Created on 08-02-2023 10:39 PM. Edited on 01-31-2024 06:11 AM. By Jean-Philippe_P.
This article describes why a firewall policy of ZTNA type may not work as expected.
FortiGate v7.2.5 and v7.4.0, SD-WAN, ZTNA tags, firewall policy of ZTNA type.
Starting with FortiOS 7.2.5 and 7.4.0, a ZTNA Server (VIP) can be used as a destination in a forward firewall policy as described in the document below:
Introduce simplified ZTNA rules within firewall policies.
Additionally, traffic that matches a firewall policy of ZTNA type can be redirected to a proxy policy of ZTNA type with the CLI command 'set ztna-policy-redirect enable', which is also described in the document above.
However, a known issue investigated by Development may be triggered if the external interface configured in the ZTNA Server (access proxy VIP) is a member of an SD-WAN zone.
When this condition is met, traffic fails to match the firewall policy, as illustrated in the example below:
In the 'ZTNA Traffic' logs under 'Log & Report', an entry is recorded showing that no policy was matched.
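As an added example (not part of the Fortinet article), the following Python script audits a FortiOS configuration export for the trigger described above: it parses the 'config system sdwan' members, finds access-proxy VIPs whose 'extintf' is an SD-WAN member, and lists the firewall policies that use such a VIP as a destination. The sample configuration is constructed, and treating a member with no 'set zone' line as belonging to 'virtual-wan-link' is an assumption.

```python
import shlex

# Constructed sample (not from the article): VIP "Colombas" on SD-WAN member port1 is policy 116's destination; "Other" on port2 is unaffected.
SAMPLE_CONFIG = """
config system sdwan
    config members
        edit 1
            set interface "port1"
            set zone "virtual-wan-link"
        next
    end
end
config firewall vip
    edit "Colombas"
        set type access-proxy
        set extintf "port1"
    next
    edit "Other"
        set type access-proxy
        set extintf "port2"
    next
end
config firewall policy
    edit 116
        set dstaddr "Colombas"
    next
end
"""
def parse_fortios(text):
    """Nest config/edit blocks into dicts; each 'set' keeps its values as a list."""
    stack, cur = [], {}
    for tok in (shlex.split(line) for line in text.splitlines()):
        if tok and tok[0] in ("config", "edit"):  # open a block keyed by its name or id
            stack.append(cur)
            cur = cur.setdefault(" ".join(tok[1:]), {})
        elif tok and tok[0] == "set":
            cur[tok[1]] = tok[2:]
        elif tok and tok[0] in ("next", "end"):
            cur = stack.pop()
    return cur  # a balanced config leaves cur at the root
def ztna_vips_in_sdwan_zone(cfg):
    """Access-proxy VIPs whose extintf is an SD-WAN member: the trigger described above."""
    zones = {m["interface"][0]: m.get("zone", ["virtual-wan-link"])[0]  # default zone: assumption
             for m in cfg.get("system sdwan", {}).get("members", {}).values() if "interface" in m}
    return {n: zones[v["extintf"][0]] for n, v in cfg.get("firewall vip", {}).items()
            if v.get("type") == ["access-proxy"] and v.get("extintf", [""])[0] in zones}
def affected_policies(cfg):
    """IDs of firewall policies whose dstaddr references a flagged VIP; these fail to match traffic."""
    flagged = ztna_vips_in_sdwan_zone(cfg)
    return [pid for pid, p in cfg.get("firewall policy", {}).items() if flagged.keys() & set(p.get("dstaddr", []))]
```

Run it against a 'show full-configuration' export saved to a file to list the VIPs and policies to move to a proxy policy before the fix ships.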
Workaround.
Two alternative solutions are available until a permanent fix is released in a future version.
Method 1: Disable the firewall policy that is configured in ZTNA mode and create a proxy policy.
The proxy policy in the example below has the same effect as the firewall policy previously mentioned.
In the 'ZTNA Traffic' logs under 'Log & Report', an entry is recorded showing that the traffic was allowed and a proxy policy was matched.
Method 2: Remove the ZTNA Tag from the firewall policy, enable redirection to the proxy policy, and create a proxy policy.
If desired for administrative purposes, the firewall policy may be kept enabled. The ZTNA tag must be removed from the firewall policy of ZTNA type, but it can be kept in the proxy policy. Policy redirection must be enabled from the CLI with the command below.
config firewall policy
    edit <id>
        set ztna-policy-redirect {enable | disable}
    next
end
From the CLI, the resulting policy looks like this:
config firewall policy
    edit 116
        set name "DC1-ZTNA-SDWAN"
        set uuid 49409ff4-3134-51ee-ef23-1bffec1f25c9
        set srcintf "virtual-wan-link"
        set dstintf "any"
        set action accept
        set srcaddr "all"
        set dstaddr "Colombas"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ztna-policy-redirect enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "Development-AV"
        set ips-sensor "g-default"
        set logtraffic all
    next
end
A similar log entry is recorded, since the proxy policy is the one processing the traffic redirected by the firewall policy.
Copyright 2025 Fortinet, Inc. All Rights Reserved.