EMS 7.2.1
FortiOS 7.2.5 (60F, 101E, 1500D)
FortiClient 7.2.1
I have 3 access proxies. One on a 1500D and 2 on a 101E in vdom mode with VDOM1 and VDOM2.
The forticlient picks up all of the ZTNA destinations and I can access the 1500D-RDP session all of the time. I can only ever access 1 of the 101E VDOM sessions. If I disconnect and reconnect the forticlient, the first RDP session I use will work and the second one will give me the attached error. If I disconnect the forticlient again and connect first to the previously errored session it will work and the original working session will no longer work.
Any pointers on what I might have configured wrong?
Again the 1500D session always works.
This is the error from the ZTNA access log.
Denied failed to match a proxy-policy
What policy is it failing to match when I can disconnect and reconnect the forticlient and the proxy-policy will work if that is the first session I use on the 101E.
Is this supposed to work? I tried vdom partitioning and put VDOM1 F101E-1 and VDOM2 two on F101E-2
Now I cannot connect to either access proxy. One of them gives the original policy not matched. The other now complains about no client id. If disconnect the EMS and reconnect I can get only one vdom to work at a time.
Are we allowed to have an access proxy per vdom or am I supposed to only use 1 vdom and do inter-vdom routing to get to the other vdoms?
I opened a TAC case. From the debugs, it looks like it may be a bug in the 7.2.5 FortiOS.
Hi aguerriero,
Thank you for raising a case with TAC. I am sharing here so others can benefit from your post.
Development confirmed this is a known issue registered under ID 849073 where ZTNA Tags shared across vdoms will not work. This issue affects ZTNA Access Proxy and NAC Control (ZTNA for IP/MAC for forward firewall policies).
The workaround is to have ZTNA Access Proxy Servers in a single vdom.
For IP/MAC, the ZTNA Tag information will be shared only to the vdom where endpoint is connected to. If need to share across multiple FortiGate units, the vdom name must match in all firewalls.
Thank you,
Carlos.
For more clarity, please review the article below and track Known Issue ID 849073 in future FortiOS release notes.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Behavior-of-ZTNA-Tags-shared-across-multip...
Thank you,
Carlos.
I am hoping the fix will be that all ZTNA tags are shared across all firewalls and vdoms that have fabric connections to the same EMS server.
Also the workaround for only connecting to one access proxy requires backside routing. Each of the firewalls/vdoms needs to know the route to the ZTNA proxy external address symmetrically.
This required me to enable NAT on the firewall policy towards the firewall hosting the ztna servers. This is due to some vdoms and firewalls are on the same external subnet for edge routing. The only problem is that the WebUI doesn't allow for NAT in the ZTNA policy configuration dialogue. I had to manually set NAT in the policy view. If you go into the polic configuration dialogue the option for NAT is not there. If you make a change NAT will no longer be enabled.
Nat is set
Modify policy (missing enable nat toggle )and save
Saved policy no longer has NAT enabled.
Re-enable NAT and apply.
Hi Allan,
You are correct. The fix is to allow for ZTNA tags to be synchronized across all vdoms and firewalls.
Regarding the NAT being disabled after policy changes, I have already reported that to Development as well.
A proxy policy can be used with option poolname from CLI rather than NAT in a firewall policy. The poolname option in a proxy-policy will not be lost after making changes from GUI.
Please refer to below document.
Thanks,
Carlos.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.