Description | This article describes how to resolve an issue where ZTNA works for internal/on-net endpoints but not for external/off-net endpoints, because the FortiGate never receives the ZTNA tags of the external endpoints from FortiClient EMS. |
Scope | FortiGate, FortiClient EMS. |
Solution |
In this scenario, the ZTNA tags are synchronized to FortiClient EMS and to the FortiClient endpoints, but they are not synchronized to the FortiGate. Because ZTNA policies on the FortiGate match on these tags, an external endpoint whose tag is missing on the FortiGate does not match the policy even though the endpoint itself is tagged correctly.
On FortiClient EMS, both the internal and the external endpoint are shown with the ZTNA tag 'Windows'.
On the external FortiClient endpoint, the endpoint is also shown with the ZTNA tag 'Windows'.
On the FortiGate, the ZTNA tags are not fully synchronized: only the internal endpoint 10.230.3.17 appears with the ZTNA tag, and the external endpoint is missing.
To resolve the issue, enable 'Share all FortiClients' in FortiClient EMS under Administration -> Fabric Devices. By default, EMS only shares endpoints with the FortiGate that is their gateway, so an external endpoint that reaches EMS without passing through the FortiGate is not shared. With 'Share all FortiClients' enabled, the FortiGate receives ZTNA host tags for all endpoints managed by EMS, regardless of their gateway. Note that this also means the FortiGate receives tags for endpoints that never use it as a gateway, so apply it only on the FortiGates that need to enforce ZTNA for those endpoints.
On FortiClient EMS, go to Administration -> Fabric Devices and select the Edit icon.
On FortiClient Endpoint Sharing, select 'Share all FortiClients' and select Update to save.
On the external endpoint, go to FortiClient -> Zero Trust Telemetry, disconnect from FortiClient EMS, then reconnect to EMS. After the sync, the ZTNA tag for both the internal endpoint 10.230.3.17 and the external endpoint 10.47.17.179 should be synchronized to the FortiGate.
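To confirm the fix without relying on the GUI, compare the FortiGate's dynamic-address list for the tag before and after the resync. The following script is an added example, not part of the original article or of Fortinet's products: it parses text in the shape of FortiGate's `diagnose firewall dynamic list` output (the two samples are constructed, the exact layout and the tag name `EMS1_ZTNA_Windows` are assumptions; confirm them against your own FortiGate) and reports which expected endpoint IPs are still missing under a given ZTNA tag.

```python
"""Check that a ZTNA tag on the FortiGate lists every expected endpoint IP.

Added example (not from the original article). The listing format below
mirrors the shape of `diagnose firewall dynamic list` output; it is an
assumption, as is the tag name EMS1_ZTNA_Windows. Verify both against a
real FortiGate before relying on this check.
"""
import re

# Constructed sample: the state described in the article before the fix,
# where only the internal endpoint is present under the Windows tag.
BEFORE_FIX = """\
List all dynamic addresses:

EMS1_ZTNA_Windows: ID(10)
        ADDR(10.230.3.17)
"""

# Constructed sample: after enabling 'Share all FortiClients' and resyncing
# the external endpoint, both endpoints appear under the Windows tag.
AFTER_FIX = """\
List all dynamic addresses:

EMS1_ZTNA_Windows: ID(10)
        ADDR(10.230.3.17)
        ADDR(10.47.17.179)
EMS1_ZTNA_Linux: ID(11)
        ADDR(10.230.3.40)
"""

# A tag header line: "<tag name>: ID(<number>)"
TAG_RE = re.compile(r"^(\S+):\s+ID\(\d+\)\s*$")
# An indented member line: "ADDR(<ip>)"
ADDR_RE = re.compile(r"^\s+ADDR\(([0-9a-fA-F.:]+)\)\s*$")


def parse_dynamic_list(text):
    """Return {tag_name: [ip, ...]} from a dynamic-address listing."""
    tags = {}
    current = None
    for line in text.splitlines():
        m = TAG_RE.match(line)
        if m:
            current = m.group(1)
            tags[current] = []
            continue
        m = ADDR_RE.match(line)
        if m and current is not None:
            tags[current].append(m.group(1))
    return tags


def missing_endpoints(text, tag, expected_ips):
    """IPs expected under `tag` that the FortiGate has not received yet."""
    present = set(parse_dynamic_list(text).get(tag, []))
    return sorted(set(expected_ips) - present)


def ztna_tag_in_sync(text, tag, expected_ips):
    """True when every expected endpoint is listed under the tag."""
    return not missing_endpoints(text, tag, expected_ips)


if __name__ == "__main__":
    expected = ["10.230.3.17", "10.47.17.179"]
    for label, sample in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        gap = missing_endpoints(sample, "EMS1_ZTNA_Windows", expected)
        print(f"{label} fix: missing endpoints = {gap or 'none'}")
```

In practice, capture the command output from the FortiGate CLI, pass it to `missing_endpoints()` with the IPs of the endpoints you expect, and treat a non-empty result after the resync as a sign that EMS is still not sharing that endpoint with this FortiGate.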
Copyright 2025 Fortinet, Inc. All Rights Reserved.