lamkayiu
New Contributor

Fortigate ZTNA Tag added in policy, SSLVPN cannot access local LAN

Dear All

I just purchased EMS last week and the setup is finished; everything seems fine on the EMS server. I want to use EMS ZTNA to control SSL VPN users so that only those matching a zero trust tag can access the LAN server. When I added the tag, my SSL VPN could no longer access my local LAN; after removing it, everything is fine. Is there any step I am missing, or an incorrect setup?

Resolved Address can see my vpn ip

lamkayiu_7-1649323771907.png

View matched endpoint can see my laptop, but it still shows 0 when I move the mouse over it.

lamkayiu_0-1649324819461.png

lamkayiu_1-1649324901354.png

Firewall policy added tag - cannot access lan server

lamkayiu_6-1649323657937.png

Removed the tag, everything is fine

lamkayiu_9-1649324058923.png

Connection is ok

lamkayiu_0-1649324525584.png

I can view all zero trust tags at the EMS portal

lamkayiu_0-1649323033935.png

lamkayiu_3-1649323236572.png

Created a new tag "Test" and the FortiGate also shows it

lamkayiu_1-1649323092799.png

1 Solution
Debbie_FTNT

To see the tags on the client itself, you have to enable this in the EMS profile for the endpoint under Advanced > System Settings:

Debbie_FTNT_0-1649751735492.png

But that only makes the tags visible on the endpoint, so you can verify there that it has the tags.

The policy being applied or not is still up to the FortiGate.
If you have all that configuration in place but the issue persists, I would suggest opening a ticket with Technical Support to get some more in-depth assistance, beyond what I can offer in the Forums here.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++

abc
New Contributor

Strange one on my end. I disabled all the firewall policies that had ZTNA tags, re-enabled them, and they are working!!

Debbie_FTNT

Hey abc,

Yes I am - this is an offshoot of a lab I set up for ZTNA, and I just needed very simple tags I could match or not, so the tags I have set are just based off IP range.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Ronny

We also have the problem in a production environment. The tags for SSL VPN and IPSEC VPN are simply not synchronized. A side effect is that the Fortigate is also regularly out of sync.

KK_PRL


@Debbie_FTNT wrote:

...

I do have to wait a minute or two for EMS to have the updated client IP after VPN is established; then my VPN client is able to access resources through a policy with tags.


Hello,

I have made the same setup and it works, but the wait of up to 2 minutes until the tag is assigned is annoying. Is it possible to shorten the waiting time? We use FortiClient and EMS 7.2.3.

martin28
New Contributor

Hello,

It is a known bug that FortiClient cannot get the VPN IP address correctly; we will have to wait for another release to fix this bug.
