Hello, I need urgent support.
I am doing a ZTNA configuration with FortiEMS on-prem.
For off-net and on-net users, I created a record fortiems.xxx.com in both local DNS and global DNS.
I created fortiems.xxx.com for off-net users. The DNS record is in the same subnet as the WAN IP, but it is not the WAN IP itself. I need to announce this IP behind the WAN interface to get telemetry data, but I do not know how to do this. I entered it on the WAN interface as a secondary IP, but it did not seem like a correct configuration; I cannot see it in the ARP table.
Can you help me with this?
Hello @inventohakkı ,
Can you try to enable the ARP reply setting on the VIP configuration?
```
config firewall vip
    edit <name>
        set arp-reply enable
    next
end
```
Thank you for your answers. I will have one more question: now all my configuration is correct, but the certificate I used when creating the ZTNA server is the FortiGate SSL certificate, not the ZTNA certificate.
net::ERR_CERT_AUTHORITY_INVALID when I try from browser
I am getting this error. The reason I cannot use the ZTNA certificate is that it does not appear in the default certificates. What should I use in default certificates? I have also seen ZTNA being used and SSL being used; which is correct?
Created on 08-22-2024 05:37 AM Edited on 08-22-2024 05:38 AM
Hello @inventohakkı ,
Actually, I can't understand exactly. If you are talking about the EMS server certificate, you need to install a valid certificate on EMS. Also, this certificate should match your EMS FQDN.
After uploading the certificate, EMS will not give a certificate error when you open the EMS management web page.
Created on 08-21-2024 10:34 AM Edited on 08-22-2024 02:09 AM
I have attached the whole process. Now, you need a publicly resolvable FQDN.
https://docs.google.com/document/d/1mwKSIKjkAAxDOok0zpqnWO9Xn4ckxsPfZA8DClpP-lA/edit?usp=sharing
Hello.
arp-reply is enabled, but now its own client is off-net and not reachable.
I also did something like this as a result of my research, but is this configuration correct?
I created a VIP and also created an IP pool so that the IP pool is one-to-one, and I used both the VIP and the IP pool in the same rule.
IP pool configuration:
interface wan1, external IP is the FortiEMS public IP, mapped IP is the local EMS IP, and arp-reply is enabled.
Hello @inventohakkı ,
No need for an IP pool. Just use the VIP object in your rule.
After removing the IP pool from your rule, can you run these commands and share the output with us?
```
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug reset
diagnose debug flow filter saddr <YOUR_CLIENT_PUBLIC_IP>
diagnose debug flow filter daddr <FORTIGATE_PUBLIC_IP>
diagnose debug flow trace start 100
diagnose debug enable
```
And also, as @Bjay_Prakash_Ghising said, you need to configure your FQDN on FortiClient EMS.
Let us know if you have any doubts.
Follow the documented process below.
https://docs.google.com/document/d/1mwKSIKjkAAxDOok0zpqnWO9Xn4ckxsPfZA8DClpP-lA/edit?usp=sharing
Hope that helps,
Kind regards,
Bijay Prakash Ghising
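As an added example (not code from this thread or from Fortinet), here is the shape of the VIP-only setup the reply above describes: a single VIP object that owns the off-net FortiEMS address with arp-reply enabled, referenced directly as the destination of an inbound policy, with no IP pool involved. The addresses, interface names, object names and the 8013 telemetry port are assumptions and placeholders; substitute your own values.

```fortios
# Assumed values (placeholders, not from the thread):
#   203.0.113.10  = public IP that fortiems.xxx.com resolves to (same subnet as wan1, not the wan1 IP)
#   10.0.0.20     = on-prem FortiEMS server
#   8013          = FortiClient telemetry port on EMS (assumed default)
config firewall vip
    edit "EMS-Telemetry-VIP"
        set extip 203.0.113.10
        set extintf "wan1"
        set mappedip "10.0.0.20"
        set arp-reply enable
        set portforward enable
        set protocol tcp
        set extport 8013
        set mappedport 8013
    next
end
# The policy references the VIP as dstaddr; no ippool / NAT on this rule.
config firewall policy
    edit 0
        set name "Inbound-EMS-Telemetry"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "EMS-Telemetry-VIP"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

With arp-reply enabled the FortiGate answers ARP requests for the extip on wan1, so the upstream router learns it without the address being configured on the interface. You can confirm that from the FortiGate side with `diagnose sniffer packet wan1 'arp' 4`, which should show ARP replies for the extip, and then use the `diagnose debug flow` commands above to confirm the inbound session is matched to the VIP policy. Restricting the VIP to the telemetry port (rather than a plain 1:1 mapping) keeps the rest of the EMS server unexposed on the WAN side.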