Hello everybody,
Some time ago I created a ZTNA environment on my Forticlient EMS, assigning some tags to some users.
For example, look at these two users (this first one uses a macOS device, the second one a Windows device):
the first one was Off-Fabric too when the attempts occured.
As you can see, both users have the same tags.
The ZTNA Firewall policy is unique:
So, both user should access or not the ZTNA.
The strange fact is that the Windows user can access the ZTNA:
date=2024-10-10 time=13:23:01 id=7424106010597392384 itime="2024-10-10 13:23:01" euid=1040 epid=1070 dsteuid=3 dstepid=1051 logflag=1 logver=702101706 type="traffic" subtype="ztna" level="notice" action="accept" policyid=15 sessionid=11466583 srcip=….. dstip=10.1.0.207 srcport=7854 dstport=3389 duration=13850 proto=6 sentbyte=1112395 rcvdbyte=6568260 logid=0005000024 service="RDP" app="RDP" appcat="unscanned" fctuid="6C40ACFAC7B043A4851701EB5FDD3B3D" srcintfrole="wan" dstintfrole="lan" policytype="proxy-policy" eventtime=1728559380018282594 wanin=6568260 wanout=783813 lanin=1112395 lanout=6912787 poluuid="7f1a8a84-dfd7-51ee-4200-2edb944b93d3" srccountry="Italy" dstcountry="Reserved" srcintf="wan1" dstintf="internal" policyname="ZTNA to RDP" tz="+0200" vip="ZTNA RDP" accessproxy="ZTNA RDP" gatewayid=1 clientdeviceid="6C40ACFAC7B043A4851701EB5FDD3B3D" clientdevicetags="MAC_EMS1_ZTNA_all_registered_clients/EMS1_ZTNA_all_registered_clients/MAC_EMS1_ZTNA_Kira TAG/EMS1_ZTNA_Kira TAG" proxyapptype="http" clientdevicemanageable="manageable" emsconnection="online" devid="FGT60FTK23099PH2" vd="root" dtime="2024-10-10 13:23:01" itime_t=1728559381 devname="ntd-fg"
The second one can't access due to an error (msg="Traffic denied because of failed to match a proxy-policy"):
date=2024-10-09 time=16:14:43 id=7423779172176101376 itime="2024-10-09 16:14:43" euid=3 epid=101 dsteuid=3 dstepid=1053 logflag=3 logver=702101706 type="traffic" subtype="ztna" level="notice" action="deny" policyid=15 sessionid=10994158 srcip=… dstip=10.1.0.214 srcport=52177 dstport=3389 duration=19603 proto=6 sentbyte=10454368 rcvdbyte=31622617 logid=0005000024 service="RDP" app="RDP" appcat="unscanned" srcintfrole="wan" dstintfrole="lan" policytype="proxy-policy" eventtime=1728483282890140384 wanin=31622617 wanout=7184424 lanin=10454368 lanout=32300828 crscore=30 craction=131072 crlevel="high" poluuid="7f1a8a84-dfd7-51ee-4200-2edb944b93d3" srccountry="Italy" dstcountry="Reserved" srcintf="wan1" dstintf="internal" policyname="ZTNA to RDP" msg="Traffic denied because of failed to match a proxy-policy" threatwgts=30 threatcnts=1 threatlvls=3 threats=blocked-connection threattyps=blocked-connection tz="+0200" vip="ZTNA RDP" accessproxy="ZTNA RDP" gatewayid=1 proxyapptype="http" clientdevicemanageable="manageable" devid="FGT60FTK23099PH2" vd="root" dtime="2024-10-09 16:14:43" itime_t=1728483283 devname="ntd-fg"
How is that possible?
Thank you for the support!
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
I solved the problem. The solution was to create manually the XML ZTNA configuration. I had to shift down the "gateways" tag, in order to be correctly recognized by the Forticlient on macOS.
Hi Raffael
I see destination IP is not the same.
Can you try connect to the same IP?
Hello, thanks for your replay.
Yes, destination IP is not the same, but both destination are behind the same ZTNA server:
Hi Raffael
Can try the following:
Also, which FortiOS and FortiClient versions are you using?
I solved the problem. The solution was to create manually the XML ZTNA configuration. I had to shift down the "gateways" tag, in order to be correctly recognized by the Forticlient on macOS.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.