cain38
New Contributor

FortiClient ZTNA

We recently deployed ZTNA via FortiClient/FortiClient EMS and we can now access internal resources without connecting to SSL or IPSEC VPN which is really slick. However, we are interested in being able to access resources behind a site-to-site VPN tunnel that exists on the Fortigate. From what I can tell, this doesn't seem to be possible or has anyone found a way to get this to work?

AEK
SuperUser

Yes, it is possible; I remember we managed to achieve it one day.

But can you remind me what is the problem exactly?

AEK

AEK
SuperUser

As far as I remember, we discovered that the ZTNA traffic was forwarded by the FGT using the mgmt interface's IP address, even though our mgmt interface was link-down (unused).

There was no way to NAT the traffic from the proxy rule (type: ZTNA).

I tried assigning an IP address to the IPsec tunnel, but the FGT still always used the mgmt IP.

I tried changing the mgmt IP to 0.0.0.0 and forcing it down; then the FGT used the WAN IP! I can't understand how it is designed.

The only workaround we found was to set the IP address of the mgmt interface to a valid IP address, and then on the other side of the tunnel we just added a route back towards that IP through the tunnel. And that's it; it worked just fine.

Hope it helps.

AEK
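As an added illustration of the workaround described above (this is example configuration written for this page, not the thread author's own config), here is what the two ends would look like in FortiOS CLI. The tunnel interface names vpn-to-hq and vpn-to-branch, the mgmt address 10.255.0.1/24 and the remote LAN 10.20.0.0/16 are all assumptions chosen for the example.

```fortios
# Site A: the FortiGate that runs the ZTNA access proxy (assumed names/addresses).
# Give mgmt a routable address, since the proxy rule sources ZTNA traffic from it
# even when the interface itself is link-down.
config system interface
    edit "mgmt"
        set ip 10.255.0.1 255.255.255.0
    next
end

# Site A: send the remote LAN into the route-based IPsec tunnel.
config router static
    edit 0
        set dst 10.20.0.0 255.255.0.0
        set device "vpn-to-hq"
    next
end

# Site B (far end of the tunnel): host route back to the mgmt address,
# so replies to the proxied sessions return through the tunnel
# instead of following Site B's default route.
config router static
    edit 0
        set dst 10.255.0.1 255.255.255.255
        set device "vpn-to-branch"
    next
end

# Verification on Site A: sniff the tunnel interface while a ZTNA session is
# active and confirm the packets are sourced from 10.255.0.1.
# diagnose sniffer packet vpn-to-hq 'host 10.20.0.10' 4 10
```

Two caveats that the thread does not spell out but that apply to any route-based tunnel: the phase 2 selectors on both sides must cover 10.255.0.1 as a source (or be 0.0.0.0/0), and Site B needs a firewall policy from vpn-to-branch to its LAN that permits that source address, otherwise the proxied traffic is dropped silently at the far end rather than routed back.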
BJ_Prakash_Ghising

Hi @AEK,

That's the expected behavior. If a tunnel does not have an IP address assigned, it takes the IP address of the interface with the lowest index number.


AEK

Hi Prakash,

But as far as I remember, I already tried to set an IP for the tunnel and it didn't work.

AEK