown menu at the top right and click Logout.

2. Login to FortiPAM using the following credentials:

Username: Bob Password: Fortinet1!

3. Click Secrets > Secret List.

4. Click FGT-SSH then click Launch Secret.

5. Select PuTTY.

6. Click Accept after the PuTTY session opens.

7. Close the session.

View Secret log and Video

1. On Bob's machine, log out from FortiPAM and log in again using the admin/Fortinet1! credentials in order to view the logs
as the FortiPAM admin.

2. Click Log & Report > Secret.

3. Select Secret Video.

4. Double-click the latest recording to view and play it.

5. Click Log & Report > Secret.

6. Select Secret to view the logs.

7. You can also view ZTNA tags under Log & Report > ZTNA.

7. Conclusion

This concludes the Fast Track workshop lab activity. We hope you found the information provided useful and the user
experience compelling.

In this workshop you have learned how to:

Configure FortiClient Endpoint Management Server (EMS) to extend comprehensive protection to remote users.
Scan for vulnerabilities and patch them to strengthen the organization's security posture using the FortiClient Endpoint
Protection Platform (EPP).
Set up dial-up VPN connections and demonstrate secure access to internal resources.
Implement SAML for enhanced security when accessing resources.
Deploy Zero Trust Network Access (ZTNA) by configuring tags, a ZTNA server, rules, and a full-mode ZTNA policy for context-based
posture checks, ensuring secure application access.
Configure FortiPAM proxy rules and ZTNA to augment security measures.
Showcase user access to FortiGate (FGT) through FortiPAM.
Set up folder and secret access for administrators and IT contract users to manage permissions effectively.

7.1. Continued Education

Now that you've completed The Evolution of Access to Applications with Fortinet ZTNA workshop, here are a few
additional resources and next steps.

For continued learning about Fortinet's ZTNA solution, please consider looking at the following Fortinet NSE training course:

FCSS - Zero Trust Access 7.2 as part of the FCSS Network Security certification

Additional resources and tools can be found at the following locations:

Docs - ZTNA
Docs - 4D Resources ZTNA
