Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
SAJUDIYA
Staff
Staff

Created on ‎01-03-2024 09:49 PM Edited on ‎09-29-2025 11:13 AM By Moderator

Article Id 292350

Troubleshooting Tip: ZTNA traffic denied because of failed to match a proxy-policy

Description

This article describes that ZTNA policy does not match after configuring the ZTNA firewall or proxy policy with ZTNA Tags:
'Policy restriction! No policy matched! No end-point info found'.

 

diagnose wad dev query-by uid <uid> <EMS Serial number> 00000000000000000000000000000000 <----- The output may take 20 seconds to be displayed with only the text 'Response termination due to no more data'.
Scope FortiGate v7.0 and above.
Solution
  1. Check with 'diagnose test application fcnacd 7' to confirm if there are user details shown. In this case, the user details are missing as below:
  • UID: 9D8B00xxxxxxxxxxxxxxxxxxxxxxx
  • EMS Fabric ID: FCTEMSxxxxxxx:00000000000000000000000000000000
  • Domain:
  • User:
  • Owner:
  • Certificate SN:

 

  1. Verify 'diagnose wad dev query-by uid <uid> <EMS Serial number> 00000000000000000000000000000000'.

  2. If the output shows null, it means the FortiGate cannot communicate with the FortiClient EMS using the Security Fabric connector or there is no record of this endpoint in the FortiClient EMS.

  3. In this situation, try disabling the EMS connector, deleting the FortiGate from FortiClient EMS Fabric devices if not done automatically, then re-enabling the connector and reauthorizing it.

  4. If the issue is still there, there may be a stale/corrupt entry in FortiGate CMDB that may be causing the issue. To resolve that, disable the EMS connector from current ID, and configure it on another available ID.

  5. Remove the ZTNA Tags from firewall policies, and delete the ones associated with the previous EMS ID with the command below: diagnose endpoint tags remove-by-id.

  6. Add the correct ZTNA tags that are associated with the new EMS Connector to the proxy policy.

  7. In certain configurations, it is recommended to use the Full ZTNA policy instead of the Simple ZTNA policy. The Full ZTNA policy provides more granular access control by allowing decisions based on the destination interface or the real server’s destination address - capabilities that are limited or unavailable in the Simple ZTNA policy. Refer to FortiGate 7.4.0 new features for more information. 

  8. If using older version like 7.2.x, restarting processes like fcnacd and wad can also help resolve the issue. Technical Tip: How to restart/kill one or several processes on the FortiGate with CLI commandsTechnical Tip: Using the 'diagnose sys top' CLI command.

 

e.g. if the process ID for fcnacd is 172 and that for wad is 186 (found from diag sys top command), the following commands can be run to restart both processes:

 

diag sys kill <signal> <process ID>

diag sys kill 11 172

diag sys kill 11 186
5777
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.