pginete
Staff
Article Id 414476
Description

This article describes how to fix SSL VPN or dial-up IPsec VPN firewall policies when the ZTNA tag on them is not working, leaving the VPN user without access.

Scope

FortiGate, FortiClient EMS.

Solution

After connecting to the SSL VPN or dial-up IPsec VPN, the user cannot access any local resources or the internet. FortiClient cannot connect to the EMS either.

The SSL VPN or dial-up IPsec VPN firewall policies are using a ZTNA tag. ZTNA tags are assigned to the endpoint by FortiClient EMS, so a client that cannot reach EMS through the tunnel never receives the tag, the tagged policy never matches, and all VPN traffic is dropped, including the DNS and EMS traffic needed to obtain the tag in the first place.

[Image: VPN policies with ZTNA tag]

Solution:

  1. Create an SSL VPN or dial-up IPsec VPN firewall policy that allows traffic to the DNS servers used by the VPN (1.1.1.1 and 8.8.8.8 in this example) without a ZTNA tag.
  2. Create an SSL VPN or dial-up IPsec VPN firewall policy that allows traffic to the FortiClient EMS server or to the FortiClient EMS cloud FQDN (forticlient-emsproxy.forticloud.com) without a ZTNA tag.

Move these two firewall policies above the SSL VPN or dial-up IPsec VPN policy that carries the ZTNA tag, so they are matched first and the client can resolve names and register with EMS before the tagged policy is evaluated.
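The two untagged policies and the reordering from the steps above, written out as an added FortiOS CLI example that is not part of this article. The tunnel interface ssl.root, the WAN interface wan1, the address object SSLVPN_TUNNEL_ADDR1, the HTTPS service for EMS cloud, and the policy IDs 10, 20 and 21 are assumptions; the DNS addresses and the EMS FQDN are the ones given above.

```fortios
# Address objects for the VPN DNS servers and the EMS cloud FQDN.
config firewall address
    edit "VPN-DNS-1"
        set subnet 1.1.1.1 255.255.255.255
    next
    edit "VPN-DNS-2"
        set subnet 8.8.8.8 255.255.255.255
    next
    edit "EMS-Cloud"
        set type fqdn
        set fqdn "forticlient-emsproxy.forticloud.com"
    next
end

# Two policies with no ZTNA tag: they match on source IP alone, so they
# allow traffic before the endpoint has received any tag from EMS.
# "ssl.root", "wan1" and "SSLVPN_TUNNEL_ADDR1" are assumed names; adjust
# to the SSL VPN or IPsec tunnel interface and address range in use.
config firewall policy
    edit 0
        set name "VPN-to-DNS-no-ZTNA"
        set srcintf "ssl.root"
        set dstintf "wan1"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "VPN-DNS-1" "VPN-DNS-2"
        set action accept
        set schedule "always"
        set service "DNS"
        set nat enable
    next
    # Service HTTPS is an assumption (EMS cloud proxy over TCP/443);
    # for an on-premises EMS use the ports that server listens on.
    edit 0
        set name "VPN-to-EMS-no-ZTNA"
        set srcintf "ssl.root"
        set dstintf "wan1"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "EMS-Cloud"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable
    next
end

# Place both new policies above the ZTNA-tagged VPN policy. Look up the
# real IDs with "show firewall policy"; 20, 21 (new) and 10 (tagged) are
# placeholders.
config firewall policy
    move 20 before 10
    move 21 before 10
end
```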
