Hi everyone,
We've recently started migrating a few services behind a proxy address using FortiEMS tags. Most of these services are simply websites (HTTPS), and about 95% of the resources work as expected. Since we are also using FortiManager for global firewall management, I had the idea to implement a similar setup.
On the EMS, I've created a few tags (such as Admin workstation, specific IP range/address, etc.). On the FortiGate, we set up a ZTNA server (HTTPS) with the FortiManager IP as the real server and created the corresponding ZTNA policy with tag filtering.
So far, so good. Accessing the FortiManager works as expected—the login page displays correctly, and logging in with local or SAML credentials works seamlessly. However, once I enter any ADOM, while I can see the number of managed FortiGates, nothing is displayed. No FortiGates show up in the managed view, and there's no access to logs (separate FAZ).
Interestingly, I can see our managed FAZ within the ADOM as a device. Am I missing something? Does this solution even work as intended? If anyone has any ideas or input, it would be greatly appreciated.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi Patrick,
Ideally it ADOM also accessible if you can access the fortimanager.
Does the FMG accessible and ADOM working if you access without ZTNA proxy ?
Have you tried to different client machine and to looks like an application level issue?
In EMS as destination-defined as URL or IP
Thanks
Madhav Solanki
Yep - If we try to access that FMG through its public vip or directly using it's private ip everything works like expected. Tried on MAC and Windows - same behavior as soon we try to secure that access on a ZTNA server. So my unterstand is that it must be an issue with FortiManager and ZTNA Proxy ... though it does't make sense that just some modules and feature do not work.
What I've tried as well was to offload that traffic to http (means that we enabled http access on that FMG interface) ... funny fact - it does work (I see all devices, logs etc.)
EMS destination was defined as IP and URL - same thing as long I keep using HTTPS as Type.
We have done something similar recently, however are using Azure Application Proxy in front of the FMG (7.4.5). We experience the same thing - entering an ADOM shows no devices.
If instead we go throught a direct IP link to FMG and log into the ADOM, all devices appear in the ADOM.
Same thing is happening in FAZ 7.4.5
Funny thing ... at least for me -> I upgraded our FortiGate to FortiOS 7.4.5 and made no changes to the config itself. After upgrading I've noticed that suddenly it does work :)
btw our FortiManager/Analyzer is currently at 7.4.5.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1105 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.