Fortinet Forum
lamkayiu
New Contributor

FortiGate ZTNA tag added in policy, SSL VPN cannot access local LAN

Dear All

 

I just purchased EMS last week and finished the setup; everything seems fine on the EMS server. I want to use EMS ZTNA to control SSL VPN users so that only those matching a zero trust tag can access the LAN server. When I added the tag, my SSL VPN could not access my local LAN; when I removed it, everything was fine. Am I missing a step, or is something set up incorrectly?

 

Resolved Address can see my VPN IP

lamkayiu_7-1649323771907.png

View matched endpoints shows my laptop, but it still shows 0 when I hover the mouse over it.

lamkayiu_0-1649324819461.png

lamkayiu_1-1649324901354.png

Firewall policy with tag added: cannot access LAN server

lamkayiu_6-1649323657937.png

Tag removed: everything fine

lamkayiu_9-1649324058923.png

Connection is OK

lamkayiu_0-1649324525584.png


I can view all zero trust tags in the EMS portal

lamkayiu_0-1649323033935.png

lamkayiu_3-1649323236572.png

 

Created a new tag "Test" and the FortiGate also shows it

lamkayiu_1-1649323092799.png


13 Replies
Debbie_FTNT
Staff

Hey lamkayiu,

You can use EMS tags on VPN policies.

However, you need to make sure the following is in place:
-> the EMS tag is associated with the tunnel IP, not only the local LAN IP of the client
-> if you have no split tunneling, the FortiClient must be able to reach EMS through the VPN tunnel

 

I have a functioning setup with the following:

- one policy from VPN to DNS and no tag (client needs to be able to resolve EMS FQDN before reaching EMS)
- one policy from VPN to EMS and no tag (client needs to connect to EMS first through VPN tunnel before getting updated tags)
- one default policy from VPN to local LAN and tags set

If FortiGate does not associate the tunnel IP with the tags (and it can only do that when EMS associates the tags with tunnel IP as well), then no access is possible.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
lamkayiu

Hi Debbie

I have tried both full access and split tunneling, with the same result.

Any screen captures for the setup below? I am very new to FortiGate.

- one policy from VPN to DNS and no tag (client needs to be able to resolve EMS FQDN before reaching EMS)

VPN to DNS: what is the outgoing interface?

- one policy from VPN to EMS and no tag (client needs to connect to EMS first through VPN tunnel before getting updated tags)

Same as above: what is the outgoing interface?

lamkayiu

Hi Debbie

 

Thanks for your detailed guide. I just followed it and still cannot reach my local LAN with the tag.

lamkayiu_0-1649730611749.png

Following your guide to create the policies, and there is traffic:

lamkayiu_1-1649730767187.png

The EMS web portal can see the tag; I am using "test" (which = Windows 10) for testing.

lamkayiu_2-1649730876972.png

But I cannot see any tag in my VPN client. Is that the root cause?

lamkayiu_3-1649730927857.png

Debbie_FTNT

To see the tags on the client itself, you have to enable this in the EMS profile for the endpoint under Advanced > System Settings:

Debbie_FTNT_0-1649751735492.png

But that only makes the tags visible on the endpoint, so you can verify there that it has the tags.

The policy being applied or not is still up to the FortiGate.
If you have all that configuration in place but the issue persists, I would suggest opening a ticket with Technical Support to get some more in-depth assistance, beyond what I can offer in the Forums here.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
lamkayiu

Hi Debbie

 

Just found out the root cause: firewall version 7.0.5 had a bug. Need to wait for the 7.0.6 release.

lamkayiu_1-1650347611032.png

 

lamkayiu_0-1650347559548.png

abc
New Contributor

Are you sure this works? We are trying to do the same thing and having the exact same issue.

I can see the tag has been applied fine to the client using the tunnel IP, but no traffic is being allowed.

There are policies above this that allow EMS traffic along with DNS etc.

I have even tried a generic tag that matches all machines. The machine in question shows up in the list but still can't access resources.

lamkayiu
New Contributor

Hi

 

We are still trying but still have not fixed this issue. How about you?

Debbie_FTNT

Some screenshots from my lab:
policies (the third one with VPN tag):

Debbie_FTNT_0-1649674639268.png

win-server-2016 (10.0.0.200) is hosting the EMS

win-server-2019 (10.0.0.254) is a DNS server (to resolve EMS hostname to EMS IP)

Endpoint and Tag:

Debbie_FTNT_3-1649676555660.png

 

Debbie_FTNT_2-1649676538661.png

Debbie_FTNT_5-1649676761377.png

Traffic through policy 11 (ping from VPN client to 10.0.0.254):

Debbie_FTNT_1-1649676514283.png

I do have to wait a minute or two for EMS to have the updated client IP after VPN is established; then my VPN client is able to access resources through a policy with tags.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
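Added example, not from Debbie's lab or from anyone in this thread: the three-policy ordering she describes (VPN to DNS without tag, VPN to EMS without tag, VPN to local LAN restricted by an EMS tag) written out as FortiOS 7.0 CLI. The EMS host 10.0.0.200 and DNS host 10.0.0.254 are the ones from her screenshots; the interface names ssl.root and port2, the LAN subnet, the address objects, the user group SSLVPN_USERS, the policy IDs and the EMS-tag address name FCTEMS_ZTNA_Test are assumptions and placeholders to be replaced with your own.

```fortios
# Added example (not the thread's own config). Names marked "assumed" or
# "placeholder" must be adapted to the local FortiGate.

config firewall service custom
    edit "EMS-TELEMETRY"
        set tcp-portrange 8013          # FortiClient telemetry port to EMS
    next
end

config firewall address
    edit "EMS_SERVER"
        set subnet 10.0.0.200 255.255.255.255   # EMS host from the lab screenshots
    next
    edit "DNS_SERVER"
        set subnet 10.0.0.254 255.255.255.255   # DNS host from the lab screenshots
    next
    edit "LOCAL_LAN"
        set subnet 10.0.0.0 255.255.255.0       # assumed LAN subnet
    next
end

config firewall policy
    # 1) VPN -> DNS, no tag: the client must resolve the EMS FQDN first.
    edit 1
        set name "SSLVPN-to-DNS"
        set srcintf "ssl.root"                  # SSL VPN tunnel interface
        set dstintf "port2"                     # assumed LAN-facing interface
        set srcaddr "SSLVPN_TUNNEL_ADDR1"       # default SSL VPN tunnel IP pool
        set dstaddr "DNS_SERVER"
        set groups "SSLVPN_USERS"               # assumed SSL VPN user group
        set action accept
        set schedule "always"
        set service "DNS"
        set nat disable
    next
    # 2) VPN -> EMS, no tag: the client must register over the tunnel so EMS
    #    learns the tunnel IP and pushes the updated tag membership to FortiGate.
    edit 2
        set name "SSLVPN-to-EMS"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "EMS_SERVER"
        set groups "SSLVPN_USERS"
        set action accept
        set schedule "always"
        set service "HTTPS" "EMS-TELEMETRY" "PING"
        set nat disable
    next
    # 3) VPN -> local LAN, source restricted to the EMS-tag dynamic address.
    #    FortiGate only matches this once it associates the client's tunnel IP
    #    with the tag; the address name below is a placeholder.
    edit 3
        set name "SSLVPN-to-LAN-tagged"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "FCTEMS_ZTNA_Test"          # placeholder EMS-tag address object
        set dstaddr "LOCAL_LAN"
        set groups "SSLVPN_USERS"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
```

The order matters: the two untagged policies sit above the tagged one so a freshly connected client can resolve and reach EMS from its tunnel IP before any tag-restricted access is attempted, which is also why a minute or two of delay after connecting is normal. To check the FortiGate side rather than the EMS portal, `diagnose firewall dynamic list` on FortiOS 7.0 lists the IPs currently associated with each EMS-tag address; if the client's tunnel IP is absent there, policy 3 cannot match no matter what the portal shows.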
abc

Thanks Debbie. In your tag rules, are you simply using the subnet of the tunnel, i.e. 10.202.134.0/24?