CarlosColombini
Article Id 240884
Description

This article explains why HTTPS and SSH access to FortiGate via the ZTNA access proxy may stop working after upgrading to FortiOS 7.0.6 or later.

Scope

FortiGate 7.0.6+, FortiClient 7.0.0+

Solution

The ZTNA access proxy could be used to manage FortiGate via HTTPS and SSH in FortiOS versions 7.0.0 through 7.0.5. However, a design change was introduced to support IP pools in ZTNA rules, documented in the Release Notes as New Feature ID 777675:

Support ZTNA access proxy to connect backend services using IP pool and original source IPs

This design change causes access to FortiGate (HTTPS and SSH) via the ZTNA access proxy to stop working, because local services are not allowed to be proxied.

If an HTTPS type of access proxy is used, the replacement message '403 Forbidden: incorrect proxy service' is presented:

[Screenshot: '403 Forbidden: incorrect proxy service' replacement message (CarlosColombini_1-1671996676156.png)]

For FortiClient EMS versions lower than 7.2.1, if a TCP forwarding type of access proxy is used, no replacement message is presented.
Starting with FortiClient EMS 7.2.1, this behaviour is controlled by the 'Notify user on error' option under the 'General' section when the 'Advanced' option is selected.

[Screenshot: ztna-tcp-replacement.png]


If debugging is enabled with the commands below, the following error message is shown:

diagnose wad debug enable all
diagnose debug enable

[p:266][s:639][r:16777282] wad_http_req_policy_set :8928 match pid=266 policy-id=0 vd=0 in_if=3, out_if=0 192.168.101.71:52325 -> 172.16.1.15:4444
[p:266][s:639][r:16777282] __wad_http_build_replmsg_resp :620 Generating replacement message. incorrect service repmsg_id 2
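
WAD debug output is verbose, and the two lines above are easy to miss among hundreds of others. The following Python script is an added example for triaging that output; it is not part of the article or of FortiOS. It parses lines in the layout seen above (`[p:pid][s:session][r:request] function :line message`, an assumption inferred from the two quoted lines), correlates each 'incorrect service' replacement message with the policy-match line of the same session, and reports which client was trying to reach which destination and port. The sample input is constructed: the first two lines reproduce the article's output, the third is a made-up healthy session that the filter should ignore.

```python
import re

# Constructed sample of 'diagnose wad debug enable all' output. The first two
# lines reproduce the article's quoted output; the third is a made-up healthy
# session added so the filter has something to ignore.
SAMPLE_WAD_DEBUG = """\
[p:266][s:639][r:16777282] wad_http_req_policy_set :8928 match pid=266 policy-id=0 vd=0 in_if=3, out_if=0 192.168.101.71:52325 -> 172.16.1.15:4444
[p:266][s:639][r:16777282] __wad_http_build_replmsg_resp :620 Generating replacement message. incorrect service repmsg_id 2
[p:266][s:640][r:16777283] wad_http_req_policy_set :8931 match pid=266 policy-id=3 vd=0 in_if=3, out_if=5 192.168.101.80:50112 -> 10.10.10.20:443
"""

# Assumed line layout, inferred from the quoted lines:
#   [p:<pid>][s:<session>][r:<request>] <function> :<source line> <message>
LINE_RE = re.compile(
    r"^\[p:(?P<pid>\d+)\]\[s:(?P<sid>\d+)\]\[r:(?P<rid>\d+)\]\s+"
    r"(?P<func>\S+)\s+:(?P<lineno>\d+)\s+(?P<msg>.*)$"
)
# Policy match line: which firewall policy matched and the client -> server flow.
FLOW_RE = re.compile(
    r"policy-id=(?P<policy>\d+).*?"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)"
)
# The signature this article is about: WAD refusing to proxy a local service.
REPMSG_RE = re.compile(r"incorrect service repmsg_id (?P<id>\d+)")


def parse_wad_lines(text):
    """Yield a dict of fields for every line matching LINE_RE; skip the rest."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.groupdict()


def find_incorrect_service_sessions(text):
    """Correlate each 'incorrect service' replacement message with the
    policy-match line of the same WAD session, keyed on (pid, sid).

    Returns one finding per affected session with the flow details a
    troubleshooter needs: which client hit which destination and port.
    """
    flows = {}       # (pid, sid) -> fields from the wad_http_req_policy_set line
    findings = []
    for ev in parse_wad_lines(text):
        key = (ev["pid"], ev["sid"])
        flow = FLOW_RE.search(ev["msg"])
        if flow:
            flows[key] = flow.groupdict()
            continue
        rep = REPMSG_RE.search(ev["msg"])
        if rep:
            f = flows.get(key)      # None if the policy line was not captured
            findings.append({
                "pid": int(ev["pid"]),
                "sid": int(ev["sid"]),
                "repmsg_id": int(rep["id"]),
                "policy_id": int(f["policy"]) if f else None,
                "src": f["src"] if f else None,
                "dst": f["dst"] if f else None,
                "dport": int(f["dport"]) if f else None,
            })
    return findings


def format_finding(f):
    """One-line summary suitable for pasting into a ticket."""
    return (f"session {f['pid']}/{f['sid']}: {f['src']} -> {f['dst']}:{f['dport']} "
            f"(policy-id {f['policy_id']}) refused: incorrect proxy service "
            f"(repmsg_id {f['repmsg_id']})")


if __name__ == "__main__":
    for finding in find_incorrect_service_sessions(SAMPLE_WAD_DEBUG):
        print(format_finding(finding))
```

Run it against a saved capture of the debug output (redirect the CLI session to a file and pass its contents to `find_incorrect_service_sessions`). A destination that is one of the FortiGate's own interface addresses on the HTTPS or SSH port, paired with this replacement message, is exactly the symptom the article describes; a destination that is a genuine backend server points at a different misconfiguration.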

Related articles:

ZTNA HTTPS access proxy example
ZTNA TCP forwarding access proxy example