FortiGate
auppal
Staff
Article Id 286130
Description


This article refers to the issue of having a ZTNA destination rule on On-Fabric endpoints and the solution for it.


Scope


FortiGate, FortiClient EMS, ZTNA.


Solution


If there is no on-fabric detection rule in EMS, then ALL FortiClients connected to EMS are considered On-Fabric devices.
The location status of an endpoint can be checked in EMS:
Navigate to Endpoints > All Endpoints.



Based on the endpoint profile, EMS applies the ZTNA destination profile to this endpoint, and the endpoint receives the ZTNA destinations:



As described in the following KB article, an on-fabric endpoint will attempt Hairpin NAT, and an adjustment to the proxy policy is required as a workaround:

Technical Tip: ZTNA Destinations not working for On-fabric devices


To avoid this, EMS must differentiate between off-fabric and on-fabric endpoints and apply a different ZTNA destination profile depending on the location. This is done with on-fabric detection rules.


  1. Navigate to Endpoint Policy & Components -> On-Fabric Detection Rules.



A rule needs to be created based on one or more parameters that determine whether the device is on-net. For example, the public IP of the endpoint can be used as a parameter: if the public IP of the endpoint matches the public IP of the HQ, the device is considered on-fabric. Alternatively, if the default gateway of the device is the on-site FortiGate's internal interface IP, the device is considered on-net.

Reference:

On-fabric Detection Rules

Such a rule is configured as follows:



This rule specifies that if the device's subnet is 10.0.0.0/24, it is considered on-fabric.


  2. Now, different ZTNA destination profiles need to be created for on-fabric and off-fabric endpoints:
    Navigate to Endpoint Profiles -> ZTNA Destinations -> Add.
  • Off-Fabric: Since the endpoint is off-fabric, it needs the ZTNA destinations for the access proxy:



  • On-Fabric: As the device is on-fabric, it does not need ANY ZTNA destination:



  • Additionally, the ZTNA destination column in the FortiClient application can be hidden so that end users cannot even see the ZTNA Destination option. This is done by disabling the Eye button in the ZTNA destination profile: navigate to Endpoint Profiles -> ZTNA Destinations -> Edit Profile -> Advanced.



  3. Apply the policy to the endpoints based on their Off-Fabric or On-Fabric location:
    Navigate to Endpoint Policy & Components -> Manage Policies -> Edit Policy.
  • Make sure to enable Profile (Off-Fabric).
  • Select the appropriate ZTNA destination profile for Off-Fabric and On-Fabric endpoints.
  • Select the On-Fabric Detection Rules created in Step 1.

Once these rules are created and applied, endpoints are marked as On-Fabric or Off-Fabric according to the On-Fabric detection rules and receive the ZTNA destination profile configured above.
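The following Python model is an added illustration, not EMS code or any Fortinet API, of how the detection rule from Step 1 and the per-location profile assignment from Step 3 fit together, including the case from the start of this article where no rule exists and every endpoint counts as on-fabric. The rule types, IP values and destination name are constructed placeholders, and treating a match on any single rule as on-fabric is an assumption of this model, not documented EMS behaviour.

```python
import ipaddress

# Constructed on-fabric detection rules modelled on the article's examples:
# public IP equals the HQ public IP, default gateway is the FortiGate
# internal interface IP, or the endpoint sits in 10.0.0.0/24.
HQ_PUBLIC_IP = "203.0.113.10"          # placeholder value
FORTIGATE_INTERNAL_IP = "10.0.0.1"     # placeholder value
ON_FABRIC_RULES = [
    ("public_ip", HQ_PUBLIC_IP),
    ("default_gateway", FORTIGATE_INTERNAL_IP),
    ("subnet", "10.0.0.0/24"),
]

# ZTNA destination profiles per location (Step 2): off-fabric endpoints
# get the access-proxy destinations, on-fabric endpoints get none.
PROFILES = {
    "Off-Fabric": ["intranet.example.com:443"],  # constructed destination
    "On-Fabric": [],
}


def rule_matches(rule, endpoint):
    """Evaluate one detection rule against an endpoint's attributes."""
    kind, value = rule
    if kind == "public_ip":
        return endpoint["public_ip"] == value
    if kind == "default_gateway":
        return endpoint["default_gateway"] == value
    if kind == "subnet":
        return ipaddress.ip_address(endpoint["ip"]) in ipaddress.ip_network(value)
    raise ValueError(f"unknown rule type {kind}")


def classify(endpoint, rules):
    """Return 'On-Fabric' or 'Off-Fabric' for the endpoint.

    With no detection rules at all, every endpoint is on-fabric, as the
    article states. Assumption of this model: any single matching rule
    makes the endpoint on-fabric.
    """
    if not rules:
        return "On-Fabric"
    on_net = any(rule_matches(r, endpoint) for r in rules)
    return "On-Fabric" if on_net else "Off-Fabric"


def ztna_destinations(endpoint, rules):
    """ZTNA destinations the endpoint receives for its location."""
    return PROFILES[classify(endpoint, rules)]
```

Running the model with an endpoint at 192.168.1.5 behind an unrelated gateway and an empty rule list shows why the missing-rule case matters: it is classified On-Fabric and receives no destinations, even though it is actually remote.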

Observation:

  1. Off-Fabric device:



  2. On-Fabric device:



Because the Eye button was disabled in step 2.3, FortiClient does not show the ZTNA Destination option in the application at all.
