Hello, we have been using ZTNA for some time and there are still some things that seem impractical to me, so I decided to ask here, as perhaps there is something I am doing wrong and it can be done a different way :-)
TL;DR version: ZTNA does not allow me to give user A access to one server on port 443 only, and user B access to the same server on ports 443 and 22, unless I make a specific endpoint policy for each user or service combination, is that correct?
Full version:
We have multiple users accessing multiple different services, i.e.:
- user1: service1
- user2: service1, service2
- user3: service2, service3
etc.
Each service is usually one FQDN and one or more ports.
In order to split the service access between users, I have created AD groups linked to security posture tags. So:
- user1 is in group service1, which gives him the service1 security tag
- user2 is in groups service1 and service2, which gives him the service1 and service2 security tags
etc.
Now, to assign access via specific security tags, I need a ZTNA firewall rule for each security tag, and this rule needs to have exactly one ZTNA server as its destination.
This means I need one ZTNA server for each service. Each ZTNA server needs a unique external IP/external port combination. Here I understand I could pool multiple services into one ZTNA server, which is absolutely possible, but then I lose the ability to split user access to those services via firewall rules, as it becomes one destination.
Problem 1
The necessity of a unique external IP/port combination for each service gets problematic, as IPv4 addresses are kind of expensive, so usually it will be one IP and multiple ports, but this can get problematic when a user tries to use ZTNA from some kind of restricted network which allows only ports 80, 443, etc.
I could use IPv6 (it looks like it is possible in FOS 7.6.6) with many IPs and the same port on each, but... as much as I like IPv6, it is unfortunately often not reachable from hotel networks, many corporate networks, some mobile provider networks, many small ISP home networks... the state is not great.
Some people on the internet say you can assign the same IP/port combo to multiple ZTNA servers and it will somehow sort itself out. I have tried; it does not work.
Now to assign the ZTNA destination to users!
The FCEMS ZTNA application catalog gets auto-populated from the FG, so I just need to create a "ZTNA Destinations" set, but... each set can be assigned only using an endpoint policy.
So I would create multiple ZTNA destination sets, one for each application, and assign the destination set to each user based on his group membership or security tag. But I could not find a way to do it like this: as the ZTNA destinations can only be assigned by policy, and there can be only one policy per computer at one time, I get into an "all or nothing" situation.
Problem 2
Assigning specific ZTNA destinations to specific user groups would require a matrix of policies for each possible service combination, which is a lot of combinations even with 5 services (or doing it manually for each user by name, which is even worse to manage).
So I am in a situation where I do on-fabric/off-fabric detection and assign ALL ZTNA destinations to off-fabric and NO ZTNA destinations to on-fabric.
Which is a way in itself I guess.
But I would like to, for instance:
Have all users in a given network have access to service1 on port 443
And have only user1 and user2 have access to the same service on ports 443 and 22.
(and similarly with service2, service3, etc.)
I cannot allow users 1 and 2 access on port 22, because ZTNA takes away their ability to connect on the "open" port 443. Such a setting would require having all service and port combinations specified in the endpoint policy.
Possible solution: only enable ZTNA when needing to access the "protected" ports and disable it otherwise, which is kind of annoying to users.
Am I correct on those points? Or is there something I am missing?
Thank you :-)
Martin
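As an added illustration (not part of Martin's post, and not a Fortinet-supplied configuration), here is what the one-ZTNA-server-per-service layout he describes looks like in FortiOS CLI terms. It assumes FortiOS 7.x-style syntax from memory, an external interface `port1`, a single public IP `203.0.113.10` with service1 on port 443 and service2 on port 8443, backend hosts `10.10.0.11` (service1, HTTPS) and `10.10.0.12` (service2, SSH via TCP forwarding), and EMS tags named `EMS1_ZTNA_service1` and `EMS1_ZTNA_service2`. All of those names, addresses and tag names are placeholders; check the exact option names against the FortiOS version in use before relying on them.

```text
# Added example, not from the original post. FortiOS 7.x-style CLI as assumed;
# interface, IPs, hostnames and EMS tag names are placeholders.

# One ZTNA server (access-proxy VIP) per service. Each needs its own
# extip/extport pair, so with one public IP the ports multiply.
config firewall vip
    edit "ZTNA-service1"
        set type access-proxy
        set extintf "port1"
        set extip 203.0.113.10
        set extport 443
        set server-type https
        set ssl-certificate "Fortinet_Factory"
    next
    edit "ZTNA-service2"
        set type access-proxy
        set extintf "port1"
        set extip 203.0.113.10
        set extport 8443
        set server-type https
        set ssl-certificate "Fortinet_Factory"
    next
end

# Backend mapping for each ZTNA server: service1 is plain HTTPS,
# service2 is an SSH port exposed through ZTNA TCP forwarding.
config firewall access-proxy
    edit "ZTNA-service1"
        set vip "ZTNA-service1"
        set client-cert enable
        config api-gateway
            edit 1
                set url-map "/"
                set service https
                config realservers
                    edit 1
                        set ip 10.10.0.11
                        set port 443
                    next
                end
            next
        end
    next
    edit "ZTNA-service2"
        set vip "ZTNA-service2"
        set client-cert enable
        config api-gateway
            edit 1
                set url-map "/tcp"
                set service tcp-forwarding
                config realservers
                    edit 1
                        set ip 10.10.0.12
                        set mappedport 22
                    next
                end
            next
        end
    next
end

# ZTNA rules: one per EMS security tag, each pointing at exactly one
# ZTNA server. The tag is the only per-user selector in the rule.
config firewall proxy-policy
    edit 1
        set name "allow-service1"
        set proxy access-proxy
        set access-proxy "ZTNA-service1"
        set srcintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set ztna-ems-tag "EMS1_ZTNA_service1"
        set action accept
    next
    edit 2
        set name "allow-service2"
        set proxy access-proxy
        set access-proxy "ZTNA-service2"
        set srcintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set ztna-ems-tag "EMS1_ZTNA_service2"
        set action accept
    next
end
```

Read against the post: every additional service in this layout is another `extport` on `203.0.113.10`, which is what makes the restricted-network case in Problem 1 bite, and the EMS tag on each proxy policy is attached to a whole ZTNA server rather than to a port on it, which is the coupling that produces the "all or nothing" effect described in Problem 2.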