Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Anonymous
Not applicable

Created on ‎09-13-2022 10:22 PM Edited on ‎10-22-2025 02:25 AM By Moderator

Article Id 223725

Troubleshooting Tip: Troubleshooting FortiGate with FortiClient EMS

Description This article describes a troubleshooting guideline when identifying issues between FortiGate and FortiClient EMS.
Scope FortiGate ZNTA telemetry, tags, and policy enforcement.
Solution ganeshcs_0-1663122092802.png

 

  • FortiClient to EMS server: Telemetry connections and Compliance verification results.
  • EMS server to FortiClient: Profile push, Real-time monitoring, and Compliance Verification results.
  • FortiClient EMS to FortiGate: Dynamic Endpoint Groups.
  • FortiClient to FortiGate: Telemetry Connection.

 

Connectivity testing between FortiGate and FortiClient EMS:

 

diagnose endpoint fctems test-connectivity <EMS>

 

Verify FortiGate to FortiClient EMS connectivity.

 

execute fctems verify <EMS>

 

Verify the FortiClient EMS server is reachable from the Firewall. In the case when the FortiClient EMS server is connected to the Firewall using a VPN tunnel source IP needs to be configured under FortiClient EMS configuration using the command.

 

config endpoint-control fctems

    edit 1

        set server "10.10.10.1"

        set source-ip "192.168.1.1"

 

Verify the FortiClient EMS’s certificate:

 

diagnose test application fcnacd 2

 

If, for some reason, the certificate is shown as not authorized, the certificate authorization may be executed via CLI with the command below:

 

execute fctems verify 1

 

Dump the FortiClient EMS connectivity information.

 

The diagnose endpoint fctems test-connectivity command shows that the connection between FortiGate and FortiClient EMS is successful. The execute fctems verify command shows that the server certificate is verified with FortiGate, and the diagnose test application fcnacd 2 command dumps the FortiClient EMS connectivity information.

 

If fcnacd does not report the correct status, run real-time fcnacd debugs:

 

diagnose debug app fcnacd -1

diagnose endpoint filter show-large-data yes 

diagnose debug enable

 

Run real-time FortiClient NAC daemon debugs.

 

FortiClient EMS communicates to FortiGate on port 8015:

 

diagnose sniffer packet any 'port 8015' 4 0 l


In some instances, the following error may be observed, although there is bidirectional communication between FortiGate and the FortiClient EMS server from the sniffer:


Connection test had an error -1: EMS server was not reached (timeout)

 

If the FortiClient EMS server is on-prem and behind a FortiGate, review the firewall policy handling access to the server and test without UTM features.

Checking dynamic tagging.

FortiClient EMS pushes dynamic tag profiles to FortiClient and sends the dynamic endpoint groups to the FortiGate.

 

On the EMS GUI:

Go to Zero Trust Tags -> Zero Trust Tag Monitor. This will show the FortiClient Endpoint Tag together with the client IP addresses. This dynamic endpoint group should be sent to the FortiGate.

 

On FortiGate:

To check whether the users are authenticated in FortiGate:

 

diagnose firewall auth list


To check the endpoint record list:

 

diagnose endpoint record list

 

List FortiClient EMS ZTNA tags and all dynamic IP and MAC addresses.

 

diagnose firewall dynamic address

 

As of v7.4.2, the 'diagnose endpoint record list' has been changed to 'diagnose endpoint ec-shm list'.

 

Show the endpoint record list. Optionally, filter by the endpoint IP address.

 

diagnose test application fcnacd 7

diagnose test application fcnacd 8

diagnose test application fcnacd 15

diagnose firewall dynamic list

 

Check the FortiClient NAC daemon ZTNA and route cache.

 

Additional fcnacd options.

 

diagnose test application fcnacd
1. dump debug flag
2. dump EMS info
3. reinit fcems
4. unset report version
5. schedule host_tags call
6. set all notif
7. dump ztna cache
8. dump route cache
9. disable rest api
10. enable rest api
11. force terminate WebSocket connections
12. dump long lived socket clients
13. retry all rest-apis immediately
14. dump ztna cache info
15. dump record connection status
16. dump ZTNA entries with no connection
99. restart

 =====================================================

 

Additional debug commands for SSL VPN/ZTNA Access proxy:

 

diagnose debug application sslvpn -1
diagnose debug application fnbamd -1

diagnose debug ena

 

Run real-time WAD debugs.

 

diagnose wad debug enable category all

diagnose wad debug enable level verbose

diagnose debug enable

 

Stop real-time WAD debug.

 

diagnose debug disable

diagnose debug reset

 

 Query endpoints by client UID.

 

diagnose endpoint wad-comm find-by uid <uid>

 

Query endpoints by the client IP-VDOM pair.

 

diagnose endpoint wad-comm find-by ip-vdom <ip> <vdom>

 

The WAD daemon handles the proxy.

The FortiClient NAC daemon handles connectivity between FortiGate and FortiClient EMS.

 

Related documents:

Services and Ports

ZTNA configuration examples

Zero trust network access
14477
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.