BrokenInternet
New Member
March 15, 2026
Question

ZTNA Cross-site Tags

  • March 15, 2026
  • 1 reply
  • 285 views

I have ZTNA set up on a FortiGate. Devices that connect through the ZTNA setup can reach everything they are supposed to on that FortiGate, where the proxy policies use the EMS tags.

I have an IPsec tunnel to another site and can route the proxy traffic to it.

The EMS server is sharing all clients to all connected devices, but I can't use the tags on Site B's firewall policies, because it only sees the client's external IP if I have transparent mode on, or my WAN IP on site A if I don't. Neither of those is an IP the client has a tag for.

I want to maintain a single firewall rule, so that when clients are on site A, the same tags give them access as when they connect through the ZTNA server on site A. On site A it works, because the IP matches what the client has.

Is there any way for the firewall rule on site B to see that this traffic is coming from a client from site A that matches the tag in the firewall rule?

1 reply

AEK
SuperUser
March 16, 2026

You have set "FortiClient Endpoint Sharing" to "Share all FortiClients" for both FGT devices, right?

Which FortiOS, EMS and FortiClient versions are you using?

AEK
BrokenInternet
New Member
March 16, 2026

Yes, it's set to share all FortiClients.

But the IP the client has doesn't match the address that the other firewall sees when connecting through the ZTNA proxy, so it can't match the known clients with the EMS tags set on the rule.

If I disable NAT, it sees my client's public address and can't match that.

If I set an IP pool on the ZTNA server, the client never gets the actual IP; the other firewall just sees that address.

FortiOS 7.6.6, EMS 7.4.5 and FortiClient 7.4.5

AEK
SuperUser
March 16, 2026

I think this is expected behavior. It is not only a matter of IP: since the client is behind a proxy (ZTNA proxy rule), the client's TLS session and/or client certificate is not visible to FGT-B, so FGT-B has no way to distinguish the client.

As a possible solution, I'd use tags for filtering only on the proxy policy on FGT-A, because I don't find it necessary to filter twice using tags.

In case you really need to filter using tags on FGT-B, the idea would be to avoid using a proxy policy on FGT-A, probably by using a VIP and a firewall policy (ZTNA or regular) on FGT-A.

AEK
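The two policy types the thread contrasts, written out as FortiOS CLI. This is an added illustration, not configuration posted by either participant: the policy IDs, interface names, address objects and the tag name `EMS1_ZTNA_Compliant` are assumed, and the EMS tag address-object name follows the FortiOS 7.x `EMS<n>_ZTNA_<tag>` convention, so check it against the dynamic address your own FortiGate created. The proxy policy terminates the client's TLS on FGT-A, so every hop after it sees FGT-A (or the access-proxy IP pool) as the source; the firewall policies with `ztna-status enable` match the endpoint's real IP against what EMS shared and therefore only work where that real IP is what arrives at the policy.

```text
# FGT-A: the existing ZTNA access-proxy policy. FGT-A terminates the client
# TLS session here and originates a new connection to the destination, so
# FGT-B (over the IPsec tunnel) sees FGT-A's address or the proxy IP pool,
# never the endpoint IP that EMS tagged.
config firewall proxy-policy
    edit 1
        set name "ZTNA-proxy-siteA"
        set proxy access-proxy
        set access-proxy "ztna-siteA"
        set srcintf "any"
        set srcaddr "all"
        set dstaddr "siteA-apps" "siteB-apps"
        set ztna-ems-tag "EMS1_ZTNA_Compliant"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end

# FGT-A: on-site endpoints do not pass through the proxy. A regular firewall
# policy with ZTNA IP/MAC access control can use the same tag because FGT-A
# sees the endpoint's own IP, which EMS has shared. No TLS termination and no
# client certificate check happen on this path.
config firewall policy
    edit 10
        set name "siteA-LAN-to-siteB"
        set srcintf "lan"
        set dstintf "ipsec-to-siteB"
        set srcaddr "siteA-lan"
        set dstaddr "siteB-apps"
        set action accept
        set schedule "always"
        set service "ALL"
        set ztna-status enable
        set ztna-ems-tag "EMS1_ZTNA_Compliant"
        set logtraffic all
    next
end

# FGT-B: the same kind of policy on the tunnel interface. It matches only when
# the packet's source IP is one EMS shared for a tagged endpoint, i.e. on-site
# Site A clients arriving over the tunnel without NAT. Proxied ZTNA sessions
# arrive with FGT-A's address and fall through to whatever policy follows.
config firewall policy
    edit 20
        set name "from-siteA-tunnel"
        set srcintf "ipsec-to-siteA"
        set dstintf "lan"
        set srcaddr "siteA-lan"
        set dstaddr "siteB-apps"
        set action accept
        set schedule "always"
        set service "ALL"
        set ztna-status enable
        set ztna-ems-tag "EMS1_ZTNA_Compliant"
    next
end

# Checks on either unit: which endpoint records EMS has shared with it, and
# which IPs the EMS tag dynamic address currently resolves to.
diagnose endpoint record list
diagnose firewall dynamic list
```

If `diagnose firewall dynamic list` on FGT-B lists the client's LAN address under the tag but the session table shows the flow arriving from FGT-A's tunnel or WAN address, the mismatch is the proxy hop itself, not endpoint sharing, which is the distinction AEK draws above.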