Description
This article describes how to fix ZTNA not working when an IP pool is used in the ZTNA policy.
Scope
FortiGate.
Solution
Below are sample IP pool configurations for a full ZTNA policy and a simple ZTNA policy.
Full ZTNA policy:
config firewall proxy-policy
    edit 1
        set uuid oadfsfihg3-9111-3223-e13e-nfnsafdk32
        set name "test-ztna-policy"
        set proxy access-proxy
        set access-proxy "ztna_server_http1"
        set srcintf "wan1"
        set srcaddr "all"
        set poolname "IP-pool1"
        set dstaddr "all"
        set ztna-ems-tag "Windows"
        set action accept
        set schedule "always"
        set logtraffic all
        set utm-status enable
        set ssl-ssh-profile "no-inspection"
        set comments "test"
    next
end
Simple ZTNA policy:
config firewall policy
    edit 1
        set name "test-ztna-policy"
        set uuid d23e242-2323-51eb-4908-mfkafdam32
        set srcintf "wan1"
        set dstintf "any"
        set action accept
        set srcaddr "all"
        set dstaddr "test-ztna-vip1"
        set schedule "always"
        set logtraffic all
        set nat enable
        set ippool enable
        set poolname "IP-pool1"
        set ssl-ssh-profile "no-inspection"
        set comments "test"
    next
end
With either policy in place, the ZTNA traffic log shows the session ending with action "timeout":
7: date=2023-05-10 time=12:37:55 eventtime=1673375875370252428 tz="-0800" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=192.168.1.100 srcname="ztna-client" srcport=43662 srcintf="wan1" srcintfrole="undefined" dstcountry="Reserved" srccountry="Reserved" dstip=172.16.200.207 dstport=443 dstintf="port1" dstintfrole="undefined" sessionid=326 service="HTTPS" proxyapptype="http" proto=6 action="timeout" policyid=1 policytype="proxy-policy" poluuid="3fa4111a-9111-51ed-e13e-de70d4b9da58" policyname="ztna2_rule1" duration=64 gatewayid=1 vip="test-ztna-vip1" accessproxy="ztna_server_http1" clientdeviceid="07B75C6BFC144D558299C7846E543AF7" clientdeviceowner="user2" clientdevicemanageable="manageable" clientdevicetags="MAC_EMS7_ZTNA_all_registered_clients/EMS7_ZTNA_all_registered_clients/Windows" emsconnection="online" wanin=0 rcvdbyte=0 wanout=0 lanin=1692 sentbyte=1692 lanout=32637 fctuid="07B75C6BFC144D558299C7846E543AF7" unauthuser="fosqa" unauthusersource="forticlient" appcat="unscanned"
To resolve this, disable allow-traffic-redirect with the commands below. This setting lives under config system global, so the change applies to the whole FortiGate, not only to the ZTNA policy.
config system global
    set allow-traffic-redirect disable
end
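As an added example (not part of this article and not a Fortinet tool), the check below parses FortiOS CLI output in the form shown above and flags the exact combination described here: a full or simple ZTNA policy that uses an IP pool while allow-traffic-redirect is still enabled. The sample configuration and the ZTNA VIP name passed in are constructed from the article's policies; it assumes a missing allow-traffic-redirect line means the default (enabled).

```python
# Constructed sample (not captured from a device): the article's policies, trimmed.
SAMPLE_CONFIG = """
config system global
    set allow-traffic-redirect enable
end
config firewall proxy-policy
    edit 1
        set proxy access-proxy
        set poolname "IP-pool1"
    next
end
config firewall policy
    edit 1
        set dstaddr "test-ztna-vip1"
        set ippool enable
        set poolname "IP-pool1"
    next
end
"""

def parse_config(text):
    """Parse FortiOS config/edit/set text into {table: {entry_id: {key: value}}};
    table-level 'set' lines (e.g. system global) are stored under entry_id None."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            table, entry = line[7:], None
            tables.setdefault(table, {})
        elif line.startswith("edit "):
            entry = line[5:].strip('"')
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            tables[table].setdefault(entry, {})[key] = value.strip('"')
    return tables

def find_ztna_ippool_conflicts(text, ztna_vips):
    """Return (table, entry_id) of ZTNA policies that use an IP pool while
    allow-traffic-redirect is enabled (a missing setting counts as enabled, the default)."""
    cfg = parse_config(text)
    if cfg.get("system global", {}).get(None, {}).get("allow-traffic-redirect") == "disable":
        return []
    hits = []
    for eid, pol in cfg.get("firewall proxy-policy", {}).items():  # full ZTNA policy
        if pol.get("proxy") == "access-proxy" and "poolname" in pol:
            hits.append(("firewall proxy-policy", eid))
    for eid, pol in cfg.get("firewall policy", {}).items():  # simple ZTNA policy
        if pol.get("ippool") == "enable" and pol.get("dstaddr") in ztna_vips:
            hits.append(("firewall policy", eid))
    return hits
```

Feed it the output of show system global, show firewall proxy-policy and show firewall policy, plus the names of your ZTNA VIPs; once the fix above is applied the function returns an empty list.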
Check this link for more details about simple and full ZTNA policies:
Copyright 2024 Fortinet, Inc. All Rights Reserved.