FortiGate
pginete (Staff)
Article Id 308103
Description

This article describes how to fix ZTNA access that fails, with the ZTNA traffic log showing action="timeout", when an IP pool is configured on the ZTNA policy.

Scope
FortiGate.
Solution

Below are sample configurations for a full ZTNA policy (a proxy policy) and a simple ZTNA policy (a firewall policy with the ZTNA VIP as its destination), each using the IP pool "IP-pool1" for source NAT.

 

Full ZTNA policy:

config firewall proxy-policy
    edit 1
        set uuid oadfsfihg3-9111-3223-e13e-nfnsafdk32
        set name "test-ztna-policy"
        set proxy access-proxy
        set access-proxy "ztna_server_http1"
        set srcintf "wan1"
        set srcaddr "all"
        set poolname "IP-pool1"
        set dstaddr "all"
        set ztna-ems-tag "Windows"
        set action accept
        set schedule "always"
        set logtraffic all
        set utm-status enable
        set ssl-ssh-profile "no-inspection"
        set comments "test"
    next
end

 

Simple ZTNA policy:

config firewall policy
    edit 1
        set name "test-ztna-policy"
        set uuid d23e242-2323-51eb-4908-mfkafdam32
        set srcintf "wan1"
        set dstintf "any"
        set action accept
        set srcaddr "all"
        set dstaddr "test-ztna-vip1"
        set schedule "always"
        set logtraffic all
        set nat enable
        set ippool enable
        set poolname "IP-pool1"
        set ssl-ssh-profile "no-inspection"
        set comments "test"
    next
end

 

With either policy in place, the ZTNA client cannot reach the protected server, and the ZTNA traffic log shows the session ending with action="timeout" (the log below is from a full ZTNA proxy policy):

 

7: date=2023-05-10 time=12:37:55 eventtime=1673375875370252428 tz="-0800" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=192.168.1.100 srcname="ztna-client" srcport=43662 srcintf="wan1" srcintfrole="undefined" dstcountry="Reserved" srccountry="Reserved" dstip=172.16.200.207 dstport=443 dstintf="port1" dstintfrole="undefined" sessionid=326 service="HTTPS" proxyapptype="http" proto=6 action="timeout" policyid=1 policytype="proxy-policy" poluuid="3fa4111a-9111-51ed-e13e-de70d4b9da58" policyname="ztna2_rule1" duration=64 gatewayid=1 vip="test-ztna-vip1" accessproxy="ztna_server_http1" clientdeviceid="07B75C6BFC144D558299C7846E543AF7" clientdeviceowner="user2" clientdevicemanageable="manageable" clientdevicetags="MAC_EMS7_ZTNA_all_registered_clients/EMS7_ZTNA_all_registered_clients/Windows" emsconnection="online" wanin=0 rcvdbyte=0 wanout=0 lanin=1692 sentbyte=1692 lanout=32637 fctuid="07B75C6BFC144D558299C7846E543AF7" unauthuser="fosqa" unauthusersource="forticlient" appcat="unscanned"
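As an added example (not part of the original article), the following Python script parses FortiOS key=value log lines and pulls out the ZTNA sessions that ended with action="timeout", so the failure above can be found across an exported log file instead of being read line by line. The first sample line is the log entry quoted above; the second is a constructed entry for an accepted session, included only for contrast, and the field names and values in it are assumptions.

```python
import re
from typing import Dict, Iterable, List

# FortiOS writes logs as space-separated key=value pairs. Values that may
# contain spaces or punctuation are double-quoted; numbers and IPs are bare.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Fields worth keeping when summarising a failed ZTNA session.
_SUMMARY_FIELDS = ("sessionid", "policyid", "policyname", "policytype",
                   "accessproxy", "vip", "srcip", "dstip", "dstport", "duration")


def parse_fortios_log(line: str) -> Dict[str, str]:
    """Parse one FortiOS log line into a dict of field -> value.

    A leading CLI index such as '7: ' (as printed by the FortiGate CLI)
    is ignored because it is not a key=value pair.
    """
    fields: Dict[str, str] = {}
    for m in _KV.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        # An empty quoted value ("") is a valid value, so test for None.
        fields[key] = quoted if quoted is not None else bare
    return fields


def ztna_timeouts(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return a summary of every ZTNA traffic log entry with action=timeout."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        rec = parse_fortios_log(line)
        if (rec.get("type") == "traffic"
                and rec.get("subtype") == "ztna"
                and rec.get("action") == "timeout"):
            hits.append({f: rec.get(f, "") for f in _SUMMARY_FIELDS})
    return hits


# Sample input: the first line is the log entry from this article; the
# second is a constructed entry for a session that was accepted.
SAMPLE_LOGS = [
    '7: date=2023-05-10 time=12:37:55 eventtime=1673375875370252428 tz="-0800" '
    'logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" '
    'srcip=192.168.1.100 srcname="ztna-client" srcport=43662 srcintf="wan1" '
    'srcintfrole="undefined" dstcountry="Reserved" srccountry="Reserved" '
    'dstip=172.16.200.207 dstport=443 dstintf="port1" dstintfrole="undefined" '
    'sessionid=326 service="HTTPS" proxyapptype="http" proto=6 action="timeout" '
    'policyid=1 policytype="proxy-policy" poluuid="3fa4111a-9111-51ed-e13e-de70d4b9da58" '
    'policyname="ztna2_rule1" duration=64 gatewayid=1 vip="test-ztna-vip1" '
    'accessproxy="ztna_server_http1" clientdeviceid="07B75C6BFC144D558299C7846E543AF7" '
    'clientdeviceowner="user2" clientdevicemanageable="manageable" '
    'clientdevicetags="MAC_EMS7_ZTNA_all_registered_clients/EMS7_ZTNA_all_registered_clients/Windows" '
    'emsconnection="online" wanin=0 rcvdbyte=0 wanout=0 lanin=1692 sentbyte=1692 '
    'lanout=32637 fctuid="07B75C6BFC144D558299C7846E543AF7" unauthuser="fosqa" '
    'unauthusersource="forticlient" appcat="unscanned"',
    # Constructed accepted session (assumed field values, not from the article).
    '8: date=2023-05-10 time=12:40:01 eventtime=1673376001000000000 tz="-0800" '
    'logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" '
    'srcip=192.168.1.101 srcport=43700 srcintf="wan1" dstip=172.16.200.207 dstport=443 '
    'sessionid=340 service="HTTPS" proto=6 action="accept" policyid=1 '
    'policytype="proxy-policy" policyname="ztna2_rule1" duration=12 '
    'accessproxy="ztna_server_http1" vip="test-ztna-vip1"',
]

if __name__ == "__main__":
    for hit in ztna_timeouts(SAMPLE_LOGS):
        print(" ".join(f"{k}={v}" for k, v in hit.items()))
```

Run it against the output of the FortiGate log display or an exported log file, one entry per line; only the timed-out ZTNA session from the article is reported, with its policy, access proxy and VIP, which is enough to match it to the proxy policy or firewall policy that carries the IP pool.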

 

To fix this, disable allow-traffic-redirect. This global setting is enabled by default and, when enabled, lets traffic whose ingress and egress interface are the same be forwarded without a policy check, which is what interferes with the IP pool configured on the ZTNA policy in this scenario:

config system global
    set allow-traffic-redirect disable
end

Note that allow-traffic-redirect is a system-global setting, so the change applies to all traffic on the FortiGate, not only ZTNA; review the effect on other same-interface traffic before changing it on a production unit. After the change, re-test the ZTNA connection: the ZTNA traffic log should no longer show action="timeout" for the session.

 

For more details about simple and full ZTNA policies, see: Full versus simple ZTNA policies
