ZTNA Tags IP/MAC are empty

I'm sure I mistaken somewhere.... But what is the correct way to sync/send IP and MAC address in tags to my FortiGate.

By default the EMS doesn't send ZTNA tags for devices that are off-net. You have two options here.

1. If the device is on the network then you can create on-net rules to trigger the device to be on-net status which will update the ZTNA tags.

2. You can configure EMS to send IPs for devices that are off-net. Edit the FGT in EMS (Administration > Fabric Devices) and uncheck "Filter tag IPs from specific FortiGates". The EMS will now send off-net IP addresses to the FGT. This is generally not recommended as you may get alot of off-net IP addresses for devices that are not on the network.

Hello,

I can't see option "Filter tag IPs from specific FortiGates" but here is what I share from EMS : 

It's really strange because all seems to work fine but my tags stay empty on my fortigate... 

Do you have another suggestion ? Thanks

I tried to configure an "on-net" rule but same behaviour... My tags stay empty and it drives me crazy :-)....

Maybe one important information. The FortiGate where tags are sync is not my primary default gateway. It's maybe why IP/Mac are not sync correctly. 

What I tried to do is to sync ZNAT Tags from remote client (trough VPN) : 

Remote Client -> VPN -> FortiGate (VPN, ZNAT Tags) -> Netowork (EMS, Server1, Server2, ...)

1) Is it possible to "sync" remote client IP in ZNAT trought VPN ? 

2) Is it possible to use Firewall policies based on ZNAT Tags and IP ? 

It's strange because when my device is connected trough VPN, I can see some informations in my FortiGate but not all, and my device is seen as offline...

IP Address = 192.168.0.1
MAC Address = 00:00:00:00:00:00
MAC list =
VDOM = root (0)
EMS serial number:
Client cert SN:
Public IP address: 0.0.0.0
Quarantined: no
Online status: offline
Registration status: not registered
On-net status: off-net

Thanks

After some search and as I can see, the forticlient muts be connected (as default gw) to the fortigate. So it's mybe why tags are not correct. But, why when I'm connected trough my VPN my tags are not updated ?

So after a lot of search, the "sync" problem appears only when my devices are connected trought VPN. 

So how can I sync tags and devices when they are connected trough VPN tunnel ? 

What type of VPN are you using to connect the clients? I've just tested connecting through an SSLVPN and can confirm that the tags get populated on the EMS/FGT.

Below you can see the 'linux' ZTNA tag being populated with the IP address of 10.212.134.200 which is the IP address of the client when it connects via SSLVPN:

Linux ZTNA tag on FGT populated with the SSLVPN IP addressFortiClient with Linux ZTNA tag and SSLVPN IP address

FYI in my setup I'm using the following versions:

FGT: 7.0.5

EMS: 7.0.3

FCT: 7.0.3

I tried with IPSec VPN tunnel in my case. Effectively it seems to work with SSL but why not with IPSec ?

Thanks

For the sake of complete testing, the above test was done on a FCT that was On-Net/On-Fabric. I've tested with the device Off-Net/Off-Fabric and can confirm that the IP addresses still get updated correctly.

FCT Off-Net, connecting via SSLVPN