FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
rmharini
Staff
Article Id 345626
Description: This article explains why 'client-cert' must be enabled on the ZTNA access proxy when EMS tags are used in a proxy policy.
Scope: FortiGate, ZTNA.
Solution

When using tags in a proxy policy, make sure 'client-cert' is enabled on the access proxy. If client-cert is disabled, ZTNA users will not match the proxy policy with tags, and access to the ZTNA servers will be denied.

Additionally, disabling client-cert prevents the access proxy from obtaining the endpoint identification (UUID) from the client certificate. Without the UUID, no device-info query is sent to EMS, and without device-info (including tags), a proxy policy configured with EMS tags will never be matched.

config firewall access-proxy
    edit "name"                 <----- ZTNA server name.
        set client-cert enable  <----- Must be enabled for EMS tag matching.
    next
end
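
As an added example (not part of the original article), the following shows the access proxy and the tag-based proxy policy together, so the dependency between 'client-cert' and 'ztna-ems-tag' is visible in one place. The names "ztna-webserver", "ztna-vip", the real server address 10.0.0.10, the interface port1 and the tag name "EMS1_ZTNA_Low" are constructed placeholders; substitute your own VIP, server and the tag name EMS actually pushes to the FortiGate.

```fortios
# Access proxy (ZTNA server). client-cert must be enabled, otherwise the
# proxy never learns the endpoint UUID and no device-info/tag lookup happens.
config firewall access-proxy
    edit "ztna-webserver"
        set vip "ztna-vip"
        set client-cert enable
        config api-gateway
            edit 1
                set url-map "/"
                set service https
                config realservers
                    edit 1
                        set ip 10.0.0.10
                        set port 443
                    next
                end
            next
        end
    next
end

# Proxy policy that grants access only to endpoints carrying the EMS tag.
# With client-cert disabled above, this policy is skipped and the
# connection falls through to the implicit deny.
config firewall proxy-policy
    edit 1
        set name "ztna-allow-tagged"
        set proxy access-proxy
        set access-proxy "ztna-webserver"
        set srcintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set ztna-ems-tag "EMS1_ZTNA_Low"
        set action accept
    next
end
```

If tagged endpoints are still denied after applying this, verify that 'client-cert' shows as enabled under the access proxy (show firewall access-proxy) before troubleshooting the EMS connector or the tag itself, since a disabled client-cert produces exactly the symptom described in this article.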
