I have 3 access proxies. One on a 1500D and 2 on a 101E in vdom mode with VDOM1 and VDOM2.
The forticlient picks up all of the ZTNA destinations and I can access the 1500D-RDP session all of the time. I can only ever access 1 of the 101E VDOM sessions. If I disconnect and reconnect the forticlient, the first RDP session I use will work and the second one will give me the attached error. If I disconnect the forticlient again and connect first to the previously errored session it will work and the original working session will no longer work.
Any pointers on what I might have configured wrong?
Is this supposed to work? I tried vdom partitioning and put VDOM1 on F101E-1 and VDOM2 on F101E-2.
Now I cannot connect to either access proxy. One of them gives the original "policy not matched" error. The other now complains about no client ID. If I disconnect the EMS and reconnect I can get only one vdom to work at a time.
Are we allowed to have an access proxy per vdom or am I supposed to only use 1 vdom and do inter-vdom routing to get to the other vdoms?
Thank you for raising a case with TAC. I am sharing here so others can benefit from your post. Development confirmed this is a known issue registered under ID 849073 where ZTNA Tags shared across vdoms will not work. This issue affects ZTNA Access Proxy and NAC Control (ZTNA for IP/MAC for forward firewall policies).
The workaround is to have the ZTNA Access Proxy Servers in a single vdom. For IP/MAC, the ZTNA Tag information will be shared only with the vdom to which the endpoint is connected. If you need to share across multiple FortiGate units, the vdom name must match in all firewalls.
I am hoping the fix will be that all ZTNA tags are shared across all firewalls and vdoms that have fabric connections to the same EMS server.
Also the workaround for only connecting to one access proxy requires backside routing. Each of the firewalls/vdoms needs to know the route to the ZTNA proxy external address symmetrically.
This required me to enable NAT on the firewall policy towards the firewall hosting the ZTNA servers. This is because some vdoms and firewalls are on the same external subnet for edge routing. The only problem is that the WebUI doesn't allow NAT in the ZTNA policy configuration dialogue. I had to manually set NAT in the policy view. If you go into the policy configuration dialogue, the option for NAT is not there, and if you make a change there NAT will no longer be enabled.
(Screenshot: NAT is set on the policy)
(Screenshot: modifying the policy, with the Enable NAT toggle missing, and saving)
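As an added example (not part of the original thread or Fortinet documentation), this is the CLI equivalent of re-enabling NAT on that policy after a WebUI edit has cleared it, followed by a check that the setting is actually present. The VDOM name VDOM1 and policy ID 10 are placeholders, and it assumes the ZTNA rule is an ordinary firewall policy on a unit running in VDOM mode.

```fortios
# Added example: re-enable NAT on the policy toward the VDOM hosting the ZTNA access proxy.
# VDOM1 and policy ID 10 are placeholders; substitute your own VDOM and policy ID.
config vdom
    edit VDOM1
        config firewall policy
            edit 10
                set nat enable
            next
        end
        # Verify the change took effect; "set nat enable" should appear in the output.
        show firewall policy 10
    next
end
```

Running the `show` step after every WebUI edit of that policy is a quick way to catch the toggle being silently reset, since the symptom (the second access proxy failing with a policy mismatch) only shows up on the next client connection.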