New Contributor

Problem with sync EMS to Fortigate ZTNA Tags

FG 7.2.8, EMS 7.2.4 and Client 7.24.

The tags are only synced when I enable/disable the EMS Fabric or run this CLI:

diagnose test application fcnacd 99

The tags aren't even matched with endpoints on the FortiGate, but in EMS and FortiClient it's being tagged.
When I run the CLI, it's then tagged to the client.


Valued Contributor II

Hello @aproost ,


This problem is annoying, I've experienced it many times. I created two workaround solutions for this.


The first is, if you are using FortiAnalyzer, to put it behind ZTNA and then have the clients send logs to FortiAnalyzer with this IP. Since this triggers the ZTNA connection, it wakes up the service and allows it to synchronize client IP addresses.


The second is to ensure that the command that resets the service runs at certain intervals within automation. This is not a method I recommend, because the more it happens, the more of a burden it will be. So if you choose the second method, keep the frequency high.

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
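The second workaround from the reply above, sketched as a FortiOS automation stitch (an added example, not part of the original post and not Fortinet's own configuration). The object names, the hourly schedule and the admin profile are assumptions; the CLI command is the one quoted in the question.

```fortios
# Scheduled trigger: fires once per hour, on the hour (schedule is an assumption).
config system automation-trigger
    edit "ztna-tag-resync-hourly"
        set trigger-type scheduled
        set trigger-frequency hourly
        set trigger-minute 0
    next
end

# Action: run the resync command quoted in the question as a CLI script.
# accprofile must be a profile allowed to run diagnose commands.
config system automation-action
    edit "fcnacd-resync"
        set action-type cli-script
        set script "diagnose test application fcnacd 99"
        set accprofile "super_admin"
    next
end

# Stitch: bind the trigger to the action.
config system automation-stitch
    edit "ztna-tag-resync"
        set status enable
        set trigger "ztna-tag-resync-hourly"
        config actions
            edit 1
                set action "fcnacd-resync"
                set required enable
            next
        end
    next
end
```

Setting `status disable` on the stitch switches the scheduled resync off without deleting the trigger or action, which makes the workaround easy to retire once a fixed EMS/FortiOS build is installed.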

Can it be related to this 7.2.4's known issue?

990863: Zero trust network access (ZTNA) tags do not sync correctly between non-default EMS site and FortiGate.
