CarlosColombini
Staff & Editor
Article Id 240884
Description

 

This article explains why HTTPS and SSH access to the FortiGate itself through a ZTNA access proxy stops working after an upgrade to FortiOS 7.0.6 or later, how the failure appears to the client and in the WAD debug output, and how to configure a ZTNA server for a real server behind the FortiGate instead.

 

Scope

 

FortiGate 7.0.6+, FortiClient 7.0.0+

 

Solution

 

In FortiOS 7.0.0 through 7.0.5, a ZTNA access proxy could be pointed at the FortiGate itself to manage it over HTTPS and SSH. FortiOS 7.0.6 introduced a design change to support IP pools in ZTNA rules, listed in the release notes as New Feature ID 777675:

Support ZTNA access proxy to connect backend services using IP pool and original source IPs

 

With this change the access proxy always connects to its real server as a separate backend host (using the IP pool or the original client source IP), and the FortiGate's own local services (the HTTPS administrative GUI and SSH) are no longer allowed to be proxied. Management access to the FortiGate through a ZTNA access proxy therefore stops working after the upgrade; this is expected behavior, not a defect to be fixed by reconfiguring the proxy. The real server of a ZTNA server must be a host behind the FortiGate.

 

If an HTTPS type of access proxy is used, the client receives the replacement message '403 Forbidden: incorrect proxy service'.

 


 

If a TCP forwarding type of access proxy is used, the behavior depends on the FortiClient EMS version. With FortiClient EMS versions earlier than 7.2.1, no replacement message is presented: the connection simply fails on the client side.
Starting with FortiClient EMS 7.2.1, whether the user is notified is controlled by the 'Notify user on error' option under the 'General' section of the ZTNA destination settings when the 'Advanced' option is selected.


[Screenshot: FortiClient EMS ZTNA destination, 'Notify user on error' option under General (Advanced view)]

 


On the FortiGate, enabling WAD debugging with the following commands shows the reason for the rejection. Note that the request matches policy-id 0 (no ZTNA rule is applied) and the proxy generates the 'incorrect service' replacement message (repmsg_id 2):

diagnose wad debug enable all
diagnose debug enable

[p:266][s:639][r:16777282] wad_http_req_policy_set :8928 match pid=266 policy-id=0 vd=0 in_if=3, out_if=0 192.168.101.71:52325 -> 172.16.1.15:4444
[p:266][s:639][r:16777282] __wad_http_build_replmsg_resp :620 Generating replacement message. incorrect service repmsg_id 2

Disable debugging afterwards with 'diagnose debug disable' and 'diagnose wad debug clear', since WAD debug output is verbose on a busy unit.

 

How to configure a ZTNA server for an HTTPS access proxy in FortiGate (the real server must be a host behind the FortiGate, not the FortiGate itself):

 

  1. Go to Policy & Objects > ZTNA and select the ZTNA Servers tab.
  2. Select Create New.
  3. Give the server a name (e.g. ZTNA-Server).
  4. Set the network settings (the VIP settings that map the external interface to the real server behind the FortiGate):
    1. External interface: the interface that receives the inbound ZTNA traffic, e.g. port2.
    2. External IP: the IP address clients connect to on that interface, e.g. 100.64.0.1.
    3. External port: the port for the inbound traffic, e.g. 9443.
  5. Add a server mapping:
    1. In the Server mapping table, select Create New.
    2. Set Service to HTTPS.
    3. Set Virtual Host to Any Host. If Virtual Host is set to Specify, only requests for the specified IP address or domain name will match this mapping.
    4. Add a server:
      1. In the Servers table, select Create New.
      2. Set IP to the address of the real server behind the FortiGate, e.g. 10.0.1.20.
      3. Set Port to the port of the real server, e.g. 443.
      4. Select OK.
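The same ZTNA server as it is entered in the FortiGate CLI, with a minimal ZTNA rule that publishes it. This is an added example and not configuration taken from the original article or from Fortinet's own documentation; it reuses the names and addresses from the steps above (port2, 100.64.0.1, port 9443, real server 10.0.1.20:443) and assumes, for illustration only, a server certificate named Fortinet_Factory, an EMS tag named EMS1_ZTNA_Low and a rule named ZTNA-Server-policy.

```fortios
# Added example (not from the original article): ZTNA server for an HTTPS backend.
# The real server below is a host behind the FortiGate. Pointing it at one of the
# FortiGate's own interface addresses (to reach the GUI or SSH) is rejected from
# FortiOS 7.0.6 onward and returns "403 Forbidden: incorrect proxy service".
config firewall vip
    edit "ZTNA-Server"
        set type access-proxy
        set extintf "port2"                      # external interface for inbound ZTNA traffic
        set extip 100.64.0.1                     # address the clients connect to
        set extport 9443                         # external port
        set server-type https
        set ssl-certificate "Fortinet_Factory"   # assumed certificate name
    next
end

config firewall access-proxy
    edit "ZTNA-Server"
        set vip "ZTNA-Server"
        set client-cert enable                   # require the FortiClient device certificate
        config api-gateway
            edit 1
                set url-map "/"
                set service https                # no virtual-host set: "Any Host" in the GUI
                config realservers
                    edit 1
                        set ip 10.0.1.20         # real server behind the FortiGate, not a FortiGate IP
                        set port 443
                    next
                end
            next
        end
    next
end

# Minimal ZTNA rule publishing the server; tag and rule names are assumed.
config firewall proxy-policy
    edit 0
        set name "ZTNA-Server-policy"
        set proxy access-proxy
        set access-proxy "ZTNA-Server"
        set srcintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set ztna-ems-tag "EMS1_ZTNA_Low"
        set action accept
        set logtraffic all
    next
end
```

After entering the configuration, 'show firewall access-proxy ZTNA-Server' displays the resulting object, and a ZTNA request that matches the rule shows a non-zero policy-id in the WAD debug output instead of the policy-id=0 seen in the failing case above.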


 

Related article:

ZTNA HTTPS access proxy example
ZTNA TCP forwarding access proxy example