FortiPAM
FortiPAM allows you to protect, isolate and secure privileged account credentials, manage and control privileged user access, and monitor and record privileged account activity.
Jackie_T
Staff & Editor
Article Id 402474
Description

This article describes the behavior of the email approval feature when configuring FortiPAM with multiple access proxies.

Scope
FortiPAM v1.5.x, FortiPAM v1.6.x.
Solution

When FortiPAM is configured with multiple access proxies, the %%APPROVAL_LINK%% variable in the email template always points at a single access proxy VIP's external IP, by default the first one configured, regardless of which proxy the approver is able to reach.

For example, configure multiple access proxies as described in the following document: ZTNA-based FortiPAM access control

To configure the email template and the email approval feature in FortiPAM, follow this document: Approval email template

When an approver on a non-ZTNA machine selects the 'Approve' button in the email, the browser is redirected to the external IP of the first access proxy, and the request is denied because that proxy only accepts ZTNA clients.

This happens because the 'Approve' button links to the %%APPROVAL_LINK%% variable in the email template, which by default is populated with the external IP of the first access proxy VIP configured.

To control which access proxy VIP is used, configure the proxy FQDN in the FortiPAM CLI:

config web-proxy global
    set proxy-fqdn "abc.example.com"
end

With a matching DNS record, the FQDN in the example above can resolve to whichever access proxy VIP external IP the approvers need to reach, for example the one that is reachable from outside the ZTNA deployment. Verify the record before relying on it: if the FQDN resolves to an address that is not one of the configured VIP external IPs, the approval link will still fail.

The IP selection for the APPROVAL_LINK variable works as follows:

  1. If a proxy FQDN is configured, use that FQDN.
  2. If no proxy FQDN is configured:
  • Use the first public IP among the access proxy VIPs' external IPs.
  • If every access proxy VIP external IP is a private IP, use the external IP of the first (default) access proxy VIP.

Public and private IP addresses are distinguished according to RFC 1918 and RFC 1166.
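The following is an added example and not code from the article or from Fortinet. It models the selection order above as a pre-flight check: given the proxy FQDN setting and the access proxy VIPs in configuration order, it predicts which host %%APPROVAL_LINK%% will carry, and it checks that the addresses a proxy FQDN resolves to (obtained out of band, for example with dig, and passed in so the script runs offline) land on one of the configured VIP external IPs. Assumptions: "private" is taken to mean the RFC 1918 ranges only, the "default" VIP is taken to be the first one in configuration order, and the VIP names and addresses are constructed sample data from the documentation address ranges.

```python
# Added example, not from the article or from Fortinet: predict which host
# FortiPAM places in %%APPROVAL_LINK%% for a given access proxy configuration,
# following the selection order the article documents.
# Assumptions: "private" means RFC 1918 only; the "default" VIP is the first
# one in configuration order; VIP names/addresses below are constructed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

RFC1918_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def is_rfc1918(ip: str) -> bool:
    """True if ip lies in one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918_NETS)


@dataclass
class AccessProxyVip:
    """One access proxy VIP, reduced to the fields the selection depends on."""
    name: str
    extip: str


def approval_link_host(proxy_fqdn: Optional[str],
                       vips: List[AccessProxyVip]) -> Tuple[str, str]:
    """Return (host, reason) for the host APPROVAL_LINK will use.

    Order, as documented: 1) proxy-fqdn when set; 2) the first VIP whose
    external IP is public; 3) otherwise the first VIP in configuration
    order (assumed here to be what the article calls the default VIP).
    """
    if proxy_fqdn:
        return proxy_fqdn, "proxy-fqdn is configured"
    if not vips:
        raise ValueError("no access proxy VIPs configured")
    for vip in vips:
        if not is_rfc1918(vip.extip):
            return vip.extip, f"first public external IP ({vip.name})"
    return vips[0].extip, f"all external IPs are private; first VIP ({vips[0].name})"


def fqdn_points_at_vip(resolved_ips: List[str],
                       vips: List[AccessProxyVip]) -> Optional[str]:
    """Given the addresses the proxy FQDN resolves to (looked up out of band,
    e.g. with dig), return the name of the VIP it lands on, or None if it
    matches no configured external IP. Passing addresses in keeps this offline.
    """
    extips = {vip.extip: vip.name for vip in vips}
    for ip in resolved_ips:
        if ip in extips:
            return extips[ip]
    return None


# Constructed sample configuration (documentation address ranges, not real hosts).
SAMPLE_VIPS = [
    AccessProxyVip("ztna-internal", "10.10.10.5"),    # only reachable over ZTNA
    AccessProxyVip("ztna-external", "203.0.113.20"),  # reachable from the internet
]

if __name__ == "__main__":
    host, why = approval_link_host(None, SAMPLE_VIPS)
    print(f"without proxy-fqdn: {host} ({why})")
    host, why = approval_link_host("abc.example.com", SAMPLE_VIPS)
    print(f"with proxy-fqdn:    {host} ({why})")
    print("FQDN lands on VIP:", fqdn_points_at_vip(["203.0.113.20"], SAMPLE_VIPS))
```

Run it against the VIP list exported from the real configuration; if the predicted host is an address that approvers outside ZTNA cannot reach, set proxy-fqdn and make the DNS record resolve to the external IP that fqdn_points_at_vip reports as a configured VIP.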
