FortiGate
jfelix09
Staff
Article Id 409856
Description This article describes a common issue, an 'ERR_CONNECTION_CLOSED' error when opening a ZTNA agentless web-based bookmark, on FortiGate devices running version 7.6.1 and later.
Scope FortiGate v7.6.1 and later.
Solution

ZTNA agentless web-based application access allows remote users to reach internal applications without FortiClient or client certificate checks. In this scenario, a web portal bookmark object named 'ZTNA web' was created with a bookmark pointing to an HTTP server at 'http://dc.fortiad.local:80'. This configuration is available only through the FortiGate CLI:

config ztna web-portal-bookmark
    edit "ZTNA web"
        config bookmark
            edit "http-dc"
                set url "http://dc.fortiad.local:80"
            next
        end
    next
end

After client authentication on the ZTNA agentless web portal, users can select 'http-dc' to access the HTTP resource. FortiGate redirects the client to the following address: https://web-portal.fortilab.local:23443/remote/web_service?sessionid=00000000&bmtype=portal&bmgroup=...

However, the connection fails, and the client receives an 'ERR_CONNECTION_CLOSED' error.


Use the following WAD CLI debug commands to gather more information (replace 'x.x.x.x' with the remote client's public IP address):

diagnose debug reset
diagnose wad filter src x.x.x.x
diagnose wad debug category http
diagnose debug enable

  • If the 'ztna web-portal-bookmark' object name contains spaces (for example, 'ZTNA web'), WAD fails with an 'Invalid URL' error while building the HTTP redirect response, and the client receives 'ERR_CONNECTION_CLOSED'. The WAD debug below shows the sequence: the browser sends the name percent-encoded ('ZTNA%20web'), canonicalization decodes it ('changes=4'), and the decoded name with a literal space is then rejected when the redirect URL is built.

 

-------- [wad debugs] --------
[...]
[I][p:2328][s:2443][r:109] wad_dump_http_request :3068 hreq=0x7f860991d048 Received request from client: 10.5.147.84:59825
GET /remote/web_service?sessionid=00000000&bmtype=portal&bmgroup=ZTNA%20web&bmname=http-dc HTTP/2.0
[...]
[I][p:18986][s:4944056][r:1898] wad_http_str_canonicalize         :2468  end=4 path=sessionid=00000000&bmtype=portal&bmgroup=ZTNA web&bmname=http-dc
len=82 changes=4
[...]
[W][p:18986][s:4944056][r:1898] __wad_http_build_redir_resp       :1274  Invalid URL: https://dc.fortiad.local:23443/XX/YY/ZZ/webservice?bmgroup=ZTNA web&bmname=http-dc&cookie=2A308D5E2C6C0F7CBD084A03F7FA89FF
[...]
[E][p:18986][s:4944056] wad_h2_1way_port_read_sync :5494 h2s=0x7f002aa78988,10.5.147.84:58570(10.5.147.84:58570)->10.5.147.78:23443 strm_id=00097,>>,len=00277,headers,flags:END_STRM|END_HDRS|PRIO,exec=invalid/unknown stopped, input_len=0
-------- [wad debugs] --------

 

  • If the 'ztna web-portal-bookmark' object name has no spaces, the web server is reachable through the ZTNA agentless portal. Use the following CLI commands to rename the object (the 'rename' command updates references to it):

config ztna web-portal-bookmark
    rename "ZTNA web" to "ZTNA-web-portal"
end

-------- [wad debugs] --------
[...]
[I][p:18986][s:4964699][r:1955] wad_http_str_canonicalize         :2468  end=4 path=sessionid=00000000&bmtype=portal&bmgroup=ZTNA-web-portal&bmname=http-dc
len=82 changes=0
[...]
[V][p:18986][s:4964699][r:1955] wad_http_req_exec_act             :13589 response is ready!
-------- [wad debugs] --------

 

Avoid spaces in ZTNA web portal and bookmark object names; use '-' or '_' instead. See: Technical Tip: Naming rules and character restrictions
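As an added example (not part of this article and not Fortinet code), the following Python script lints a FortiOS configuration backup for 'config ztna web-portal-bookmark' object names containing characters outside the safe set, and models why a space breaks the redirect: the browser percent-encodes the name, canonicalization decodes it, and the decoded value is no longer a legal URL query component. The parser only handles the flat 'config / edit / next / end' layout shown above, the validity check is a plain RFC 3986 query-character test rather than WAD's internal logic, and the sample configuration is constructed for the demonstration.

```python
"""Lint FortiOS 'config ztna web-portal-bookmark' names and model the failure.

Added example, not Fortinet code. The parser only handles the flat
'config / edit "name" / next / end' layout shown in the article, the
validity check is an RFC 3986 query-character test (not WAD's internal
logic), and SAMPLE_CONFIG is constructed for this demonstration.
"""
import re
from urllib.parse import quote, unquote

# Names the article recommends: letters, digits, '-', '_' and '.'; no spaces.
SAFE_NAME_CHAR = re.compile(r"[A-Za-z0-9._-]")

# RFC 3986 query = *( pchar / "/" / "?" ); pchar = unreserved / pct-encoded
# / sub-delims / ":" / "@".  A literal space is not a legal query character.
QUERY_RE = re.compile(r"^(?:[A-Za-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9A-Fa-f]{2})*$")

# Constructed sample: the object name that fails and the renamed one that works.
SAMPLE_CONFIG = """\
config ztna web-portal-bookmark
    edit "ZTNA web"
        config bookmark
            edit "http-dc"
                set url "http://dc.fortiad.local:80"
            next
        end
    next
    edit "ZTNA-web-portal"
        config bookmark
            edit "http-dc"
                set url "http://dc.fortiad.local:80"
            next
        end
    next
end
"""


def bookmark_group_names(config_text):
    """Return the object names directly under 'config ztna web-portal-bookmark'."""
    names, depth, in_block = [], 0, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_block:
            in_block = line == "config ztna web-portal-bookmark"
            continue
        if line.startswith("config "):          # nested table, e.g. 'config bookmark'
            depth += 1
        elif line == "end":
            if depth == 0:
                break                           # closes the web-portal-bookmark table
            depth -= 1
        elif depth == 0:
            m = re.match(r'edit\s+"?(.+?)"?$', line)
            if m:
                names.append(m.group(1))
    return names


def name_problems(name):
    """Characters in an object name that fall outside the safe set."""
    return sorted({c for c in name if not SAFE_NAME_CHAR.fullmatch(c)})


def redirect_query(bmgroup, bmname, canonicalize=True):
    """Model of the bookmark query string seen in the WAD debug output.

    The browser sends the group name percent-encoded (ZTNA%20web); the
    canonicalize step in the debug ('changes=4') decodes it, and the decoded
    value is reused in the redirect URL.  Simplified model, not WAD's code.
    """
    query = "bmgroup=%s&bmname=%s" % (bmgroup, bmname)
    return unquote(query) if canonicalize else query


def redirect_is_valid(query):
    """True if every character is legal in an RFC 3986 query component."""
    return QUERY_RE.match(query) is not None


def lint(config_text):
    """Map each web-portal-bookmark name to the characters that must be removed."""
    return {name: name_problems(name) for name in bookmark_group_names(config_text)}


if __name__ == "__main__":
    for name, bad in lint(SAMPLE_CONFIG).items():
        query = redirect_query(quote(name), "http-dc")
        verdict = "OK" if redirect_is_valid(query) else "Invalid URL (ERR_CONNECTION_CLOSED)"
        print("%-18s bad chars=%-6r redirect query=%r -> %s" % (name, bad, query, verdict))
```

Run it against a full configuration backup ('show full-configuration' output) to catch offending names before users hit the portal; 'ZTNA web' is reported with a space as the bad character and its modelled redirect query is rejected, while 'ZTNA-web-portal' passes both checks.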

 

Always stop the debugs:

 

diagnose debug reset

 

Related documents:

ZTNA agentless web-based application access (7.6.1)
Technical Tip: How to configure Agentless ZTNA with FortiGate v7.6