Technical Tip: How to get all endpoint IP details to FortiGate by ZTNA Tagging

FortiClient EMS Shares endpoint IP and MAC address to FortiGate by ZTNA Tag. But while listing the endpoint IP and Mac address on the Firewall endpoint default gateway should point to the desired Firewall.

Client default gateway address must be FortiGate or the Client should be connected to FortiGate by VPN tunnel.

Related document:

FortiOS dynamic policies using EMS dynamic endpoint groups 

To see all endpoint details on the FortiGate, switch the following option from EMS: EMS -> Administration -> Fabric Devices -> Edit Fabric Device -> Switch 'FortiClient Endpoint Sharing (for IP/Mac NAC use only)' option to 'Share all FortiClients'.

Fabric Device FortiGate FortiClient Endpoint Sharing

Then navigate to FortiGate -> Policy & Objects ->  ZTNA -> ZTNA Tags and check resolved Addresses for the desired tag.

In the screenshot, the endpoint is not connected to the VPN, and the default Gateway does not point to the FortiGate but the endpoint IP addresses listed under the ZTNA tag.

Endpoint details

Tag details on FortiGate

For checking IP details in CLI:

diagnose firewall dynamic list