FortiGate
SAJUDIYA
Staff
Article Id 292350
Description

This article describes the case where a ZTNA policy does not match after a ZTNA firewall or proxy policy has been configured with ZTNA tags, and the following message is logged:
'Policy restriction! No policy matched! No end-point info found'.


diagnose wad dev query-by uid <uid> <EMS Serial number> 00000000000000000000000000000000 <----- The output may take 20 seconds to be displayed, and shows only the text 'Response termination due to no more data'.

Scope
FortiGate v7.0 and above.
Solution
  1. Run 'diagnose test application fcnacd 7' to confirm whether user details are shown for the endpoint. In this case, the user details are missing, as below:
  • UID: 9D8B00xxxxxxxxxxxxxxxxxxxxxxx
  • EMS Fabric ID: FCTEMSxxxxxxx:00000000000000000000000000000000
  • Domain:
  • User:
  • Owner:
  • Certificate SN:


  2. Verify with 'diagnose wad dev query-by uid <uid> <EMS Serial number> 00000000000000000000000000000000'.

  3. If the output is null, the FortiGate cannot communicate with FortiClient EMS through the Security Fabric connector, or FortiClient EMS has no record of this endpoint.

  4. In that case, disable the EMS connector, delete the FortiGate from the FortiClient EMS Fabric devices list if it is not removed automatically, then re-enable the connector and reauthorize it.

  5. If the issue persists, a stale or corrupt entry in the FortiGate CMDB may be the cause. To resolve this, disable the EMS connector on its current ID and configure it on another available ID.

  6. Remove the ZTNA tags from the firewall policies, then delete the tags associated with the previous EMS ID with the command: diagnose endpoint tags remove-by-id.

  7. Add the correct ZTNA tags, the ones associated with the new EMS connector, to the proxy policy.
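As an added check for step 1 (example code written for this page, not part of the Fortinet article or any Fortinet tool): a small Python parser that reads the output of 'diagnose test application fcnacd 7' and lists the endpoints whose record has no Domain, User, Owner or Certificate SN, which is exactly the condition behind 'No end-point info found'. It assumes the output is a series of 'Key: value' lines with a blank line between endpoints, as in the excerpt above; the sample output and its UIDs are constructed.

```python
import re

# Fields that must be populated for a ZTNA tag match to succeed.
REQUIRED = ("Domain", "User", "Owner", "Certificate SN")

# Constructed sample in the shape of the article's excerpt (assumed layout: one
# 'Key: value' line per field, blank line between endpoints). First record is broken.
SAMPLE = """\
UID: 9D8B00AAAAAAAAAAAAAAAAAAAAAAAAAA
EMS Fabric ID: FCTEMS0000000000:00000000000000000000000000000000
Domain:
User:
Owner:
Certificate SN:

UID: 1A2B3CBBBBBBBBBBBBBBBBBBBBBBBBBB
EMS Fabric ID: FCTEMS0000000000:11111111111111111111111111111111
Domain: example.local
User: alice
Owner: alice
Certificate SN: 0123ABCD
"""


def parse_records(text: str) -> list[dict[str, str]]:
    """Split the diagnose output into one {field: value} dict per endpoint."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():  # a blank line ends the current record
            if current:
                records.append(current)
                current = {}
            continue
        m = re.match(r"^\s*([^:]+?):\s*(.*)$", line)
        if m:  # value may itself contain ':' (EMS Fabric ID), hence non-greedy key
            current[m.group(1).strip()] = m.group(2).strip()
    if current:
        records.append(current)
    return records


def endpoints_missing_info(text: str) -> dict[str, list[str]]:
    """Return {uid: [empty required fields]} for endpoints with no EMS info."""
    missing = {}
    for rec in parse_records(text):
        empty = [f for f in REQUIRED if not rec.get(f)]
        if empty:
            missing[rec.get("UID", "<no UID>")] = empty
    return missing
```

Any UID the function reports is a candidate for the connector checks in steps 2 to 5; a healthy endpoint populates all four fields and is not listed.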