Great, just pointing out: at 12:02, you should say "open a PuTTY session and enter 192.168.1.60 port 822", not 192.168.20.111 port 22, as per my understanding. Many thanks
@abdallahrukab you're right, my bad. Thanks for the feedback.
If you're interested in ZTNA course check out tkcybersec.net
Great work!
@colinarmstrong5970 Thanks
@colinarmstrong5970 Thanks, if you're interested in a ZTNA course check out
tkcybersec.net
Thanks buddy
Thank you!! Very nice tutorial.
I need an RDP connection to a Windows server. Is this also possible?
@TheMeteorra89 no problem, happy it helped. Yes, you can use TCP Forwarding for RDP.
If you're interested in the full ZTNA course check out
tkcybersec.thinkific.com/courses/ZTNA
Hi. Thanks for sharing. I did it the same way but I'm getting an internal connection error when doing RDP. Forti tech suggested using a proxy policy instead of a normal firewall policy with ZTNA enabled.
Hi. If I follow this logic I can have server mappings only if the port is not used in the FG. Can I have one proxy on port 10443, for example, which has a server mapping on a whole net, 10.0.0.0/8 for example, on TCP forwarding on all ports? How can I add a whole net in ZTNA destinations? Thanks!
Hi, if port number 10443 is not being used by any other service you can use it, and as far as I know you can map one IP to multiple HTTP/HTTPS servers; you can check out this article
community.fortinet.com/t5/FortiGate/Technical-Tip-Accessing-multiple-web-servers-hosted-via-single/ta-p/259586
Also wanted to share my recent website and video courses currently on great promotion
tkcybersec.net/
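A worked FortiOS CLI sketch of the setup the last few comments discuss: one access-proxy VIP listening on TCP/10443, a TCP-forwarding API gateway with one server mapping per internal host (RDP and SSH), and the ZTNA rule written as a proxy-policy rather than a regular firewall policy, as the TAC advice above suggests. This is an added example, not the video author's or Fortinet's own configuration. The object names, the 203.0.113.10 public IP, the internal host 192.168.1.61, the EMS tag name, and the 7.0-style realservers syntax (`set address` plus `set mappedport`) are assumptions; check them against the CLI reference for the FortiOS version you run before pasting.

```fortios
# Constructed address objects for the internal hosts (assumed names/IPs)
config firewall address
    edit "rdp-server"
        set subnet 192.168.1.60 255.255.255.255
    next
    edit "ssh-server"
        set subnet 192.168.1.61 255.255.255.255
    next
end

# One ZTNA VIP on 10443: the port must not be used by any other FortiGate service
config firewall vip
    edit "ztna-tcp-vip"
        set type access-proxy
        set extip 203.0.113.10          # assumed public IP (documentation range)
        set extintf "wan1"
        set server-type https
        set extport 10443               # above 1024, unlike 822 in the video
        set ssl-certificate "Fortinet_Factory"
    next
end

# TCP forwarding gateway: a single proxy carrying several server mappings
config firewall access-proxy
    edit "ztna-tcp-proxy"
        set vip "ztna-tcp-vip"
        set client-cert enable          # require the FortiClient device certificate
        config api-gateway
            edit 1
                set url-map "/tcp"
                set service tcp-forwarding
                config realservers
                    edit 1
                        set address "rdp-server"
                        set mappedport 3389
                    next
                    edit 2
                        set address "ssh-server"
                        set mappedport 22
                    next
                end
            next
        end
    next
end

# The ZTNA rule is a proxy-policy, not a regular firewall policy
config firewall proxy-policy
    edit 1
        set name "ztna-tcp-forwarding"
        set proxy access-proxy
        set access-proxy "ztna-tcp-proxy"
        set srcintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set ztna-ems-tag "EMS1_ZTNA_all_registered_clients"   # assumed EMS tag name
        set action accept
        set schedule "always"
        set logtraffic all
    next
end
```

With this in place, the remote FortiClient's ZTNA destination rule points at 203.0.113.10:10443 as the proxy gateway and at the internal host (192.168.1.60:3389 or 192.168.1.61:22) as the destination; only hosts listed under `realservers` are reachable, and only by endpoints carrying the EMS tag referenced in the proxy-policy.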
Is it possible to do SMB through the ZTNA? So far I've been unsuccessful in getting it to work.
I haven't tried this scenario but came across this document
docs.fortinet.com/document/fortigate/7.4.1/administration-guide/553746/ztna-access-proxy-with-kdc-to-access-shared-drives
can MFA be applied on above use cases like RDP/SSH?
Hi, apologies for the late reply
-> you could do form-based authentication (basic does not support two-factor authentication)
-> you might have to enable two-factor authentication in the proxy authentication rule (via CLI)
For example:
docs.fortinet.com/document/fortigate/7.0.0/new-features/591056/ztna-session-based-form-authentication-7-0-4
docs.fortinet.com/document/fortigate/7.0.0/new-features/461532/ztna-proxy-access-with-saml-authentication-example
Also wanted to share my recent website and video courses currently on great promotion
tkcybersec.net/
Does the remote user always have to enter the external IP in order to access internal resources, or is it just one time for installing the certificate?
You will need the remote user to be able to reach the EMS on port 8013, I believe. As far as I know, for remote users to access internal resources they need to hit a publicly accessible IP address, not just one time.
@cybersec3306 correct 💪🏻
Great tutorial btw, just pointing out: you should never use ports below 1024 (822, for example, is reserved for Mac OS X RPC-based services).
Thanks for pointing this out
Hi, I need to integrate ZTNA using 2FA with FortiToken 400.
Do you have any idea?
Found this article that might help
community.fortinet.com/t5/Support-Forum/ZTNA-with-2FA/td-p/215662
@cybersec3306 thanks man