Troubleshooting Tip: FortiPAM HA status goes out of sync because of the Zero Trust Network Access (ZTNA) tag push from FortiClient EMS to FortiPAM
Description
This article provides details about a known issue where FortiPAM HA status flaps during Zero Trust Network Access (ZTNA) tag propagation from FortiClient EMS to FortiPAM.
Scope
FortiPAM.
Solution
To receive Zero Trust Network Access (ZTNA) tags in FortiPAM, FortiClient EMS has been added to FortiPAM as a Fabric Connector. ZTNA tags are created on FortiClient EMS and pushed to FortiPAM.
When the ZTNA tags are propagated to FortiPAM, the HA cluster starts fluctuating between synchronized and unsynchronized states.
During this period, when the secondary node becomes unsynchronized, certain ZTNA tag fields could be missing or incomplete on the secondary node.
For example, the comment, obj-tag, or tag-type fields might be missing or incomplete on the secondary node, as shown in the output below (compare FPAM-01, the primary, with FPAM-02, the secondary):
FPAM-01 # show firewall address
config firewall address
    edit "ZTNA_TEST_Tag"
        set uuid 9a547006-0822-51f1-3506-74ef9c3e70a0
        set type dynamic
        set sub-type ems-tag
        set comment "TEST_Tag" <----- Missing at secondary when it unsyncs.
        set obj-tag "TEST_Tag" <----- Missing at secondary when it unsyncs.
        set tag-type "zero_trust" <----- Missing at secondary when it unsyncs.
    next

FPAM-02 # show firewall address
config firewall address
    edit "ZTNA_TEST_Tag"
        set uuid 9a547006-0822-51f1-3506-74ef9c3e70a00
        set type dynamic
        set sub-type ems-tag
    next
In short, the ZTNA tag push causes FortiPAM HA instability, resulting in continuous flapping between synchronized and unsynchronized states. This is tracked under ID 1263843 and resolved in FortiPAM v1.9.0.
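To confirm that an HA flap has left ems-tag address objects incomplete on the secondary, an administrator can capture `show firewall address` from both nodes and compare them per object. The script below is an added example written for this article; it is not Fortinet code and not part of FortiPAM. It assumes the output has been saved to text (the two sample outputs embedded here are constructed to mirror the article's, with the trailing "<-----" annotations left in to show they are tolerated) and checks only the three fields the article names: comment, obj-tag and tag-type.

```python
"""Diff `show firewall address` output from two FortiPAM HA nodes and flag
ZTNA (sub-type ems-tag) objects that are missing or incomplete on the secondary.

Added example, not Fortinet code. Input is plain-text CLI output captured
from each node; the samples below are constructed to mirror the article.
"""
from __future__ import annotations

import re

# Fields the article reports as missing on the secondary after an HA unsync.
ZTNA_FIELDS = ("comment", "obj-tag", "tag-type")

EDIT_RE = re.compile(r'^edit\s+"?([^"]+)"?$')
SET_RE = re.compile(r"^set\s+(\S+)\s+(.*)$")


def parse_firewall_address(output: str) -> dict[str, dict[str, str]]:
    """Parse FortiOS-style `config firewall address` output into
    {object_name: {setting: value}}.

    Annotation tails such as '<----- ...' are stripped so pasted KB output
    parses the same as a raw capture. Quotes around values are removed.
    """
    objects: dict[str, dict[str, str]] = {}
    current: str | None = None
    for raw in output.splitlines():
        line = raw.split("<-----")[0].strip()
        if not line:
            continue
        m = EDIT_RE.match(line)
        if m:
            current = m.group(1)
            objects[current] = {}
            continue
        if line in ("next", "end"):
            current = None
            continue
        m = SET_RE.match(line)
        if m and current is not None:
            objects[current][m.group(1)] = m.group(2).strip().strip('"')
    return objects


def find_incomplete_ztna_tags(
    primary: dict[str, dict[str, str]], secondary: dict[str, dict[str, str]]
) -> dict[str, list[str]]:
    """Return {object_name: [problem, ...]} for every ems-tag address on the
    primary that is absent on the secondary, lacks one of ZTNA_FIELDS, or
    carries a different value for one of them. Non-ZTNA objects are ignored.
    """
    problems: dict[str, list[str]] = {}
    for name, attrs in primary.items():
        if attrs.get("sub-type") != "ems-tag":
            continue
        sec = secondary.get(name)
        if sec is None:
            problems[name] = ["object missing on secondary"]
            continue
        issues = [f"{f} missing" for f in ZTNA_FIELDS if f in attrs and f not in sec]
        issues += [
            f"{f} differs" for f in ZTNA_FIELDS
            if f in attrs and f in sec and attrs[f] != sec[f]
        ]
        if issues:
            problems[name] = issues
    return problems


# Constructed sample captures modelled on the article's FPAM-01 / FPAM-02 output.
# The uuid is a placeholder, not a value from a real deployment.
PRIMARY_OUTPUT = """\
config firewall address
    edit "ZTNA_TEST_Tag"
        set uuid 00000000-0000-0000-0000-000000000001
        set type dynamic
        set sub-type ems-tag
        set comment "TEST_Tag" <----- Missing at secondary when it unsyncs.
        set obj-tag "TEST_Tag" <----- Missing at secondary when it unsyncs.
        set tag-type "zero_trust" <----- Missing at secondary when it unsyncs.
    next
    edit "LAN_NET"
        set uuid 00000000-0000-0000-0000-000000000002
        set subnet 10.0.0.0 255.255.255.0
    next
end
"""

SECONDARY_OUTPUT = """\
config firewall address
    edit "ZTNA_TEST_Tag"
        set uuid 00000000-0000-0000-0000-000000000001
        set type dynamic
        set sub-type ems-tag
    next
    edit "LAN_NET"
        set uuid 00000000-0000-0000-0000-000000000002
        set subnet 10.0.0.0 255.255.255.0
    next
end
"""

if __name__ == "__main__":
    report = find_incomplete_ztna_tags(
        parse_firewall_address(PRIMARY_OUTPUT), parse_firewall_address(SECONDARY_OUTPUT)
    )
    for obj, issues in report.items():
        print(f"{obj}: {', '.join(issues)}")
```

Run it against real captures from each node in turn; an empty report means the ems-tag objects match field for field, while a non-empty one on a cluster below v1.9.0 is the symptom this article describes. The static LAN_NET object in the sample is there to show that ordinary address objects are skipped.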
