Hi EMS admins
FortiEMS 7.4.4, FortiOS 7.4.8.
Knowing that, starting from FortiOS 7.4.x, ZTNA gateway info and ZTNA apps are imported by EMS from FGT automatically.
The issue comes when my FGT is behind NAT, so my FGT WAN interface has a private IP.
So when I configure the ZTNA server on my FGT it must have the private IP of the interface, as shown below.
Then, when imported automatically by EMS, the gateway IP is the same, and it is pushed to clients as is.
So when off-fabric clients want to access a ZTNA app they use this private IP, which is not possible because they are off-fabric.
(In scenarios where the public IP is on the WAN interface all works fine).
To resolve my issue I had to manually recreate the ZTNA gateway and all ZTNA apps on EMS, which is a lot of work to do just because of this IP address, because imported gateway and apps are not editable on EMS.
Do you know any simpler way to resolve it? Like is there a way to keep the auto imported info and just replace the gateway IP by the public one?
Hi AEK,
Thanks for your post - we'll look to get you an answer as soon as we can.
If anyone reading this has any ideas, feel free to contribute!
Hi Stephen
Thanks for your support!
Hi AEK,
An idea would be to create 2 different ZTNA servers on the FGT (with private and public IP as external) and in EMS assign each one to a specific ZTNA profile (having one for each situation, on- and off-) depending on whether the client would be on-fabric or off-fabric.
Hi funkylicious
Yes, I think this workaround should work. However, at that point, if I have the choice I'd still prefer the manual method.