Hi,
I'm fairly new to Fortinet products, currently testing some features like EMS connected to the FortiGate via Security Fabric and ZTNA, and I'm facing a problem with access to the desired HTTPS site via TCP forwarding in FortiGate (from what I understand, I can use HTTPS instead of TCP forwarding, but this forces me to create DNS entries, for example in CloudFlare).
Long story short, I want to be able to access internal websites via ZTNA without additional DNS entries.
I found in the documentation that I'm supposed to create a ZTNA Destination in EMS; telemetry should then update the hosts file located in C:\Windows\System32\drivers\etc.
I tried this step by step, but the hosts file didn't update and my site shows only "ZTNA Access Denied. Details: API Gateway Denied".
Link to the Documentation
Section:
Upon creating the ZTNA rules, two new entries are added to the Windows PC's hosts file in folder C:\Windows\System32\drivers\etc. View the file, and observe the new entries for the virtual IP and FQDN pairing for each ZTNA connection rule.
# ----- FORTICLIENT ZTNA VIP START -----
10.235.0.1 s27.qa.fortinet.com
10.235.0.2 s29.qa.fortinet.com
# ----- FORTICLIENT ZTNA VIP END -----
What am I missing?
Regards
Tom
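A quick way to confirm whether FortiClient has actually written the ZTNA VIP block described in the documentation excerpt above, added here as an example; it is not part of the original post and not Fortinet's tooling. It parses the Windows hosts file, extracts only the entries between the FORTICLIENT ZTNA VIP START/END markers, and checks whether a given FQDN is present and resolves locally to the virtual IP. The hosts file path is the Windows default, the marker text is taken from the quoted documentation, and the FQDN `intranet.example.internal` is a placeholder you replace with your own ZTNA destination. The `-UseSample` switch feeds the function constructed lines (copied from the documentation excerpt) instead of reading the real file, so the parsing can be tried offline.

```powershell
# Added example, not from the thread or from Fortinet. Assumptions: default hosts path,
# marker lines as quoted in the FortiClient documentation, placeholder FQDN.
param(
    [string]$HostsPath    = "$env:SystemRoot\System32\drivers\etc\hosts",
    [string]$ExpectedFqdn = 'intranet.example.internal',   # placeholder: your ZTNA destination
    [switch]$UseSample                                     # parse constructed sample lines instead of the real file
)

function Get-ZtnaHostsEntries {
    # Return IP/FQDN pairs found strictly inside the FortiClient ZTNA VIP block.
    param([string[]]$Lines)

    $inBlock = $false
    $entries = @()
    foreach ($line in $Lines) {
        if ($line -match 'FORTICLIENT ZTNA VIP START') { $inBlock = $true; continue }
        if ($line -match 'FORTICLIENT ZTNA VIP END')   { break }
        if (-not $inBlock) { continue }

        # hosts syntax: <ip> <whitespace> <hostname> [aliases...] [# comment]
        $clean = ($line -split '#', 2)[0].Trim()
        if (-not $clean) { continue }
        $fields = $clean -split '\s+'
        if ($fields.Count -lt 2) { continue }
        $entries += [pscustomobject]@{ IP = $fields[0]; FQDN = $fields[1] }
    }
    return $entries
}

if ($UseSample) {
    # Constructed sample: the two entries shown in the documentation excerpt, plus an
    # unrelated line outside the block that must NOT be reported.
    $lines = @(
        '127.0.0.1 localhost',
        '# ----- FORTICLIENT ZTNA VIP START -----',
        '10.235.0.1 s27.qa.fortinet.com',
        '10.235.0.2 s29.qa.fortinet.com',
        '# ----- FORTICLIENT ZTNA VIP END -----',
        '192.0.2.10 something.else.example'
    )
} else {
    if (-not (Test-Path $HostsPath)) { throw "hosts file not found at $HostsPath" }
    $lines = Get-Content -Path $HostsPath
}

$ztna = @(Get-ZtnaHostsEntries -Lines $lines)

if ($ztna.Count -eq 0) {
    Write-Warning "No FORTICLIENT ZTNA VIP block found. FortiClient has not written any ZTNA destination entries."
} else {
    Write-Host "ZTNA VIP entries written by FortiClient:"
    $ztna | Format-Table -AutoSize
}

$match = $ztna | Where-Object { $_.FQDN -ieq $ExpectedFqdn }
if ($match) {
    Write-Host "$ExpectedFqdn maps to $($match.IP) in the ZTNA VIP block."
    if (-not $UseSample) {
        # Cross-check with the system resolver (Resolve-DnsName consults the hosts file
        # unless -NoHostsFile is given). A different answer means another record is
        # shadowing the hosts entry or the hosts file is being bypassed.
        Resolve-DnsName -Name $ExpectedFqdn -Type A -ErrorAction SilentlyContinue |
            Select-Object Name, IPAddress
    }
} else {
    Write-Warning "$ExpectedFqdn is not in the ZTNA VIP block; the destination rule was not pushed or not written."
}
```

Run it as `.\Check-ZtnaHosts.ps1 -ExpectedFqdn yourapp.internal` in an elevated or normal PowerShell (reading the hosts file needs no elevation). An empty block with no warning from FortiClient is exactly the symptom discussed in this thread: the access proxy then sees a request for a name it does not know and returns "API Gateway Denied".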
Hello Tom,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hello Tom,
We are still looking for someone to help you.
We will come back to you ASAP.
Regards,
Hi Tom,
Did you try this document?:
https://docs.fortinet.com/document/fortiproxy/7.0.2/release-notes/987706
Regards,
Hi Tom,
regarding the design for your case it all depends on the app type that is protected.
Some deployment examples are provided in below video links:
https://video.fortinet.com/latest/ztna-access-proxy-with-saml-and-mfa-using-fortiauthenticator
https://video.fortinet.com/latest/using-ztna-to-access-protected-tcp-applications
Regards
Howdy Tom. I'm wondering how you made out? I didn't see anything particularly helpful in the responses to your question, and I am running into the exact same problem. I follow the same guide you are using and never see the hosts file entries that are supposed to get written. Did you make any progress?
Created on 06-11-2023 11:42 PM Edited on 06-11-2023 11:43 PM
Hi bmduncan33, from a Fortinet technician I have heard that in the newest version of FortiClient that file is not updated anymore.
Check this link; in my case it was a missing configuration in the firewall proxy:
set add-vhost-domain-to-dnsdb enable
Regards
Tom
That link is for FortiOS 7.4.0. Can you tell me what version of FortiOS and FortiClient you are running? I'm on FortiOS 7.0.10 and FortiClient 7.0.6.
Hi Tom. I got this working with advice from TAC to upgrade my FortiClient version from 7.0.6 to 7.0.8. Now I see the entries written to my hosts file and I'm all set. FYI.
Copyright 2024 Fortinet, Inc. All Rights Reserved.