ZTNA - Off-net
Hello, I need urgent support.
I am doing a ZTNA configuration with FortiEMS on-prem.
For off-net and on-net users, I created a record as fortiems.xxx.com in both the local DNS and the global DNS.
I created fortiems.xxx.com for off-net users; the DNS record is in the same subnet as the WAN IP, but it is not the WAN IP itself. I need to announce this IP behind the WAN interface to get telemetry data, but I do not know how to do this. I entered it on the WAN interface as a second IP, but that did not seem like the correct configuration; I cannot see it in the ARP table.
Can you help me with this?
Hello @inventohakkı,
Can you try enabling the arp-reply setting on the VIP configuration?
config firewall vip
edit <name>
set arp-reply enable
next
end
NSE 4-5-6-7 OT Sec - ENT FW
Thank you for your answers. I have one more question: now all my configuration is correct, but the certificate I used when creating the ZTNA server is the FortiGate SSL certificate, not the ZTNA certificate.
net::ERR_CERT_AUTHORITY_INVALID when I try from the browser
I am getting this error. The reason I cannot use the ZTNA certificate is that it does not appear in the default certificates. What should I use in the default certificates? I have seen both ZTNA and SSL being used; which is correct?
Created on 08-22-2024 05:37 AM, edited on 08-22-2024 05:38 AM
Hello @inventohakkı,
Actually, I don't understand exactly. If you are talking about the EMS server certificate, you need to install a valid certificate on EMS. Also, this certificate should match your EMS FQDN.
After uploading the certificate, EMS will not give a certificate error when you open the EMS management web page.
NSE 4-5-6-7 OT Sec - ENT FW
Created on 08-21-2024 10:34 AM, edited on 08-22-2024 02:09 AM
I have attached the whole process. Now you need a publicly resolvable FQDN.
https://docs.google.com/document/d/1mwKSIKjkAAxDOok0zpqnWO9Xn4ckxsPfZA8DClpP-lA/edit?usp=sharing
Hello.
arp-reply is enabled, but now its own client is off-net and not reachable.
I also did something like this as a result of my research, but is this configuration correct?
I created a VIP and also created an IP pool so that the IP pool is one-to-one, and I used both the VIP and the IP pool in the same rule.
IP pool configuration:
interface wan1, external IP: the FortiEMS public IP; for the mapped IP I used the local EMS IP, so arp-reply is enabled.
Hello @inventohakkı,
There is no need for an IP pool. Just use the VIP object in your rule.
After removing the IP pool from your rule, can you run these commands and share the output with us?
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug reset
diagnose debug flow filter saddr <YOUR_CLIENT_PUBLIC_IP>
diagnose debug flow filter daddr <FORTIGATE_PUBLIC_IP>
diagnose debug flow trace start 100
diagnose debug enable
Also, as @Bjay_Prakash_Ghising said, you need to configure your FQDN on FortiClient EMS.
NSE 4-5-6-7 OT Sec - ENT FW
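As an added example, not taken from this thread or from Fortinet's documentation, here is a complete FortiOS CLI configuration that ties together the two answers above: the static VIP with arp-reply (so the FortiGate answers ARP for an EMS public IP that is in the wan1 subnet but is not the wan1 address) and the inbound policy that references only the VIP object, with no IP pool and no source NAT. The interface names (wan1, internal), the addresses 203.0.113.10 and 192.168.10.10, the object names, and the EMS port TCP/8013 for FortiClient telemetry are all assumptions for illustration; substitute your own. The "#" lines are annotations.

```fortios
# Added example (not from the original thread). Assumed values:
#   wan1          = FortiGate WAN interface
#   203.0.113.10  = public IP reserved for EMS: inside wan1's subnet,
#                   but NOT the wan1 interface address itself
#   192.168.10.10 = on-prem FortiClient EMS behind the "internal" interface
#   TCP/8013      = FortiClient telemetry port (assumed default)
# The IP is NOT configured as a secondary address on wan1; the VIP owns it.

# 1. Static 1:1 VIP. arp-reply makes the FortiGate answer ARP for
#    203.0.113.10 on wan1, so the upstream router learns a MAC for it
#    and forwards traffic for that address to the FortiGate.
config firewall vip
    edit "VIP_FortiEMS"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "192.168.10.10"
        set arp-reply enable
    next
end

# 2. Only the ports off-net FortiClients need: HTTPS (built-in service)
#    and the telemetry port. Avoid "ALL" on an Internet-facing VIP.
config firewall service custom
    edit "FortiEMS-Telemetry"
        set tcp-portrange 8013
    next
end

# 3. Inbound policy. The VIP object is the destination; there is no
#    ippool/poolname and NAT is disabled. "edit 0" allocates the next
#    free policy ID.
config firewall policy
    edit 0
        set name "Inbound-FortiEMS"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "VIP_FortiEMS"
        set action accept
        set schedule "always"
        set service "HTTPS" "FortiEMS-Telemetry"
        set nat disable
        set logtraffic all
    next
end
```

To confirm the ARP side before debugging flows, watch wan1 for the VIP address while the upstream router tries to reach it: `diagnose sniffer packet wan1 'arp and host 203.0.113.10' 4`. You should see the request and a reply sourced from the FortiGate's wan1 MAC; if only requests appear, the VIP or its arp-reply setting is wrong. Once ARP works, the `diagnose debug flow` sequence in the reply above shows whether the inbound session matches the policy and is DNATed to 192.168.10.10.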
Let us know if you have any doubts.
Follow the documented process below.
https://docs.google.com/document/d/1mwKSIKjkAAxDOok0zpqnWO9Xn4ckxsPfZA8DClpP-lA/edit?usp=sharing
Hope that helps,
Kind regards,
Bijay Prakash Ghising