Dear colleagues,
I don't get ZTNA running with FortiClient on Fedora Linux. I always get the message
"ZTNA Access Denied
The page you requested has been blocked by a ZTNA restriction.
Details: Invalid ZTNA client certificate"
I tried Firefox, Chromium and Brave as Browsers but got the same result.
I rejoined the client to EMS, I reinstalled Forticlient but no change. Is there someone with the same problem or anybody who could help?
Forticlient 7.2.2.0753
EMS Forticloud
Fortigate 7.0.12
kind regards
stephan
At the end I could fix it by using another device. It was not working on my Lenovo T480 together with Linux even though it is working on T480 with windows. So just be informed that you may have trouble with some devices and Linux by using Forticlient which can maybe not be solved.
best
stephan
Hi Stephan,
In Windows, FortiClient automatically installs certificates into the certificate store. The certificate information in the store, such as certificate UID and SN, should match the information on FortiClient EMS and FortiGate.
To locate certificates on the endpoint, consult the vendor documentation.
The error message you're seeing relates to the ZTNA client certificate. These certificates are crucial for ensuring a secure connection between the client and the server. If the certificate is expired, corrupted, or not trusted, it can lead to such issues.
Hi @sschuster,
If your FortiClient is connected to EMS, your client device should receive a ZTNA client certificate.
On Fedora, you can verify if the certificate is imported into the NSS shared DB with the below command:
certutil -d sql:$HOME/.pki/nssdb -Ln 'FortiClient ZTNA'
If you don't see any certificate there, maybe check if TPM is enabled in your BIOS (or VM config).
If you can see the details of the ZTNA certificate, maybe just try closing ALL of your browser windows and then starting them again. Your browsers should prompt you to submit a ZTNA certificate when accessing a ZTNA-secured website.
If you get stuck, I'd suggest opening a TAC Support ticket.
Hi @sschuster
Can you please check if FortiClient has learned the tags from EMS for the service or application you are trying to access?
Regards,
The Tags are displayed. The connection to EMS looks good.
Thank you for your answers so far.
certutil -d sql:$HOME/.pki/nssdb -Ln 'FortiClient ZTNA'
shows the certificate (but it takes a really long time, >10 sec?) and the browsers are showing the popup to select the client cert.
Unfortunately I don't have logs about what's happening during that certificate check.
FortiGate is not logging this in the ZTNA logs, FortiClient seems to log nothing as well, and the browser, started in a terminal, does not show anything either.
The only thing I could find is
{
"request_time": "Mon Oct 9 13:40:59 2023 CEST",
"receive_time": "Mon Oct 9 13:43:35 2023 CEST",
"request_reason": "client certificate cannot be found on the system",
"cert_serial": "[removed by me]",
"ems_serial": "[removed by me]",
"ems_address": "fct-[removed by me].forticlient-emsproxy.forticloud.com"
}
in /var/log/forticlient/ztna-cert.info.
best
stephan
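A small triage helper for the two checks this thread relies on: the certutil lookup of the 'FortiClient ZTNA' nickname in the NSS shared DB, and the /var/log/forticlient/ztna-cert.info record quoted above. This is an added example, not code from Fortinet or from the poster; the embedded record is a constructed sample with placeholder serials, and the certutil call is simply skipped when the tool is not installed.

```python
import json
import os
import shutil
import subprocess
from datetime import datetime
from typing import Optional

# Constructed sample in the shape of /var/log/forticlient/ztna-cert.info as
# quoted in the thread; serials and hostname are placeholders, not real values.
SAMPLE_ZTNA_CERT_INFO = """{
"request_time": "Mon Oct 9 13:40:59 2023 CEST",
"receive_time": "Mon Oct 9 13:43:35 2023 CEST",
"request_reason": "client certificate cannot be found on the system",
"cert_serial": "PLACEHOLDER-CERT-SERIAL",
"ems_serial": "PLACEHOLDER-EMS-SERIAL",
"ems_address": "fct-PLACEHOLDER.forticlient-emsproxy.forticloud.com"
}"""

TIME_FMT = "%a %b %d %H:%M:%S %Y"  # as written in the file, zone name dropped


def parse_ztna_time(value: str) -> datetime:
    """Parse 'Mon Oct 9 13:40:59 2023 CEST'; the trailing zone is ignored."""
    return datetime.strptime(" ".join(value.split()[:5]), TIME_FMT)


def triage_ztna_cert_info(text: str) -> dict:
    """Summarise one ztna-cert.info record: why the client asked EMS for a
    certificate and how long the round trip took (a long delay matches the
    slow certutil lookup reported in the thread)."""
    rec = json.loads(text)
    delay = parse_ztna_time(rec["receive_time"]) - parse_ztna_time(rec["request_time"])
    reason = rec.get("request_reason", "")
    return {
        "reason": reason,
        "delay_seconds": int(delay.total_seconds()),
        # The thread's failure mode: the client cannot find its own cert locally.
        "cert_missing_locally": "cannot be found" in reason,
        "slow_issuance": delay.total_seconds() > 60,  # threshold is an assumption
        "ems_serial": rec.get("ems_serial", ""),
    }


def nss_has_ztna_cert(nssdb: str = "~/.pki/nssdb",
                      nickname: str = "FortiClient ZTNA") -> Optional[bool]:
    """Run the certutil check from the thread; None when certutil is absent."""
    if shutil.which("certutil") is None:
        return None
    db = "sql:" + os.path.expanduser(nssdb)
    res = subprocess.run(["certutil", "-d", db, "-Ln", nickname],
                         capture_output=True, text=True)
    return res.returncode == 0
```

Point triage_ztna_cert_info at the real file contents on an affected endpoint and compare the reported ems_serial with what FortiGate and EMS show.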
Hi @sschuster
Can you please give the output of the below command to the user?
diagnose endpoint record list
Is the EMS serial number and client cert matching on the Fortigate and EMS server?
Regards,
The Fedora machine is not in the list. Checking FortiGate to find out why.
The FortiGate shows only 3 offline users/machines but none of the devices currently displayed as online in EMS. I activated "share all FortiClients" in the "fabric devices" setting in EMS but without any effect. The connection between FortiGate and EMS seems to be working. If I create a new ZTNA tag, it's shown on the FortiGate.
Copyright 2024 Fortinet, Inc. All Rights Reserved.