cain38
New Member
February 20, 2025
Question

FortiClient ZTNA

  • February 20, 2025
  • 2 replies
  • 1445 views

We recently deployed ZTNA via FortiClient/FortiClient EMS, and we can now access internal resources without connecting to an SSL or IPsec VPN, which is really slick. However, we are interested in being able to access resources behind a site-to-site VPN tunnel that exists on the FortiGate. From what I can tell, this doesn't seem to be possible. Has anyone found a way to get this to work?

2 replies

AEK
SuperUser
February 21, 2025

Yes, it is possible. I remember we achieved it once.

But can you remind me what exactly the problem is?

AEK
AEK
SuperUser
February 21, 2025

As far as I remember, we discovered that the ZTNA traffic was forwarded by the FGT using the mgmt interface's IP address, even though our mgmt interface was link-down (unused).

There was no way to NAT the traffic from the proxy rule (type: ZTNA).

We tried to assign an IP address to the IPsec tunnel, but the FGT still always used the mgmt IP.

We tried to change the mgmt IP to 0.0.0.0 and forced it down; then the FGT used the WAN IP! I can't understand how it is designed.

The only workaround we found was to set the IP address of the mgmt interface to a valid IP address; then, on the other side of the tunnel, we just added a route back towards that IP through the tunnel. And that's it, it worked just fine.

Hope it helps.

AEK
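The workaround described in the reply above, written out as FortiOS CLI. This is an added illustration, not configuration from the original post or from Fortinet documentation; the interface name `mgmt`, the tunnel (phase1-interface) name `to-hq`, and the address 192.0.2.10 are placeholders you would replace with your own values.

```fortios
# ZTNA gateway FortiGate: give the mgmt interface a real, routable address.
# Per the reply above, the ZTNA proxy sources its tunnel-bound traffic from this
# interface's IP, so the address must be one the remote site can route back to.
config system interface
    edit "mgmt"
        set ip 192.0.2.10 255.255.255.0
    next
end

# Remote (site-to-site peer) FortiGate: add a host route for the gateway's mgmt
# address pointing at the IPsec tunnel interface, so replies go back over the
# tunnel rather than being sent out the WAN and dropped.
config router static
    edit 0
        set dst 192.0.2.10 255.255.255.255
        set device "to-hq"
    next
end
```

The route alone is not sufficient: the Phase 2 selectors on both peers and the inbound firewall policy on the remote FortiGate must also cover 192.0.2.10 as a source address, or the packets are discarded before the route matters. A quick way to confirm the source address actually in use is `diagnose sniffer packet any 'host 192.0.2.10' 4` on the remote unit while a ZTNA session is active.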
BJ_Prakash_Ghising
New Member
February 21, 2025

Hi @AEK 

That's the expected behavior. If a tunnel does not have an IP address assigned, it takes the IP address of the interface with the lowest index number.

[screenshot attachment: index.png]

AEK
SuperUser
February 21, 2025

Hi Prakash

But as far as I remember, I already tried to set an IP for the tunnel and it didn't work.

AEK