This article explains how to troubleshoot a 'ZTNA denied' message in the flow debug while accessing an internal server when no ZTNA server is configured.
FortiGate, FortiSASE, FortiClient EMS, ZTNA.
A ZTNA server may have been configured in the past and its related configuration later removed from the FortiGate GUI. When the same server is afterwards published through a Virtual IP with port forwarding, the traffic fails with 'ZTNA denied' in the flow debug.
Sample flow debug output:
FG-CME-1 # id=65308 trace_id=222 func=print_pkt_detail line=5938 msg="vd-root:0 received a packet(proto=6, 172.17.0.231:49153->x.x.x.x:1515) tun_id=0.0.0.0 from port2. flag [S], seq 3267327961, ack 0, win 64240"
id=65308 trace_id=222 func=init_ip_session_common line=6136 msg="allocate a new session-003424f2"
id=65308 trace_id=222 func=vf_ip_route_input_common line=2612 msg="find a route: flag=80000000 gw-x.x.x.x via root"
id=65308 trace_id=222 func=fw_local_in_handler line=560 msg="ZTNA denied."
id=65308 trace_id=223 func=print_pkt_detail line=5938 msg="vd-root:0 received a packet(proto=6, 172.17.4.95:53573->x.x.x.x:1515) tun_id=0.0.0.0 from port2. flag [S], seq 1703329557, ack 0, win 64240"
id=65308 trace_id=223 func=init_ip_session_common line=6136 msg="allocate a new session-003424f4"
id=65308 trace_id=223 func=vf_ip_route_input_common line=2612 msg="find a route: flag=80000000 gw-x.x.x.x via root"
Here x.x.x.x is the external IP configured in the VIP object.
In the trace, the route found for the external IP uses that same external IP as the gateway and 'root' in place of an egress interface, which is not normal.
The routing table likewise shows the external IP as directly connected to 'root', which indicates that there is no real route for that IP.
The cause is that the ZTNA server configuration still exists on the FortiGate; it is simply hidden from the GUI once the Zero Trust Network Access feature is disabled under System -> Feature Visibility.
A ZTNA server is stored on the FortiGate as a VIP object, so it can be viewed from the CLI under 'config firewall vip'.
Deleting the ZTNA server entry from 'config firewall vip' fixes the issue: the route for the external IP is updated, and the traffic is seen going out via the intended interface with that interface's IP as the gateway.
Note:
To view and delete the ZTNA server details from the GUI instead, enable the Zero Trust Network Access feature under System -> Feature Visibility.
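The check above is easy to do by eye on a small configuration, but on a FortiGate with many VIPs it helps to correlate the flow debug with the VIP table mechanically. The following Python script is an added example, not part of this article or of any Fortinet tool: it parses constructed 'diagnose debug flow' output shaped like the trace above (203.0.113.10 stands in for the external IP x.x.x.x), extracts the destinations that hit 'ZTNA denied.' and the routing anomaly (gateway equal to the destination, via 'root'), then parses constructed 'show firewall vip' output to find ZTNA server entries (VIP type access-proxy, the type FortiOS uses for ZTNA servers) sharing that external IP, and prints the CLI block that would remove them. The VIP names and addresses are invented for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample of `diagnose debug flow` output, shaped like the article's trace.
# Trace 222 reproduces the symptom; trace 223 is a healthy session for contrast.
FLOW_DEBUG = """\
id=65308 trace_id=222 func=print_pkt_detail line=5938 msg="vd-root:0 received a packet(proto=6, 172.17.0.231:49153->203.0.113.10:1515) tun_id=0.0.0.0 from port2. flag [S], seq 3267327961, ack 0, win 64240"
id=65308 trace_id=222 func=init_ip_session_common line=6136 msg="allocate a new session-003424f2"
id=65308 trace_id=222 func=vf_ip_route_input_common line=2612 msg="find a route: flag=80000000 gw-203.0.113.10 via root"
id=65308 trace_id=222 func=fw_local_in_handler line=560 msg="ZTNA denied."
id=65308 trace_id=223 func=print_pkt_detail line=5938 msg="vd-root:0 received a packet(proto=6, 172.17.4.95:53573->198.51.100.7:443) tun_id=0.0.0.0 from port2. flag [S], seq 1703329557, ack 0, win 64240"
id=65308 trace_id=223 func=vf_ip_route_input_common line=2612 msg="find a route: flag=80000000 gw-198.51.100.1 via port1"
"""

# Constructed sample of `show firewall vip` output: the port-forwarding VIP for the
# internal server plus a leftover ZTNA server entry (type access-proxy) on the same
# external IP, which the GUI hides while ZTNA feature visibility is disabled.
SHOW_VIP = """\
config firewall vip
    edit "Internal-Server-VIP"
        set extip 203.0.113.10
        set mappedip "10.10.10.20"
        set extintf "port1"
        set portforward enable
        set extport 1515
        set mappedport 1515
    next
    edit "ZTNA-Server-Old"
        set type access-proxy
        set extip 203.0.113.10
        set extintf "port1"
        set server-type https
        set extport 443
    next
end
"""

PKT_RE = re.compile(r"proto=(\d+), (\d+\.\d+\.\d+\.\d+):(\d+)->(\d+\.\d+\.\d+\.\d+):(\d+)")
ROUTE_RE = re.compile(r'find a route: flag=\w+ gw-([^\s"]+) via ([^\s"]+)')
TRACE_RE = re.compile(r"trace_id=(\d+)")


def parse_flow_debug(text: str) -> Dict[str, dict]:
    """Group flow-debug lines by trace_id and keep destination, chosen route, and
    whether the session ended in 'ZTNA denied.'."""
    traces: Dict[str, dict] = defaultdict(lambda: {"ztna_denied": False})
    for line in text.splitlines():
        m = TRACE_RE.search(line)
        if not m:
            continue
        rec = traces[m.group(1)]
        if pkt := PKT_RE.search(line):
            rec["dst_ip"], rec["dst_port"] = pkt.group(4), int(pkt.group(5))
        if route := ROUTE_RE.search(line):
            rec["gateway"], rec["via"] = route.group(1), route.group(2)
        if 'msg="ZTNA denied."' in line:
            rec["ztna_denied"] = True
    return dict(traces)


def ztna_denied_destinations(text: str) -> List[str]:
    """Destination IPs whose sessions were dropped with 'ZTNA denied.'."""
    return sorted({r["dst_ip"] for r in parse_flow_debug(text).values() if r["ztna_denied"]})


def route_anomalies(text: str) -> List[str]:
    """Destinations routed with themselves as gateway directly via 'root': the
    routing symptom the article describes for the VIP's external IP."""
    return sorted({r["dst_ip"] for r in parse_flow_debug(text).values()
                   if r.get("gateway") == r.get("dst_ip") and r.get("via") == "root"})


def parse_vips(text: str) -> Dict[str, Dict[str, str]]:
    """Parse `show firewall vip` into {name: {setting: value}} (quotes stripped)."""
    vips: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = line[5:].strip().strip('"')
            vips[current] = {}
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            vips[current][key] = value.strip().strip('"')
        elif line == "next":
            current = None
    return vips


def hidden_ztna_vips(vips: Dict[str, Dict[str, str]], extip: str) -> List[str]:
    """Names of ZTNA server entries (VIP type access-proxy) bound to the given external IP."""
    return sorted(name for name, cfg in vips.items()
                  if cfg.get("type") == "access-proxy" and cfg.get("extip") == extip)


def delete_commands(names: List[str]) -> List[str]:
    """FortiOS CLI block that removes the leftover entries; review it before applying."""
    return ["config firewall vip"] + [f'    delete "{n}"' for n in names] + ["end"]


if __name__ == "__main__":
    vips = parse_vips(SHOW_VIP)
    for ip in ztna_denied_destinations(FLOW_DEBUG):
        stale = hidden_ztna_vips(vips, ip)
        flag = " (routed to itself via root)" if ip in route_anomalies(FLOW_DEBUG) else ""
        print(f"{ip}: ZTNA denied{flag}; leftover ZTNA server VIPs: {stale or 'none'}")
        if stale:
            print("\n".join(delete_commands(stale)))
```

Run the script against real output captured from 'diagnose debug flow' and 'show firewall vip' by replacing the two constructed samples; the generated block only lists entries of type access-proxy on the affected external IP, so an ordinary port-forwarding VIP on that IP is never selected for deletion.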
Copyright 2025 Fortinet, Inc. All Rights Reserved.