Article Id 223725
Description: This article describes troubleshooting guidelines for identifying issues between FortiGate and FortiClient EMS.
Scope: FortiGate ZTNA telemetry, tags, and policy enforcement.
Solution

Communication flows between FortiClient, FortiClient EMS, and FortiGate:

  • FortiClient to EMS server: Telemetry connections and Compliance verification results.
  • EMS server to FortiClient: Profile push, Real-time monitoring, and Compliance Verification results.
  • FortiClient EMS to FortiGate: Dynamic Endpoint Groups.
  • FortiClient to FortiGate: Telemetry Connection.

 

Connectivity testing between FortiGate and FortiClient EMS:

 

diagnose endpoint fctems test-connectivity <EMS>

 

Verify FortiGate to FortiClient EMS connectivity.

 

execute fctems verify <EMS>

 

Verify that the FortiClient EMS server is reachable from the firewall. If the FortiClient EMS server is reached through a VPN tunnel, the source IP must be set under the FortiClient EMS configuration with the following commands:

config endpoint-control fctems
    edit 1
        set server "10.10.10.1"
        set source-ip "192.168.1.1"
    next
end

Verify the FortiClient EMS’s certificate:

 

diagnose test application fcnacd 2

 

If, for some reason, the certificate is shown as not authorized, the certificate authorization may be executed via CLI with the command below:

 

execute fctems verify 1

 

Dump the FortiClient EMS connectivity information.

 

The diagnose endpoint fctems test-connectivity command shows that the connection between FortiGate and FortiClient EMS is successful. The execute fctems verify command shows that the server certificate is verified with FortiGate, and the diagnose test application fcnacd 2 command dumps the FortiClient EMS connectivity information.

 

If fcnacd does not report the correct status, run real-time fcnacd debugs:

 

diagnose debug app fcnacd -1

diagnose endpoint filter show-large-data yes 

diagnose debug enable

 

Run real-time FortiClient NAC daemon debugs.

 

FortiClient EMS communicates to FortiGate on port 8015:

 

diagnose sniffer packet any 'port 8015' 4 0 l


In some instances, the following error may be observed, although there is bidirectional communication between FortiGate and the FortiClient EMS server from the sniffer:


Connection test had an error -1: EMS server was not reached (timeout)

 

If the FortiClient EMS server is on-prem and behind a FortiGate, review the firewall policy handling access to the server and test without UTM features.
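As an added example (not from the original article), the following Python script parses header lines in the shape produced by the sniffer command above and reports whether the port 8015 exchange is bidirectional. That separates the case where nothing comes back from the EMS server from the case the article describes, where the connection test reports a timeout even though two-way traffic is visible. The sample lines are constructed, not captured from a device: the layout follows the verbosity-4 header format (timestamp, interface, direction, source.port -> destination.port: flags), and the assumption that TCP flag names appear as lowercase words in that trailer is part of the sample, so check the regular expression against real output before relying on it.

```python
import re

# Constructed sample in the shape of 'diagnose sniffer packet any "port 8015" 4 0 l'
# output (verbosity 4 header lines with a local timestamp). Not captured from a
# real device: 192.168.1.1 stands for the FortiGate source IP and 10.10.10.1 for
# the EMS server, matching the addresses in the configuration example above.
SAMPLE_OK = """\
2022-09-14 10:15:32.100001 port1 out 192.168.1.1.50022 -> 10.10.10.1.8015: syn 1000
2022-09-14 10:15:32.100420 port1 in 10.10.10.1.8015 -> 192.168.1.1.50022: syn 2000 ack 1001
2022-09-14 10:15:32.100555 port1 out 192.168.1.1.50022 -> 10.10.10.1.8015: ack 2001
2022-09-14 10:15:32.101000 port1 out 192.168.1.1.50022 -> 10.10.10.1.8015: psh 1001 ack 2001
2022-09-14 10:15:32.140000 port1 in 10.10.10.1.8015 -> 192.168.1.1.50022: psh 2001 ack 1250
"""

# Constructed failure case: SYNs leave the FortiGate but nothing comes back.
SAMPLE_NO_REPLY = """\
2022-09-14 10:20:01.000001 port1 out 192.168.1.1.50030 -> 10.10.10.1.8015: syn 3000
2022-09-14 10:20:02.000001 port1 out 192.168.1.1.50030 -> 10.10.10.1.8015: syn 3000
2022-09-14 10:20:04.000001 port1 out 192.168.1.1.50030 -> 10.10.10.1.8015: syn 3000
"""

HEADER_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<intf>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<flags>.*)$"
)


def parse_sniffer(text):
    """Parse header lines into dicts; lines that are not headers (hex dumps, banners) are skipped."""
    packets = []
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue
        pkt = m.groupdict()
        pkt["sport"], pkt["dport"] = int(pkt["sport"]), int(pkt["dport"])
        pkt["flags"] = pkt["flags"].split()  # e.g. ['psh', '1001', 'ack', '2001']
        packets.append(pkt)
    return packets


def analyze_ems_traffic(text, ems_ip, port=8015):
    """Summarise traffic to and from the EMS server on the given port and give a verdict."""
    packets = parse_sniffer(text)
    to_ems = [p for p in packets if p["dst"] == ems_ip and p["dport"] == port]
    from_ems = [p for p in packets if p["src"] == ems_ip and p["sport"] == port]
    syn_sent = any("syn" in p["flags"] and "ack" not in p["flags"] for p in to_ems)
    syn_ack_seen = any("syn" in p["flags"] and "ack" in p["flags"] for p in from_ems)
    data_from_ems = any("psh" in p["flags"] for p in from_ems)

    if not to_ems:
        verdict = "no_packets_to_ems"        # nothing leaves toward EMS: routing or source-ip
    elif not from_ems:
        verdict = "no_reply_from_ems"        # EMS or the path drops the connection attempt
    elif syn_sent and not syn_ack_seen:
        verdict = "handshake_not_completed"  # replies exist (e.g. rst) but no SYN/ACK
    else:
        verdict = "bidirectional"            # two-way TCP traffic; look above layer 4

    return {
        "to_ems": len(to_ems),
        "from_ems": len(from_ems),
        "syn_ack_seen": syn_ack_seen,
        "data_from_ems": data_from_ems,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("no_reply", SAMPLE_NO_REPLY)):
        print(name, analyze_ems_traffic(sample, "10.10.10.1"))
```

Paste the sniffer output into a file and call analyze_ems_traffic() with the EMS server IP. A "no_reply_from_ems" verdict points at reachability and the policy on the path; a "bidirectional" verdict together with the "EMS server was not reached (timeout)" error is the situation described above, where the next step is the firewall policy handling access to the server and a test without UTM features.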

Checking dynamic tagging.

FortiClient EMS pushes dynamic tag profiles to FortiClient and sends the dynamic endpoint groups to the FortiGate.

 

On the EMS GUI:

Go to Zero Trust Tags -> Zero Trust Tag Monitor. This will show the FortiClient Endpoint Tag together with the client IP addresses. This dynamic endpoint group should be sent to the FortiGate.

 

On FortiGate:

To check whether the users are authenticated in FortiGate:

 

diagnose firewall auth list


To check the endpoint record list:

 

diagnose endpoint record list

 

List FortiClient EMS ZTNA tags and all dynamic IP and MAC addresses.

 

diagnose firewall dynamic address

 

As of v7.4.2, the 'diagnose endpoint record list' has been changed to 'diagnose endpoint ec-shm list'.

 

Show the endpoint record list. Optionally, filter by the endpoint IP address.
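As an added example (not from the original article), the following Python script parses output in the shape of 'diagnose firewall dynamic address' into a tag-to-address map, answers which tags an endpoint IP currently belongs to on the FortiGate, and compares that view with what the EMS Zero Trust Tag Monitor shows, so that a dynamic endpoint group that never reached the FortiGate stands out. The sample output, tag names, IDs, IPs and the MAC entry line are constructed; the group and entry line layout is an assumption about the command's format, and the EMS monitor data is assumed to be entered by hand using the same tag names the FortiGate uses for its dynamic addresses.

```python
import re

# Constructed sample in the shape of 'diagnose firewall dynamic address' output.
# Not captured from a real device: the tag names, ID numbers, IPs and the MAC
# entry line are made up. Read the real naming from the command output on the
# unit being troubleshot before trusting the tag-name comparison below.
SAMPLE_DYNAMIC_ADDRESS = """\
List all dynamic addresses:
EMS1_ZTNA_all_registered_clients: ID(9)
        ADDR(10.0.3.2)
        ADDR(10.0.3.3)
        MAC(00:11:22:33:44:55)
EMS1_ZTNA_Compliant: ID(10)
        ADDR(10.0.3.2)
EMS1_ZTNA_Quarantine: ID(11)
"""

GROUP_RE = re.compile(r"^(?P<tag>\S+): ID\((?P<id>\d+)\)\s*$")
ENTRY_RE = re.compile(r"^\s+(?P<kind>[A-Z]+)\((?P<value>[^)]+)\)\s*$")


def parse_dynamic_addresses(text):
    """Return {tag: {'id': int, 'addr': set(), 'mac': set()}} from the command output."""
    groups, current = {}, None
    for line in text.splitlines():
        m = GROUP_RE.match(line)
        if m:
            current = {"id": int(m.group("id")), "addr": set(), "mac": set()}
            groups[m.group("tag")] = current
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            key = "mac" if m.group("kind") == "MAC" else "addr"
            current[key].add(m.group("value"))
    return groups


def tags_for_ip(groups, ip):
    """Which dynamic address groups (tags) currently contain this endpoint IP."""
    return sorted(tag for tag, g in groups.items() if ip in g["addr"])


def compare_with_ems(groups, ems_monitor):
    """Compare the FortiGate view with what the EMS Zero Trust Tag Monitor shows.

    ems_monitor maps a tag name (already in the FortiGate's dynamic address naming)
    to the set of endpoint IPs the monitor lists for it. Anything present on EMS but
    absent here indicates the dynamic endpoint group did not reach the FortiGate.
    """
    missing_tags = sorted(t for t in ems_monitor if t not in groups)
    missing_ips = {}
    for tag, ips in ems_monitor.items():
        if tag in groups:
            gap = sorted(ips - groups[tag]["addr"])
            if gap:
                missing_ips[tag] = gap
    return {"missing_tags": missing_tags, "missing_ips": missing_ips}


if __name__ == "__main__":
    fgt = parse_dynamic_addresses(SAMPLE_DYNAMIC_ADDRESS)
    # Constructed view of the EMS Zero Trust Tag Monitor for the same endpoints.
    ems = {
        "EMS1_ZTNA_Compliant": {"10.0.3.2", "10.0.3.3"},
        "EMS1_ZTNA_Lab": {"10.0.3.9"},
    }
    print(tags_for_ip(fgt, "10.0.3.2"))
    print(compare_with_ems(fgt, ems))
```

In the constructed data the endpoint 10.0.3.3 is tagged Compliant on EMS but only appears in the all-registered-clients group on the FortiGate, and the Lab tag does not exist on the FortiGate at all; both are the kind of gap that the fcnacd debugs and the connectivity checks earlier in this article are meant to explain.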

 

diagnose test application fcnacd 7
diagnose test application fcnacd 8
diagnose test application fcnacd 15
diagnose firewall dynamic list

Dump the FortiClient NAC daemon ZTNA cache, route cache, and record connection status, and list the dynamic firewall addresses.

 

Additional fcnacd options.

 

diagnose test application fcnacd
1. dump debug flag
2. dump EMS info
3. reinit fcems
4. unset report version
5. schedule host_tags call
6. set all notif
7. dump ztna cache
8. dump route cache
9. disable rest api
10. enable rest api
11. force terminate WebSocket connections
12. dump long lived socket clients
13. retry all rest-apis immediately
14. dump ztna cache info
15. dump record connection status
16. dump ZTNA entries with no connection
99. restart

 =====================================================

 

Additional debug commands for SSL VPN/ZTNA Access proxy:

 

It is recommended to filter SSL VPN logs by the source public IP of the client. Replace 'x.x.x.x' with the public IP of the test client.

diagnose debug application sslvpn -1
diagnose vpn ssl debug-filter src-addr4 x.x.x.x
diagnose debug application fnbamd -1
diagnose debug enable

 

Run real-time WAD debugs:

WAD debug logs can generate large volumes of output and debug lines, which may impact device performance. It is highly recommended to use as many filters as possible in order to selectively limit the logs generated by the WAD daemon.

 

diagnose wad debug enable category all

diagnose wad filter src x.x.x.x 

diagnose wad filter dst y.y.y.y 

diagnose wad debug enable level verbose

diagnose wad filter list 

diagnose wad debug show 

diagnose debug enable

 

Stop the real-time WAD debugging process.

 

diagnose debug disable

diagnose debug reset

 

Query endpoints by client UID:

 

diagnose endpoint wad-comm find-by uid <uid>

 

Query endpoints by the client IP-VDOM pair.

 

diagnose endpoint wad-comm find-by ip-vdom <ip> <vdom>

 

The WAD daemon handles the proxy.

The FortiClient NAC daemon handles connectivity between FortiGate and FortiClient EMS.

 

Related documents:

Services and Ports

ZTNA configuration examples

Zero trust network access