FortiGate
ganeshcs (Staff)
Description: This article serves as a troubleshooting guideline when trying to identify issues between FortiGate and EMS.

Scope: These guidelines are for FortiGate ZTNA telemetry, tags, and policy enforcement.
Solution

[Diagram: communication flows between FortiClient, EMS and FortiGate, summarised below]

FortiClient to EMS server:

- Telemetry connections and compliance verification results.

EMS server to FortiClient:

- Profile push, real-time monitoring and compliance verification results.

FortiClient EMS to FortiGate:

- Dynamic endpoint groups.

FortiClient to FortiGate:

- Telemetry connection.

 

1) Connectivity testing between FortiGate and EMS:

# diagnose endpoint fctems test-connectivity <EMS>

- Verify FortiGate to FortiClient EMS connectivity.

# execute fctems verify <EMS>

- Verify the FortiClient EMS's certificate.

# diagnose test application fcnacd 2

- Dump the EMS connectivity information.

The diagnose endpoint fctems test-connectivity command shows whether the connection between FortiGate and FortiClient EMS is successful. The execute fctems verify command shows whether the EMS server certificate is verified by the FortiGate, and the diagnose test application fcnacd 2 command dumps the FortiClient EMS connectivity information.

 

If fcnacd does not report the correct status, run real-time fcnacd debugs:

# diagnose debug app fcnacd -1
# diagnose debug enable

- Run real-time FortiClient NAC daemon debugs.

EMS communicates with FortiGate on port 8015:

# diagnose sniffer packet any 'port 8015' 4 0 l

- Sniff the traffic on port 8015 on all interfaces (verbose level 4, unlimited packet count, local timestamps).
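When the FortiGate-side checks above fail, it helps to run the same two questions from an admin host on the same network: can TCP be opened to the EMS REST port at all, and does the EMS server present a certificate that chains to a CA we trust? Separating those two outcomes tells you whether to look at routing/filtering or at the certificate before turning on fcnacd debugs. The script below is an added example, not code from the article or from Fortinet; the hostname, the CA bundle path and the helper names are assumptions, and the only target it contacts when run as-is is a constructed loopback port with nothing listening.

```python
"""Added example (not from the original article or Fortinet): emulates, from
a Linux admin host, the two checks the article runs on the FortiGate, a TCP
reachability test toward EMS and a TLS certificate verification of the EMS
server. Hostnames, the CA bundle path and the helper names are assumptions."""
import socket
import ssl
from dataclasses import dataclass
from typing import Optional

EMS_REST_PORT = 8015  # port the article names for EMS <-> FortiGate traffic


@dataclass
class ProbeResult:
    host: str
    port: int
    tcp_ok: bool
    tls_ok: Optional[bool]  # None when the TLS step was not attempted
    detail: str


def probe_tcp(host: str, port: int = EMS_REST_PORT, timeout: float = 3.0) -> ProbeResult:
    """Plain TCP connect, mapped onto the three outcomes that matter when
    troubleshooting: open, refused (host up, nothing listening) or timeout
    (filtered or no route). Mirrors `diagnose endpoint fctems test-connectivity`."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return ProbeResult(host, port, True, None, "tcp connect ok")
    except socket.timeout:
        return ProbeResult(host, port, False, None, "timeout: filtered or no route")
    except ConnectionRefusedError:
        return ProbeResult(host, port, False, None, "refused: host up, service not listening")
    except OSError as exc:
        return ProbeResult(host, port, False, None, f"os error: {exc}")


def probe_tls(host: str, port: int = EMS_REST_PORT, ca_file: Optional[str] = None,
              timeout: float = 3.0) -> ProbeResult:
    """TCP connect followed by a TLS handshake that verifies the server chain
    against `ca_file` (system trust store when None) and checks the hostname,
    which is what `execute fctems verify` establishes on the FortiGate side."""
    tcp = probe_tcp(host, port, timeout)
    if not tcp.tcp_ok:
        return tcp  # no point attempting TLS; report the network-level result
    # create_default_context sets CERT_REQUIRED and check_hostname=True
    ctx = ssl.create_default_context(cafile=ca_file)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                subject = dict(rdn[0] for rdn in cert.get("subject", ()))
                return ProbeResult(host, port, True, True,
                                   f"chain verified; CN={subject.get('commonName')} "
                                   f"notAfter={cert.get('notAfter')}")
    except ssl.SSLCertVerificationError as exc:
        # Chain or hostname problem: the EMS cert is not trusted by this CA set
        return ProbeResult(host, port, True, False, f"certificate rejected: {exc.verify_message}")
    except (ssl.SSLError, OSError) as exc:
        return ProbeResult(host, port, True, False, f"tls handshake failed: {exc}")


def closed_local_port() -> int:
    """Return a loopback port with nothing listening (bind to port 0, read
    the assigned port, release it). Used to demonstrate the 'refused'
    outcome without any network access."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Constructed target: loopback with no listener, so this runs offline.
    print(probe_tcp("127.0.0.1", closed_local_port()))
    # Real use against an EMS (assumed hostname and CA path):
    # print(probe_tls("ems.example.internal", ca_file="/etc/ssl/certs/ems-ca.pem"))
```

Read the result as a pair: `tcp_ok=False` with "timeout" points at routing or a filter between the two hosts, "refused" at an EMS that is up but not serving on that port, and `tcp_ok=True, tls_ok=False` at a certificate the admin host's CA set does not trust, which is the same class of problem `execute fctems verify` would report on the FortiGate.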

 

2) Checking dynamic tagging:

EMS pushes dynamic tag profiles to FortiClient and also sends the dynamic endpoint groups to the FortiGate.

On the EMS GUI:

Go to Zero Trust Tags -> Zero Trust Tag Monitor.

- This shows the FortiClient endpoint tags together with the client IP addresses.

- These dynamic endpoint groups should be sent to the FortiGate.

On FortiGate:

# diagnose firewall dynamic list

- List EMS ZTNA tags and all dynamic IP and MAC addresses.

# diagnose endpoint record list

- Show the endpoint record list. Optionally, filter by the endpoint IP address.

# diagnose test application fcnacd 7
# diagnose test application fcnacd 8

- Check the FortiClient NAC daemon ZTNA cache and route cache.

 

Additional fcnacd options:

# diag test application fcnacd
1. dump debug flag
2. dump EMS info
3. reinit fcems
4. unset report version
5. schedule host_tags call
6. set all notif
7. dump ztna cache
8. dump route cache
9. disable rest api
10. enable rest api
11. force terminate WebSocket connections
12. dump long lived socket clients
13. retry all rest-apis immediately
14. dump ztna cache info
15. dump record connection status
16. dump ZTNA entries with no connection
99. restart

=====================================================

 

Additional debug commands for SSL-VPN/ZTNA access proxy:

# diag debug application sslvpn -1
# diag debug application fnbamd -1
# diag debug ena

Run real-time WAD debugs:

# diagnose wad debug enable category all
# diagnose wad debug enable level verbose
# diagnose debug enable

# diagnose endpoint wad-comm find-by uid <uid>

- Query endpoints by client UID.

# diagnose endpoint wad-comm find-by ip-vdom <ip> <vdom>

- Query endpoints by the client IP/VDOM pair.

- The WAD daemon handles the proxy.

- The FortiClient NAC daemon (fcnacd) handles connectivity between FortiGate and EMS.

 

Related documents:

https://docs.fortinet.com/document/fortigate/7.0.0/new-features/751123/ztna-configuration-examples

https://community.fortinet.com/t5/FortiGate/Technical-Tip-EMS-Connector-setup/ta-p/193869

https://docs.fortinet.com/document/fortigate/7.0.0/new-features/317228/zero-trust-network-access

 

 

 
