We recently deployed ZTNA via FortiClient/FortiClient EMS, and we can now access internal resources without connecting to the SSL or IPsec VPN, which is really slick. However, we are interested in being able to access resources behind a site-to-site VPN tunnel that exists on the FortiGate. From what I can tell, this doesn't seem to be possible. Has anyone found a way to get this to work?
Yes, it is possible; I remember we achieved it at one point.
But can you remind me what the problem is exactly?
As far as I remember, we discovered that the ZTNA traffic was forwarded by the FGT using the mgmt interface's IP address, even though our mgmt interface was link-down (unused).
There was no way to NAT the traffic from the proxy rule (type: ZTNA).
I tried to assign an IP address to the IPsec tunnel, but the FGT still always used the mgmt IP.
I tried to change the mgmt IP to 0.0.0.0 and forced it down; then the FGT used the WAN IP! I can't understand how it is designed.
The only workaround we found was to set the IP address of the mgmt interface to a valid IP address; then on the other side of the tunnel we just added a route back towards that IP through the tunnel. And that's it, it worked just fine.
Hope it helps.
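As an added illustration of the workaround described in the post above (this is not configuration from the original thread or from Fortinet documentation), here is what it looks like on both FortiGates. The interface names, tunnel names and addresses are assumptions chosen for the example; substitute your own.

```fortios
# Added example, not from the original posts. All names and addresses are assumed:
#   Site A (FortiGate running the ZTNA access proxy): mgmt port "mgmt", IPsec tunnel "to-siteB"
#   Site B (remote FortiGate):                        IPsec tunnel "to-siteA", LAN "lan" = 10.20.0.0/24
#   10.255.0.1 is the valid, unique address given to the otherwise unused mgmt port at site A.

### Site A

# 1. Give the link-down mgmt port a valid IP. Per the thread, this is the address
#    the FortiGate uses as source for ZTNA-proxied traffic sent into the tunnel.
config system interface
    edit "mgmt"
        set ip 10.255.0.1 255.255.255.0
    next
end

# 2. Route the remote LAN over the tunnel interface.
config router static
    edit 0
        set dst 10.20.0.0 255.255.255.0
        set device "to-siteB"
    next
end

# 3. Caveat: if phase 2 selectors are narrowed (not 0.0.0.0/0), the mgmt address must
#    be covered by the local selector, or the tunnel drops the proxied packets.
#    Mirror the selectors at site B.
config vpn ipsec phase2-interface
    edit "to-siteB-p2"
        set phase1name "to-siteB"
        set src-subnet 10.255.0.1 255.255.255.255
        set dst-subnet 10.20.0.0 255.255.255.0
    next
end

### Site B

# 4. Return route for the site A mgmt address back through the tunnel, so replies
#    to the proxied sessions do not follow the default route instead.
config router static
    edit 0
        set dst 10.255.0.1 255.255.255.255
        set device "to-siteA"
    next
end

# 5. Policy allowing the proxied traffic from the tunnel into the LAN.
config firewall policy
    edit 0
        set name "ztna-from-siteA"
        set srcintf "to-siteA"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

### Verification at site A
# Open a ZTNA session to a host in 10.20.0.0/24, then capture on the tunnel interface.
# The source address of the captured packets should be 10.255.0.1; if it is the WAN
# or another interface address instead, the mgmt IP was not picked up.
diagnose sniffer packet to-siteB 'net 10.20.0.0/24' 4 10
get router info routing-table all
```

The sniffer check is the quickest way to see which interface address the FortiGate actually selected as source, which is the whole question in this thread; run it before touching the remote side so you know what address the return route must point at.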
Created on 02-21-2025 04:26 AM, edited on 02-21-2025 04:27 AM
Hi @AEK
That's the expected behavior. If a tunnel does not have an IP address assigned, it takes the IP address of the interface with the lowest index number.
Hi Prakash,
But as far as I remember, I had already tried to set an IP for the tunnel and it didn't work.
Copyright 2025 Fortinet, Inc. All Rights Reserved.