Bug found with new Forticlient Update! 7.2.5
Hello everybody,
regarding ZTNA, we found a bug after yesterday's FortiClient EMS 7.2.5 upgrade.
This is happening only on macOS devices.
We have a ZTNA destination profile:
On Windows devices, rules are correctly retrieved. But on macOS, I can see no destination (I have all the tags I need):
Debugging this problem, I was looking at the FortiClient ztna.log, and I found (I removed some rules for simplification):
2024-10-11T16:24:28.238 TZ=+0200 info ztna mergeCfg:{"enabled":1,"rules":[{"name":"EMS","mode":"transparent","enabled":0,"destination":"10.1.0.217:3389","gateway":"ztna.ntditalia.com:13389","encryption":1,"local_port":"7788","type":"private"},{"name":"VMAgostini","mode":"transparent","enabled":0,"destination":"10.1.0.215:3389","gateway":"ztna.ntditalia.com:13389","encryption":1,"local_port":"7788","type":"private"}],"portals":null,"gateways":null,"notify_on_error":1,"portals_enabled":1,"gateways_enabled":1}
2024-10-11T16:24:57.148 TZ=+0200 info ztna sync portal select portal err:errPortalNotExisted
If we look at these logs, the rules are found, but are not enabled (enabled is 0).
In fact, if I look at the ztnaconfig.json:
{"enabled":1,"rules":[]}
If I manually add my destinations inside the rules array, I can reach them correctly. So, the problem is that FortiClient can't correctly receive the rules (am I wrong?). The only error I can see is "info ztna sync portal select portal err:errPortalNotExisted".
What does it mean? I can't find anything regarding this error. This only happens on macOS systems.
Thank you!
Labels: FortiClient EMS, ZTNA
I solved the problem. The solution was to manually create the XML ZTNA configuration. I had to shift down the "gateways" tag in order for it to be correctly recognized by FortiClient on macOS.
Hi There,
I hope your issue is resolved by now.
Thanks,
No, it's not.
I investigated the problem and I think it is simply a bug.
Looking at the XML configuration of the ZTNA:
<forticlient_configuration>
  <ztna>
    <allow_personal_rules>1</allow_personal_rules>
    <gateways uid="E26376A0-8370-4CFF-B5B6-1B6392F0D512">
      <alias>ZTNA</alias>
      <addr>ztna.ntditalia.com:13389</addr>
      <redirect>1</redirect>
      <rules uid="ED97CC71-E402-4A25-9B1C-01D7E29A8DDF">
        <name>EMS</name>
        <type>private</type>
        <destination>10.1.0.217:3389</destination>
        <encryption>1</encryption>
        <enabled>1</enabled>
        <mode>transparent</mode>
        <local_port>7788</local_port>
      </rules>
      <rules uid="2D866340-9E8D-4CF3-A0C0-1200C546C56E">
        <name>VMAgostini</name>
        <type>private</type>
        <destination>10.1.0.215:3389</destination>
        <encryption>1</encryption>
        <enabled>1</enabled>
        <mode>transparent</mode>
        <local_port>7788</local_port>
      </rules>
    </gateways>
    <notify_on_error>1</notify_on_error>
    <enabled>1</enabled>
    <gateways_enabled>1</gateways_enabled>
    <portals_enabled>0</portals_enabled>
    <disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>
    <rules>
      <rule uid="ED97CC71-E402-4A25-9B1C-01D7E29A8DDF">
        <name>EMS</name>
        <type>private</type>
        <app_uid>43d246a131aed47e7c733b0fecab70c0</app_uid>
        <allow_all_gateways>0</allow_all_gateways>
        <mask/>
        <encryption>1</encryption>
        <mode>transparent</mode>
        <destination>10.1.0.217:3389</destination>
        <local_port>7788</local_port>
        <gateway>ztna.ntditalia.com:13389</gateway>
        <redirect>1</redirect>
      </rule>
      <rule uid="2D866340-9E8D-4CF3-A0C0-1200C546C56E">
        <name>VMAgostini</name>
        <type>private</type>
        <app_uid>bcd3fa59a2e38084e53b76fbe619630a</app_uid>
        <allow_all_gateways>0</allow_all_gateways>
        <mask/>
        <encryption>1</encryption>
        <mode>transparent</mode>
        <destination>10.1.0.215:3389</destination>
        <local_port>7788</local_port>
        <gateway>ztna.ntditalia.com:13389</gateway>
        <redirect>1</redirect>
      </rule>
    </rules>
    <disabled_rules/>
  </ztna>
  <endpoint_control>
    <ui>
      <display_ztna>1</display_ztna>
    </ui>
  </endpoint_control>
</forticlient_configuration>
{
  "enabled": 1,
  "rules": [
    {
      "name": "EMS",
      "mode": "transparent",
      "enabled": 0,
      "destination": "10.1.0.217:3389",
      "gateway": "ztna.ntditalia.com:13389",
      "encryption": 1,
      "local_port": "7788",
      "type": "private"
    },
    {
      "name": "VMAgostini",
      "mode": "transparent",
      "enabled": 0,
      "destination": "10.1.0.215:3389",
      "gateway": "ztna.ntditalia.com:13389",
      "encryption": 1,
      "local_port": "7788",
      "type": "private"
    }
  ],
  "portals": null,
  "gateways": null,
  "notify_on_error": 1,
  "portals_enabled": 0,
  "gateways_enabled": 1
}
<forticlient_configuration>
  <ztna>
    <allow_personal_rules>1</allow_personal_rules>
    <gateways uid="E26376A0-8370-4CFF-B5B6-1B6392F0D512">
      <alias>ZTNA</alias>
      <addr>ztna.ntditalia.com:13389</addr>
      <redirect>1</redirect>
      <rules uid="ED97CC71-E402-4A25-9B1C-01D7E29A8DDF">
        <name>EMS</name>
        <type>private</type>
        <destination>10.1.0.217:3389</destination>
        <encryption>1</encryption>
        <enabled>1</enabled>
        <mode>transparent</mode>
        <local_port>7788</local_port>
      </rules>
      <rules uid="2D866340-9E8D-4CF3-A0C0-1200C546C56E">
        <name>VMAgostini</name>
        <type>private</type>
        <destination>10.1.0.215:3389</destination>
        <encryption>1</encryption>
        <enabled>1</enabled>
        <mode>transparent</mode>
        <local_port>7788</local_port>
      </rules>
    </gateways>
    <notify_on_error>1</notify_on_error>
    <enabled>0</enabled>
    <gateways_enabled>1</gateways_enabled>
    <portals_enabled>0</portals_enabled>
    <disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>
    <disabled_rules/>
  </ztna>
  <endpoint_control>
    <ui>
      <display_ztna>1</display_ztna>
    </ui>
  </endpoint_control>
</forticlient_configuration>
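As an added diagnostic (not code from this thread or from Fortinet), the check below parses the mergeCfg line of a ztna.log together with the EMS XML and reports exactly the mismatch these posts describe: rules EMS pushed with enabled=1 that the client merged with enabled=0, a null gateways list while gateways_enabled is 1, and the errPortalNotExisted line. The log sample, the XML fragment, the uids and the gateway host are constructed placeholders.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample in the ztna.log shape quoted above (gateway host is a placeholder).
ZTNA_LOG = (
    '2024-10-11T16:24:28.238 TZ=+0200 info ztna mergeCfg:{"enabled":1,"rules":[{"name":"EMS",'
    '"mode":"transparent","enabled":0,"destination":"10.1.0.217:3389","gateway":"ztna.example.test:13389",'
    '"encryption":1,"local_port":"7788","type":"private"}],"portals":null,"gateways":null,'
    '"notify_on_error":1,"portals_enabled":1,"gateways_enabled":1}\n'
    '2024-10-11T16:24:57.148 TZ=+0200 info ztna sync portal select portal err:errPortalNotExisted\n'
)
# Constructed EMS XML in the shape posted above (uids and host are placeholders).
EMS_XML = """<forticlient_configuration><ztna><gateways uid="GW-PLACEHOLDER">
<alias>ZTNA</alias><addr>ztna.example.test:13389</addr><rules uid="RULE-PLACEHOLDER">
<name>EMS</name><destination>10.1.0.217:3389</destination><enabled>1</enabled></rules>
</gateways><enabled>1</enabled><gateways_enabled>1</gateways_enabled></ztna></forticlient_configuration>"""
MERGE_RE = re.compile(r"\bmergeCfg:(\{.*\})\s*$")

def parse_merged_cfg(log_text):
    # Return the last mergeCfg JSON object the client logged, or None.
    cfg = None
    for line in log_text.splitlines():
        m = MERGE_RE.search(line)
        if m:
            cfg = json.loads(m.group(1))
    return cfg

def ems_rule_state(xml_text):
    # Map rule name -> enabled flag as EMS pushed it under <gateways>.
    root = ET.fromstring(xml_text)
    return {r.findtext("name"): r.findtext("enabled") == "1"
            for gw in root.iter("gateways") for r in gw.findall("rules")}

def find_mismatches(log_text, xml_text):
    # Rules EMS pushed as enabled that the client merged as disabled, plus the
    # null-gateways and portal-selection symptoms reported in this thread.
    cfg = parse_merged_cfg(log_text)
    if cfg is None:
        return ["no mergeCfg line found in ztna.log"]
    expected = ems_rule_state(xml_text)
    findings = []
    for r in cfg.get("rules") or []:
        if expected.get(r.get("name")) and not r.get("enabled"):
            findings.append(f"rule {r['name']!r}: EMS enabled=1 but client merged enabled=0")
    if cfg.get("gateways_enabled") and cfg.get("gateways") is None:
        findings.append("gateways_enabled=1 but merged gateways is null")
    if "errPortalNotExisted" in log_text:
        findings.append("client logged errPortalNotExisted while selecting a portal")
    return findings
```

Run it against a real ztna.log and the XML exported from EMS; an empty list means the client merged the rules as EMS sent them.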
As you can see, the problem is that, whatever the configuration, the destinations arrive with the enabled parameter set to 0.
Hello! We're having the exact same issue...but I don't quite understand your fix. Could you give me a little more info/detail on what you meant by "shift down the 'gateways' tag"? Thanks!!!
Don't know if you still have this problem - try an EMS upgrade to 7.2.9; for me it worked.
Hi, I had exactly the same problem.
EMS server was 7.2.8
- my macOS clients didn't even receive ZTNA rules
- when I upgraded macOS clients to 7.2.9, they saw rules, but still had the problem with null gateways and connection problems
My solution was to upgrade the EMS server to 7.2.9; then, after the client update, everything was fixed and macOS clients are able to connect again. After the upgrade there was a problem with the current tokens on the FortiGate, but you can either wait or delete them to receive new ones.
I was looking at the release notes and didn't find any mention of this problem :(
