Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
aguerriero
Contributor II

ZTNA Multple Access Proxies and VDOM mode

EMS 7.2.1
FortiOS 7.2.5 (60F, 101E, 1500D)
FortiClient 7.2.1

I have 3 access proxies. One on a 1500D and 2 on a 101E in vdom mode with VDOM1 and VDOM2.

The forticlient picks up all of the ZTNA destinations and I can access the 1500D-RDP session all of the time. I can only ever access 1 of the 101E VDOM sessions. If I disconnect and reconnect the forticlient, the first RDP session I use will work and the second one will give me the attached error. If I disconnect the forticlient again and connect first to the previously errored session it will work and the original working session will no longer work.

Any pointers on what I might have configured wrong?

Again the 1500D session always works.

Architecture.PNGZTNA Destinations.PNGError for 101E VDOM2.PNG

7 REPLIES 7
aguerriero
Contributor II

This is the error from the ZTNA access log.

Denied  failed to match a proxy-policy

What policy is it failing to match when I can disconnect and reconnect the forticlient and the proxy-policy will work if that is the first session I use on the 101E.

ZTNA Traffic Log.PNG

aguerriero
Contributor II

Is this supposed to work? I tried vdom partitioning and put VDOM1 F101E-1 and VDOM2 two on F101E-2

Now I cannot connect to either access proxy. One of them gives the original policy not matched. The other now complains about no client id. If disconnect the EMS and reconnect I can get only one vdom to work at a time.

Are we allowed to have an access proxy per vdom or am I supposed to only use 1 vdom and do inter-vdom routing to get to the other vdoms?

Capture11.PNG

aguerriero
Contributor II

I opened a TAC case. From the debugs, it looks like it may be a bug in the 7.2.5 FortiOS.

CarlosColombini

Hi aguerriero,

 

Thank you for raising a case with TAC. I am sharing here so others can benefit from your post.
Development confirmed this is a known issue registered under ID 849073 where ZTNA Tags shared across vdoms will not work. This issue affects ZTNA Access Proxy and NAC Control (ZTNA for IP/MAC for forward firewall policies).

The workaround is to have ZTNA Access Proxy Servers in a single vdom.
For IP/MAC, the ZTNA Tag information will be shared only to the vdom where endpoint is connected to. If need to share across multiple FortiGate units, the vdom name must match in all firewalls.

 

Thank you,

Carlos.

CarlosColombini

For more clarity, please review the article below and track Known Issue ID 849073 in future FortiOS release notes.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Behavior-of-ZTNA-Tags-shared-across-multip...

Thank you,

Carlos.

aguerriero

I am hoping the fix will be that all ZTNA tags are shared across all firewalls and vdoms that have fabric connections to the same EMS server. 

Also the workaround for only connecting to one access proxy requires backside routing. Each of the firewalls/vdoms needs to know the route to the ZTNA proxy external address symmetrically. 

This required me to enable NAT on the firewall policy towards the firewall hosting the ztna servers. This is due to some vdoms and firewalls are on the same external subnet for edge routing. The only problem is that the WebUI doesn't allow for NAT in the ZTNA policy configuration dialogue. I had to manually set NAT in the policy view.  If you go into the polic configuration dialogue the option for NAT is not there. If you make a change NAT will no longer be enabled. 

 

Nat is set

Capture.PNG

 

Modify policy (missing enable nat  toggle )and save

Capture2.PNG

 Saved policy no longer has NAT enabled.

 

Capture3.PNG

Re-enable NAT and apply.

Capture4.PNG



CarlosColombini

Hi Allan,

 

You are correct. The fix is to allow for ZTNA tags to be synchronized across all vdoms and firewalls.

 

Regarding the NAT being disabled after policy changes, I have already reported that to Development as well.

A proxy policy can be used with option poolname from CLI rather than NAT in a firewall policy. The poolname option in a proxy-policy will not be lost after making changes from GUI.

 

Please refer to below document.

https://docs.fortinet.com/document/fortigate/7.4.0/new-features/230508/using-the-ip-pool-or-client-i...

 

Thanks,

Carlos.

Top Kudoed Authors