1. Check with 'diagnose test application fcnacd 7' to confirm if there are user details shown. In this case, the user details are missing as below:

• UID: 9D8B00xxxxxxxxxxxxxxxxxxxxxxx
• EMS Fabric ID: FCTEMSxxxxxxx:00000000000000000000000000000000
• Domain:
• User:
• Owner:
• Certificate SN:

2. Verify 'diagnose wad dev query-by uid <uid> <EMS Serial number> 00000000000000000000000000000000'.
   
   
3. If the output shows null, it means the FortiGate cannot communicate with the FortiClient EMS using the Security Fabric connector or there is no record of this endpoint in the FortiClient EMS.
   
   
4. In this situation, try disabling the EMS connector, deleting the FortiGate from FortiClient EMS Fabric devices if not done automatically, then re-enabling the connector and reauthorizing it.
   
   
5. If the issue is still there, there may be a stale/corrupt entry in FortiGate CMDB that may be causing the issue. To resolve that, disable the EMS connector from current ID, and configure it on another available ID.
   
   
6. Remove the ZTNA Tags from firewall policies, and delete the ones associated with the previous EMS ID with the command below: diagnose endpoint tags remove-by-id.
   
   
7. Add the correct ZTNA tags that are associated with the new EMS Connector to the proxy policy.
   
   
8. In certain configurations, it is recommended to use the Full ZTNA policy instead of the Simple ZTNA policy. The Full ZTNA policy provides more granular access control by allowing decisions based on the destination interface or the real server’s destination address - capabilities that are limited or unavailable in the Simple ZTNA policy. Refer to FortiGate 7.4.0 new features for more information. 
   
   
9. If using older version like 7.2.x, restarting processes like fcnacd and wad can also help resolve the issue. Technical Tip: How to restart/kill one or several processes on the FortiGate with CLI commands. Technical Tip: Using the 'diagnose sys top' CLI command.

For example: if the process ID for fcnacd is 172 and that for wad is 186 (found from diag sys top command), the following commands can be run to restart both processes:

diagnose sys kill <signal> <process ID>

diagnose sys kill 11 172

diagnose sys kill 11 186

10. The endpoint information must be in the 'matched endpoints' and 'resolved addresses' lists:

If the endpoint is not listed in 'matched endpoints', check if 'set pull-sysinfo' is enabled under 'config endpoint-control fctems' (it must be enabled):

config endpoint-control fctems

    edit <EMS_Entry>

        set pull-sysinfo enable (Enabled by default.)

    next

end

If the endpoint is not listed in 'resolved addresses', it can be resolved by applying a change on the EMS server: Technical Tip: How to check the resolved addresses of ZTNA Tags in FortiGate.