esec
Visitor III
September 8, 2022
Question

Forticlient - ZTNA Connection Rules is missing

  • September 8, 2022
  • 8 replies
  • 12507 views

Hi,

I have an issue with a newly configured EMS and FortiClient solution. On the FortiClient we are missing the "ZTNA Connection Rules" tab, and when we configure a ZTNA Destination in EMS it doesn't work or show up in the hosts file. The ZTNA Destination profile also includes to allow personal 

We have also configured the ZTNA Server in the FortiGate, connected it to the fabric and verified licensing ("Zero Trust Access: Included").

The endpoint has a ZTNA Serial Number, endpoint and the ZTNA features are installed.

Has anyone experienced this issue before?

Image of the FortiClient:

esec_1-1662650838394.png

Thanks!

8 replies

amouawad
Staff
September 9, 2022

Just to confirm, do you have the ZTNA profile enabled? It won't show on the endpoints if it's not enabled:

amouawad_1-1662686238098.png

Also confirm that the policy has the correct ZTNA policy configured.

amouawad_0-1662686207264.png

esec (Author)
Visitor III
September 9, 2022

Confirm that both are enabled and configured.

Also verified by downloading the XML that the ZTNA configuration exists:

<ztna>
<enabled>1</enabled>
<allow_personal_rules>1</allow_personal_rules>
<rules>
<rule uid="20E07D74-54B2-4E8C-A2B0-76415D947F22">
<name>App</name>
<!-- remainder of the rule omitted in the original post -->
</rule>
</rules>
</ztna>
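A quick way to check the same thing on an exported FortiClient XML without reading it by hand. This is an added example, not Fortinet's or EMS's code: it only relies on the element names visible in the excerpt above (`ztna`, `enabled`, `allow_personal_rules`, `rules`, `rule uid=...`, `name`); the root element name in the constructed sample is an assumption, which is why the parser searches for `<ztna>` at any depth rather than at a fixed path. It reports the ZTNA flags and the configured rules, and lists findings that would explain, from the XML alone, why no rules reach the endpoint. An export with no findings is consistent with the other causes raised later in the thread (license type, installer feature set, profile visibility), which the XML cannot show.

```python
# Added example (not Fortinet's code): sanity-check the ZTNA section of a
# FortiClient configuration XML exported from EMS.
# Element names used here come from the excerpt in the thread; the root
# element name is an assumption, so <ztna> is located at any depth.
import sys
import xml.etree.ElementTree as ET

# Constructed sample modelled on the poster's excerpt. The rule body after
# <name> is truncated in the original post, so nothing more is assumed.
SAMPLE_XML = """<forticlient_configuration>
  <ztna>
    <enabled>1</enabled>
    <allow_personal_rules>1</allow_personal_rules>
    <rules>
      <rule uid="20E07D74-54B2-4E8C-A2B0-76415D947F22">
        <name>App</name>
      </rule>
    </rules>
  </ztna>
</forticlient_configuration>
"""


def _flag(element, tag):
    """True when the child <tag> exists and its text is exactly '1'."""
    text = element.findtext(tag)
    return text is not None and text.strip() == "1"


def ztna_status(xml_text):
    """Summarise the <ztna> section and collect findings that would explain
    missing ZTNA rules on the endpoint, as far as the XML itself can tell."""
    root = ET.fromstring(xml_text)
    ztna = root if root.tag == "ztna" else root.find(".//ztna")
    status = {"present": ztna is not None, "enabled": False,
              "allow_personal_rules": False, "rules": [], "findings": []}
    if ztna is None:
        status["findings"].append("no <ztna> element in the export")
        return status

    status["enabled"] = _flag(ztna, "enabled")
    status["allow_personal_rules"] = _flag(ztna, "allow_personal_rules")
    for rule in ztna.iterfind("rules/rule"):
        status["rules"].append({"uid": rule.get("uid", ""),
                                "name": (rule.findtext("name") or "").strip()})

    if not status["enabled"]:
        status["findings"].append("<ztna><enabled> is not 1: profile disabled")
    if not status["rules"]:
        status["findings"].append("no <rule> entries under <ztna><rules>")
    return status


def main(argv):
    # Pass the exported XML path as the first argument; otherwise the
    # constructed sample is checked.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_XML
    status = ztna_status(xml_text)
    print(f"ztna present: {status['present']}, enabled: {status['enabled']}, "
          f"personal rules allowed: {status['allow_personal_rules']}")
    for rule in status["rules"]:
        print(f"  rule {rule['uid']}: {rule['name']}")
    for finding in status["findings"]:
        print(f"  finding: {finding}")
    return 1 if status["findings"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python ztna_check.py exported_config.xml`; a non-zero exit code means the export itself explains the missing tab, a zero exit code means the cause lies outside the XML (EMS license, installer features or profile visibility).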

R_F
Explorer
September 9, 2022

Had a similar issue before. Using FortiEMS 7.0.6, the ZTNA tab is not visible on my endpoint installed with FortiClient. As part of my troubleshooting while waiting for a reply from Fortinet TAC, I downgraded my FortiClient to 7.0.5 and the ZTNA tab was displayed on my endpoint.

Per Fortinet TAC internal research, he mentioned that "EMS 7.0.6 starts checking for ZTNA license to enable ZTNA feature. If you use Fabric Agent license, ZTNA feature will not work."

Part of the issue: I am using a Fabric Agent license and I need to convert my license to ZTNA.

esec (Author)
Visitor III
September 9, 2022

Thanks! That was promising, but unfortunately it didn't work with 7.0.5 :(

The licensing is as below and looks correct to me?

Endpoint Protection & Cloud Sandbox
Enhanced Support
Firmware & General Updates
FortiClient ZTNA Agent
Telephone Support

reconnecting_FTNT
Staff
September 28, 2022

Had this same problem.  In EMS, under Deployment & Installers > FortiClient Installer I had to add the ZTNA Network Access feature at the very bottom of the list.  Saved the installer, downloaded the new installer to the client, ran, rebooted and it showed up.

reconnecting_FTNT_0-1664378264936.png

minusnine
New Member
November 8, 2022

I had this same problem with the latest EMS.

If you open your ZTNA Destinations Profile - Select Advanced and you'll see the following "EYE" icon - this sets whether the tab is visible in the client.

minusnine_0-1667908316936.png

R_F
Explorer
November 9, 2022

Would you mind raising a ticket to TAC for further investigation?

funkylicious
SuperUser
February 15, 2023

Hi,
I'm running a trial EMS 7.0.7 in my lab and had the same issue: in FortiClient 7.0.6 - 7.0.7 the ZTNA Connection Rules were not visible. Installed 7.0.5 and they appeared.

After that, I tried converting my EMS license in the portal and re-synced the EMS with the FortiCloud account (or you can import the newly generated license file), installed FCT 7.0.7, and ZTNA Destination appeared.

"jack of all trades, master of none"
sklotz
Explorer
October 10, 2023

Just for your reference, same issue here with version 7.0.9.
I can at least confirm the above-mentioned behavior change starting with version 7.0.6, because by downgrading to version 7.0.5 the ZTNA Connection Rules are displayed in FortiClient correctly. But it's still not working here as well.

But I can now see traffic hitting the FortiADC (yes, we are not working with a FortiGate in our PoC). With version 7.0.9 nothing was hitting the FortiADC, so it's really not only not visible in FortiClient, but definitely not working.

In Wireshark this looks like this:

Wireshark_ZTNA.jpg

UPDATE:

Traffic is also visible on the serverside of the ADC, but here RDP-server is resetting the connection:

ZTNA_RDP_serverside.jpg

Any further ideas?

Thank you!

Regards Stefan :)

vietleanz_FTNT
Staff
August 14, 2024

If the ZTNA Destinations Profile is enabled but the Eye icon is blurred, try disabling the profile and enabling it again to see a clear Eye icon; it should work as long as the ZTNA license is valid.