SuperUser

Question

Auto-imported ZTNA gateway IP

Forum|Forum|6 months ago
December 3, 2025
2 replies
482 views

Hi EMS admins

FortiEMS 7.4.4, FortiOS 7.4.8.

Knowing that, starting from FortiOS 7.4.x, ZTNA gateway info and 2TNA apps are imported by EMS from FGT automatically.

The issue comes when my FGT is behind NAT, so my FGT WAN interface has a private IP.

So when I configure ZTNA server on my FGT it must have the private IP of the interface, like shown below.

The when imported automatically bu EMS, the gateway IP is the same, and it is pushed to clients as is.

So when off-fabric client's want to access a ZTNA app they us this private IP, which is not possible because they are off-fabric.

(In scenarios where the public IP is on the WAN interface all works fine).

To resolve my issue I had to manually recreate the ZTNA gateway and all ZTNA apps on EMS, which is lot of work to do just because of this IP address, because imported gateway and apps are not editable on EMS.

Do you know any simpler way to resolve it? Like is there a way to keep the auto imported info and just replace the gateway IP by the public one?

Stephen_G

Moderator

Hi AEK,

Thanks for your post - we'll look to get you an answer as soon as we can.

If anyone reading this has any ideas, feel free to contribute!

Stephen_G - Fortinet Community Team

AEKAuthor

SuperUser

Hi Stephen

Thanks for your support!

AEK

funkylicious

SuperUser

Hi AEK,

an idea would be to create 2 different ZTNA servers on the FGT ( with private and public IP as external ) and in EMS assign each one to a specific ZTNA profile ( having one for each situation, on- and off- ) depending if the client would be on-fabric or off-fabric.

"jack of all trades, master of none"

AEKAuthor

SuperUser

Hi funkylicious

Yes I think this workaround should work. However at that point if I have choice I'd still prefer the manual method.

AEK

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded