Visitor III

Solved

Fortigate ZTNA Tag added in policy, SSLVPN cannot access local LAN

Forum|Forum|4 years ago
April 7, 2022
3 replies
15585 views

Dear All

I just purchased EMS last week and setup finished, everything seems fine at EMS server. I want to use EMS ZTNA to control SSLVPN user who only match zero trust tag can access lan server. When I added the tag make my SSLVPN cannot access my Local LAN, removed it everything is fine. Any step I am missing or incorrect setup ?

Resolved Address can see my vpn ip

View matched endpoint can see my laptop, but it still show 0 when I move the mouse on it.

Firewall policy added tag - cannot access lan server

Removed tag everything fine

Connection is ok

I can view all zero trust tag at EMS portal

Creat new tag "Test" and fortigate also can show up

Best answer by Debbie_FTNT

To see the tags on the client itself, you have to enable this in the EMS profile for the endpoint under Advanced > System Settings:

But that only makes the tags visible on the endpoint, so you can verify there that it has the tags.

The policy being applied or not is still up to the FortiGate.
If you have all that configuration in place but the issue persists, I would suggest opening a ticket with Technical Support to get some more in-depth assistance, beyond what I can offer in the Forums here.

Debbie_FTNT

Staff & Editor

Hey lamkayiu,

you can use EMS tags on VPN policies.

However, you need to make sure the following is in place:
-> the EMS tag is associated with the tunnel IP, not only the local LAN IP of the client

-> If you have no split-tunneling, the FortiClient must be able to reach EMS through VPN tunnel

I have a functioning setup with the following:

- one policy from VPN to DNS and no tag (client needs to be able to resolve EMS FQDN before reaching EMS)
- one policy from VPN to EMS and no tag (client needs to connect to EMS first through VPN tunnel before getting updated tags)

- one default policy from VPN to local LAN and tags set

If FortiGate does not associate the tunnel IP with the tags (and it can only do that when EMS associates the tags with tunnel IP as well), then no access is possible.

lamkayiuAuthor

Visitor III

Hi Debbie

I had tried both full access and split, same result.

Any capscren for below setup ? I am very new in fortigate.

- one policy from VPN to DNS and no tag (client needs to be able to resolve EMS FQDN before reaching EMS)

VPN to DNS , what is the outgoing interface ?
- one policy from VPN to EMS and no tag (client needs to connect to EMS first through VPN tunnel before getting updated tags)

Same as above, what is the outgoing interface ?

abc

New Member

Are you sure this works. We are trying to do the same thing and having the exact same issue.

I can see the tag has applied fine to the client using the tunnel IP but no traffic is being allowed.

There are polices above this that allow EMS traffic along with dns etc.

I have even tried a generic tag that matches all machines. The machine in question shows up in the list but still can't access resources.

lamkayiuAuthor

Visitor III

Hi

We are still keep trying but still not fix this issue, how about you ?

Debbie_FTNT

Staff & Editor

Some screenshots from my lab:
policies (the third one with VPN tag):

win-server-2016 (10.0.0.200) is hosting the EMS

win-server-2019 (10.0.0.254) is a DNS server (to resolve EMS hostname to EMS IP)

Endpoint and Tag:

traffic through policy 11 (ping from vpn client to 10.0.0.254):

I do have to wait a minute or two for EMS to have the updated client IP after VPN is established; then my VPN client is able to access resources through a policy with tags.

martin28

New Member

Hello,

It is a known bug that forticlient cannot get VPN IP address correctly, we will have to wait for another release to fix this bug.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded