pginete
Staff
October 9, 2025

Troubleshooting Tip: VPN policy with ZTNA tag is not working

Description

This article describes how to fix an SSL VPN or dial-up IPsec VPN firewall policy that uses a ZTNA tag and is not working.

Scope

FortiGate, FortiClient EMS.

Solution

The user cannot access any local resources or the internet after connecting to the SSL VPN or dial-up IPsec VPN. FortiClient cannot connect to the EMS either.

 

SSL VPN or dial-up IPsec VPN policies are using the ZTNA tag.

 

[Image: VPN policies with ZTNA tag]

 

Solution:

  1. Create an SSL VPN or dial-up IPsec VPN policy, without a ZTNA tag, whose destination is the VPN DNS servers (1.1.1.1 and 8.8.8.8).
  2. Create an SSL VPN or dial-up IPsec VPN policy, without a ZTNA tag, whose destination is FortiClient EMS or the FortiClient EMS Cloud FQDN (forticlient-emsproxy.forticloud.com).

Move these firewall policies above the SSL VPN or dial-up IPsec VPN policy with ZTNA tags.
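
To confirm the ordering from a saved configuration, the following added example (not part of the original article and not Fortinet code) parses a `show firewall policy` style excerpt and reports which required destinations have no untagged VPN policy above the first ZTNA-tagged one. It assumes the tag appears in the policy as `set ztna-ems-tag`; the policy IDs, the address object names `VPN-DNS` and `EMS-FQDN`, the tag name and the function names are constructed for illustration.

```python
import re
import shlex

# Constructed excerpt in the style of `show firewall policy` output.
# Policy IDs, names, address objects and the tag name are made up.
SAMPLE = """\
config firewall policy
    edit 12
        set name "vpn-to-dns"
        set srcintf "ssl.root"
        set dstaddr "VPN-DNS"
    next
    edit 10
        set name "vpn-ztna"
        set srcintf "ssl.root"
        set dstaddr "all"
        set ztna-ems-tag "EMS1_ZTNA_Compliant"
    next
    edit 13
        set name "vpn-to-ems"
        set srcintf "ssl.root"
        set dstaddr "EMS-FQDN"
    next
end
"""

def parse_policies(text):
    """Return policies in listed (evaluation) order as {field: [values]} dicts."""
    policies, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"edit (\d+)", line):
            cur = {"id": [m.group(1)]}
        elif line == "next" and cur is not None:
            policies.append(cur)
            cur = None
        elif cur is not None and line.startswith("set "):
            field, *values = shlex.split(line[4:])
            cur[field] = values
    return policies

def missing_above_tagged(policies, vpn_intf, required_dst):
    """Required destinations with no untagged VPN policy above the first tagged one."""
    vpn = [p for p in policies if vpn_intf in p.get("srcintf", [])]
    first_tagged = next((i for i, p in enumerate(vpn) if p.get("ztna-ems-tag")), len(vpn))
    covered = {d for p in vpn[:first_tagged] for d in p.get("dstaddr", [])}
    return [] if "all" in covered else [d for d in required_dst if d not in covered]

if __name__ == "__main__":
    print(missing_above_tagged(parse_policies(SAMPLE), "ssl.root", ["VPN-DNS", "EMS-FQDN"]))
```

In the constructed sample the EMS policy (ID 13) sits below the tagged policy (ID 10), so the check reports `EMS-FQDN` as missing until that policy is moved up.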