AEK
SuperUser

Off-fabric client's ZTNA TAGs not synced to FortiGate

Hello ZTNA admins

FortiClient EMS 7.4.0 and FortiOS 7.2.9.

When any client is inside (on-fabric) its ZTNA TAGs are visible on FortiClient, FortiClient EMS and on FGT as well.

When I connect any client from the WAN (off-fabric) the TAGs are seen on the FortiClient and FortiClient EMS, but are never synced to FortiGate, until the client is back on-fabric again.

Any idea?

5 REPLIES
Anil_Solakoglu

Hello,

I would suggest revising the following information.

FortiOS only receives endpoint information and enforces compliance for directly connected endpoints. Directly connected endpoints have FortiGate as the default gateway.

https://docs.fortinet.com/document/forticlient/7.2.4/ems-administration-guide/584914/fortios-dynamic...

https://docs.fortinet.com/document/forticlient/7.2.4/ems-administration-guide/424036/configuring-for...

ozkanaltas
Valued Contributor III

Hello @AEK,

Based on my past experiences, if the client doesn't interact with FortiGate, FortiGate doesn't fetch tag information from EMS for that user.

I think they took such a precaution so as not to create a burden by collecting information from all users.

If you want the tags to be visible all the time, you can do the following as a workaround solution: create a ZTNA service for FortiAnalyzer, and configure this service that you created to send all the clients' logs to the analyzer. In this way, both your logs will be collected in FortiAnalyzer and the tags will be constantly updated.

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
AEK
SuperUser

Thanks Anil & Ozkan

I was pretty sure that I had already seen this limitation about directly connected clients. However, in my last ZTNA fast track FFT-ZTNA-r03-1719510429 I thought that this had changed and user "Carol" (in the fast track scenario) could use a ZTNA destination without being on the same subnet. But maybe I was wrong. Anyway, thanks for your responses.

Bjay_Prakash_Ghising

FortiClient EMS uses zero-trust tagging rules to tag endpoints based on the information that it has on each endpoint.

After the FortiGate connects to the FortiClient EMS, it automatically synchronizes ZTNA tags. FortiGate maintains a continuous connection to FortiClient EMS to synchronize endpoint device information such as FortiClient UID, client certificate SN, FortiClient EMS SN, network details (IP and MAC address), and so on.

When device information changes, such as when a client moves from on-fabric to off-fabric, or its security posture changes, FortiClient EMS updates the device information, and then updates the FortiGate.

Based on the above information, EMS automatically synchronizes the ZTNA tags regardless of off-fabric or on-fabric.

You can now check the connectivity between your FortiGate and EMS server.

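The connectivity and tag-sync checks suggested above, run from the FortiGate CLI, as an added example that is not part of the original post. The connector name EMS1 is an assumed placeholder; substitute whatever name your EMS connector has under `config endpoint-control fctems`.

```fortios
# Added example (not from the original thread): verify the FortiGate <-> EMS
# connection and confirm which endpoint records and ZTNA tags the FortiGate
# has actually received. "EMS1" is an assumed connector name.

# 1. Show the EMS connector as configured on this FortiGate.
show endpoint-control fctems

# 2. Verify the EMS server certificate and (re)authorize the connector if needed.
execute fctems verify EMS1

# 3. Test reachability from the FortiGate to the EMS server.
diagnose endpoint fctems test-connectivity EMS1

# 4. List the dynamic addresses built from EMS ZTNA tags. A client whose tags
#    were never synced will be missing from the member list of its tag.
diagnose firewall dynamic list

# 5. List the endpoint records the FortiGate holds (UID, IP, MAC, tags).
#    If the off-fabric client has no record here, the FortiGate never
#    received its information from EMS, whatever EMS itself displays.
diagnose endpoint record list
```

Run steps 4 and 5 once with the client on-fabric and once off-fabric; comparing the two outputs shows whether the record and tag membership disappear on the FortiGate side while EMS still shows the tags, which is the symptom described in the opening post.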
AEK
SuperUser

Got some help from TAC support.

I had missed setting "FortiClient Endpoint Sharing" to "Share all FortiClients" in the EMS Fabric Devices configuration.

After enabling it, the issue is now fixed.
