Support Forum
raffaeledp
Contributor

What's the difference between these two ZTNA users?

Hello everybody,

Some time ago I created a ZTNA environment on my Forticlient EMS, assigning some tags to some users.

For example, look at these two users (this first one uses a macOS device, the second one a Windows device):

The first one was Off-Fabric too when the attempts occurred.

Screenshot 2024-10-10 alle 09.19.26.png

 

Screenshot 2024-10-10 alle 15.21.03.png

As you can see, both users have the same tags.

The ZTNA Firewall policy is unique:

 
 

Screenshot 2024-10-10 alle 15.24.42.png

So, both users should either be able to access the ZTNA or not.

The strange fact is that the Windows user can access the ZTNA:

 

date=2024-10-10 time=13:23:01 id=7424106010597392384 itime="2024-10-10 13:23:01" euid=1040 epid=1070 dsteuid=3 dstepid=1051 logflag=1 logver=702101706 type="traffic" subtype="ztna" level="notice" action="accept" policyid=15 sessionid=11466583 srcip=….. dstip=10.1.0.207 srcport=7854 dstport=3389 duration=13850 proto=6 sentbyte=1112395 rcvdbyte=6568260 logid=0005000024 service="RDP" app="RDP" appcat="unscanned" fctuid="6C40ACFAC7B043A4851701EB5FDD3B3D" srcintfrole="wan" dstintfrole="lan" policytype="proxy-policy" eventtime=1728559380018282594 wanin=6568260 wanout=783813 lanin=1112395 lanout=6912787 poluuid="7f1a8a84-dfd7-51ee-4200-2edb944b93d3" srccountry="Italy" dstcountry="Reserved" srcintf="wan1" dstintf="internal" policyname="ZTNA to RDP" tz="+0200" vip="ZTNA RDP" accessproxy="ZTNA RDP" gatewayid=1 clientdeviceid="6C40ACFAC7B043A4851701EB5FDD3B3D" clientdevicetags="MAC_EMS1_ZTNA_all_registered_clients/EMS1_ZTNA_all_registered_clients/MAC_EMS1_ZTNA_Kira TAG/EMS1_ZTNA_Kira TAG" proxyapptype="http" clientdevicemanageable="manageable" emsconnection="online" devid="FGT60FTK23099PH2" vd="root" dtime="2024-10-10 13:23:01" itime_t=1728559381 devname="ntd-fg"

 

The second one can't access due to an error (msg="Traffic denied because of failed to match a proxy-policy"):

 

date=2024-10-09 time=16:14:43 id=7423779172176101376 itime="2024-10-09 16:14:43" euid=3 epid=101 dsteuid=3 dstepid=1053 logflag=3 logver=702101706 type="traffic" subtype="ztna" level="notice" action="deny" policyid=15 sessionid=10994158 srcip=… dstip=10.1.0.214 srcport=52177 dstport=3389 duration=19603 proto=6 sentbyte=10454368 rcvdbyte=31622617 logid=0005000024 service="RDP" app="RDP" appcat="unscanned" srcintfrole="wan" dstintfrole="lan" policytype="proxy-policy" eventtime=1728483282890140384 wanin=31622617 wanout=7184424 lanin=10454368 lanout=32300828 crscore=30 craction=131072 crlevel="high" poluuid="7f1a8a84-dfd7-51ee-4200-2edb944b93d3" srccountry="Italy" dstcountry="Reserved" srcintf="wan1" dstintf="internal" policyname="ZTNA to RDP" msg="Traffic denied because of failed to match a proxy-policy" threatwgts=30 threatcnts=1 threatlvls=3 threats=blocked-connection threattyps=blocked-connection tz="+0200" vip="ZTNA RDP" accessproxy="ZTNA RDP" gatewayid=1 proxyapptype="http" clientdevicemanageable="manageable" devid="FGT60FTK23099PH2" vd="root" dtime="2024-10-09 16:14:43" itime_t=1728483283 devname="ntd-fg"

 

How is that possible?

Thank you for the support!

 

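As an added illustration (not code from the original post or from Fortinet), the two log lines above can be parsed to see what actually differs between them: the denied session carries no fctuid, clientdeviceid or clientdevicetags fields at all, so the FortiGate never tied that session to an EMS-registered endpoint, which points at the client side rather than at the tag assignment. The log strings below are shortened copies of the ones quoted in the post.

```python
import re
from typing import Dict, List

# Shortened copies of the two ZTNA traffic logs quoted in the post
# (fields trimmed for brevity; names and values as in the originals).
ACCEPT_LOG = ('date=2024-10-10 time=13:23:01 type="traffic" subtype="ztna" action="accept" '
              'policyid=15 dstip=10.1.0.207 dstport=3389 service="RDP" '
              'fctuid="6C40ACFAC7B043A4851701EB5FDD3B3D" policyname="ZTNA to RDP" '
              'clientdeviceid="6C40ACFAC7B043A4851701EB5FDD3B3D" '
              'clientdevicetags="MAC_EMS1_ZTNA_all_registered_clients/EMS1_ZTNA_all_registered_clients/'
              'MAC_EMS1_ZTNA_Kira TAG/EMS1_ZTNA_Kira TAG" emsconnection="online"')
DENY_LOG = ('date=2024-10-09 time=16:14:43 type="traffic" subtype="ztna" action="deny" '
            'policyid=15 dstip=10.1.0.214 dstport=3389 service="RDP" policyname="ZTNA to RDP" '
            'msg="Traffic denied because of failed to match a proxy-policy" '
            'clientdevicemanageable="manageable"')

# key=value or key="quoted value"; quoted values may contain spaces and slashes.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one FortiGate key=value log line into a dict, stripping quotes."""
    fields: Dict[str, str] = {}
    for key, value in _KV.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields

# Fields the FortiGate fills in only when it has matched the session to an
# EMS-registered endpoint; a tag-based ZTNA policy has nothing to match without them.
DEVICE_IDENTITY_FIELDS = ("fctuid", "clientdeviceid", "clientdevicetags", "emsconnection")

def diagnose_ztna(line: str) -> Dict[str, object]:
    """Summarise a ZTNA traffic log: action, tags and whether the endpoint was identified."""
    rec = parse_fortigate_log(line)
    missing = [f for f in DEVICE_IDENTITY_FIELDS if f not in rec]
    tags = rec["clientdevicetags"].split("/") if rec.get("clientdevicetags") else []
    return {
        "action": rec.get("action"),
        "policy": rec.get("policyname"),
        "tags": tags,
        "missing_identity_fields": missing,
        "endpoint_identified": not missing,
        "reason": rec.get("msg", ""),
    }

def compare_sessions(accepted: str, denied: str) -> Dict[str, List[str]]:
    """List fields present in only one of two log lines, to spot what differs."""
    a, d = parse_fortigate_log(accepted), parse_fortigate_log(denied)
    return {"only_in_accepted": sorted(k for k in a if k not in d),
            "only_in_denied": sorted(k for k in d if k not in a)}
```

Running diagnose_ztna on the denied line reports all four identity fields as missing and an empty tag list, while the accepted line yields the four tags shown in the EMS screenshots.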
1 Solution
raffaeledp

I solved the problem. The solution was to create the ZTNA XML configuration manually. I had to shift down the "gateways" tag so that it is correctly recognized by the FortiClient on macOS.

4 REPLIES 4
AEK
SuperUser

Hi Raffael

I see destination IP is not the same.

Can you try connecting to the same IP?

AEK
raffaeledp

Hello, thanks for your reply.

Yes, the destination IP is not the same, but both destinations are behind the same ZTNA server:

Screenshot 2024-10-10 alle 15.50.27.png

Screenshot 2024-10-10 alle 15.50.52.png

Screenshot 2024-10-10 alle 15.51.00.png

  

AEK
SuperUser

Hi Raffael

Can you try the following:

  • Go to EMS menu: Administration > Fabric devices, edit the FortiGate device, "FortiClient Endpoint Sharing" and enable "Share all FortiClients"
  • On your FortiGate, disable the ZTNA firewall rule and create a ZTNA proxy rule instead

Also, which FortiOS and FortiClient versions are you using?

AEK