Technical Tip: Ensure 'client-cert' is enabled when configuring tags in the proxy policy
| Description | This article explains why 'client-cert' must be enabled when configuring tags in the proxy policy. |
| Scope | FortiGate, ZTNA. |
| Solution | When using tags in the proxy policy, make sure to enable the client certificate setting ('client-cert'). If client-cert is disabled, ZTNA users will not match the proxy policy with tags, and access to the ZTNA servers is denied.
Additionally, disabling client-cert prevents Access-Proxy from obtaining the endpoint identification (UUID). Without the UUID, no device-info query will be sent, and without device-info (including tags), the proxy policy configured with EMS tags will not be matched.
config firewall access-proxy |
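One way to check a configuration backup for this condition is sketched below. It is an added example, not Fortinet's code or part of the original article. It assumes the backup uses the usual `config` / `edit` / `set` / `next` / `end` layout, that proxy policies reference the access proxy and EMS tags with `set access-proxy` and `set ztna-ems-tag`, and that a disabled setting appears as `set client-cert disable`. The sample configuration and the function names are constructed for illustration.

```python
import shlex

SAMPLE_CONFIG = '''
config firewall access-proxy
    edit "ztna-web"
        set client-cert disable
        config api-gateway
            edit 1
            next
        end
    next
    edit "ztna-ssh"
        set client-cert enable
    next
end
config firewall proxy-policy
    edit 1
        set access-proxy "ztna-web"
        set ztna-ems-tag "EMS1_ZTNA_Managed"
    next
    edit 2
        set access-proxy "ztna-ssh"
        set ztna-ems-tag "EMS1_ZTNA_Managed"
    next
end
'''  # constructed sample; names, tags and layout are assumptions, not from the page

def parse_table(text, table):
    """{entry: {key: [values]}} for `set` lines directly under `table`; nested sub-tables are skipped."""
    entries, path, cur = {}, [], None
    for raw in text.splitlines():
        tok = shlex.split(raw) or [""]
        if tok[0] == "config":
            path.append(" ".join(tok[1:]))
        elif tok[0] == "end" and path:
            path.pop()
        elif path == [table] and tok[0] == "edit":
            cur = entries.setdefault(tok[1], {})
        elif path == [table] and tok[0] == "set" and cur is not None:
            cur[tok[1]] = tok[2:]
    return entries

def audit(text):
    """(policy id, access proxy, tags) for each tagged policy whose proxy has client-cert disabled."""
    proxies = parse_table(text, "firewall access-proxy")
    return [(pid, ap, pol["ztna-ems-tag"])
            for pid, pol in parse_table(text, "firewall proxy-policy").items()
            for ap in pol.get("access-proxy", [])
            if pol.get("ztna-ems-tag") and proxies.get(ap, {}).get("client-cert") == ["disable"]]
```

Calling `audit()` on the text of a backup returns one tuple per tag-based proxy policy that can never match because its access proxy does not request a client certificate. An entry with no `client-cert` line is not flagged.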
