ekrishnan
Staff
April 28, 2026

Technical Tip: FortiPAM ZTNA access error 'No device tag found'


Description

This article describes the error 'No device tag found' seen when accessing FortiPAM using ZTNA access.

Scope

FortiPAM.

Solution

FortiPAM is configured with ZTNA access, and the error 'No device tag info found.' appears after accepting the certificate prompt shown in the browser.

Configuration on FortiPAM:

config firewall policy
edit 1
set type access-proxy
set name "port1_auto_create_name_2345r"
set srcintf "any"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set access-proxy "fortipam_access_proxy"
set ztna-ems-tag "FCTEMSxxxxxx_Windows 10 or 11" "FCTEMSxxxxxx Software is installed and running" --->The tags are already applied
set groups "Local users"
end


Note: This article does not cover the overall configuration of FortiPAM ZTNA access. Ensure that all the required configuration is in place.

Reference: ZTNA-based FortiPAM access control

Below is an example of the certificate prompt shown in the user's browser, which needs to be accepted:


[Screenshot: certificate prompt in the browser]

After accepting the certificate prompt, the browser shows the error below:

[Screenshot: 'No device tag info found.' error page]

Run the following debug commands on FortiPAM:


diagnose wad debug enable category auth
diagnose wad debug enable category detail
diagnose wad debug enable category http2
diagnose wad debug enable level verbose
diagnose debug enable


Output:


[V]2026-01-22 17:55:33.629052 [p:1655][s:1544649117] wad_http_mstrm_read :1565 hs=0x7f68dbb61b80 mstrm=0x7f68dbb61ba8 is_clt=1 len=1756
[I]2026-01-22 17:55:33.629198 [p:1655][s:1544649117][r:2388719] wad_http_req_proc_policy :11851 ses_ctx:ct|Pvx|M|H|C|A1 fwd_srv=<nil>
[I]2026-01-22 17:55:33.629212 [p:1655][s:1544649117][r:2388719] __wad_http_build_replmsg_resp :823 Generating replacement message. No device tag info found. repmsg_id 77
[V]2026-01-22 17:55:33.629292 [p:1655][s:1544649117][r:2388719] wad_http_msg_start_setup_proc :2171 msg(0x7f68dbd8afb0) proc-setup started from: req_resp_ready.
[V]2026-01-22 17:55:33.629296 [p:1655][s:1544649117][r:2388719] wad_http_def_proc_msg_plan :2133 msg(0x7f68dbd8afb0) setting up processor(req_resp_ready)
[V]2026-01-22 17:55:33.629299 [p:1655][s:1544649117][r:2388719] wad_http_strm_read_body :913 http stream 0x7f68dbb61ba8 body_type=2 body_len=4755
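
As an added example (not part of the original article or of any Fortinet tooling), the following Python script scans saved WAD debug output for replacement-message lines like the one above and ties each one to its session, request ID, and the policy-lookup line logged before it. The line layout is inferred from the output on this page; the function name and the last sample line are constructed for illustration.

```python
import re

# Layout inferred from the debug output on this page (an assumption):
# [LEVEL]timestamp [p:pid][s:session][r:request] function :line message
LINE_RE = re.compile(
    r"^\[(?P<level>[A-Z])\](?P<ts>\S+ \S+) "
    r"\[p:(?P<pid>\d+)\]\[s:(?P<session>\d+)\](?:\[r:(?P<request>\d+)\])? "
    r"(?P<func>\S+) :(?P<line>\d+) (?P<msg>.*)$"
)
# "Generating replacement message. <reason> repmsg_id <n>"
REPLMSG_RE = re.compile(r"Generating replacement message\. (?P<reason>.*?) repmsg_id (?P<id>\d+)")

def find_blocked_requests(text):
    """Return one record per replacement message, with the policy-lookup
    line (wad_http_req_proc_policy) seen earlier for the same session/request."""
    context = {}   # (session, request) -> last policy-lookup message
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue   # skip CLI prompts, blank lines, wrapped output
        key = (m["session"], m["request"])
        if m["func"] == "wad_http_req_proc_policy":
            context[key] = m["msg"]
        r = REPLMSG_RE.search(m["msg"])
        if r:
            findings.append({
                "time": m["ts"], "pid": int(m["pid"]),
                "session": m["session"], "request": m["request"],
                "reason": r["reason"].rstrip("."), "repmsg_id": int(r["id"]),
                "policy_ctx": context.get(key),
            })
    return findings

# Sample input: the first three lines are copied from the output above; the
# fourth is constructed (different session, no replacement message).
SAMPLE = """\
[V]2026-01-22 17:55:33.629052 [p:1655][s:1544649117] wad_http_mstrm_read :1565 hs=0x7f68dbb61b80 mstrm=0x7f68dbb61ba8 is_clt=1 len=1756
[I]2026-01-22 17:55:33.629198 [p:1655][s:1544649117][r:2388719] wad_http_req_proc_policy :11851 ses_ctx:ct|Pvx|M|H|C|A1 fwd_srv=<nil>
[I]2026-01-22 17:55:33.629212 [p:1655][s:1544649117][r:2388719] __wad_http_build_replmsg_resp :823 Generating replacement message. No device tag info found. repmsg_id 77
[V]2026-01-22 17:55:34.000001 [p:1655][s:1000000001] wad_http_mstrm_read :1565 constructed line for another session
"""

if __name__ == "__main__":
    for f in find_blocked_requests(SAMPLE):
        print(f'{f["time"]} session={f["session"]} request={f["request"]} {f["reason"]} (repmsg_id {f["repmsg_id"]})')
```

Running it again on a fresh capture after changing the configuration shows whether requests are still being answered with the same replacement message.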


One of the reasons for this error is that FortiPAM is unable to retrieve tags assigned to endpoints by FortiClient EMS.

The solution is to enable pull-tags on the FortiClient EMS connector in FortiPAM, as shown below:


config endpoint-control fctems
edit FCTEMS
set pull-tags enable
set pull-malware-hash enable
end