Comasz
New Contributor

ZTNA TCP Forwarding - Windows hosts file didn't update

Hi,
I'm fairly new to Fortinet products. I'm currently testing some features like EMS connected to the FortiGate via the Security Fabric, and ZTNA, and I'm facing a problem with access to the desired HTTPS site through TCP forwarding in the FortiGate (from what I understand I can use HTTPS instead of TCP forwarding, but this forces me to create DNS entries, for example in CloudFlare).

Long story short, I want to be able to access an internal website via ZTNA without additional DNS entries.
I found in the documentation that I'm supposed to create a ZTNA Destination in EMS; telemetry should then update the hosts file located in C:\Windows\System32\drivers\etc.

I tried this step by step, but the hosts file didn't update and my site shows only "ZTNA Access Denied. Details: API Gateway Denied".

Link to the Documentation

Section: 

  1. Upon creating the ZTNA rules, two new entries are added to the Windows PC’s host file in folder C:\Windows\System32\drivers\etc. View the file, and observe the new entries for the virtual IP and FQDN pairing for each ZTNA connection rule.

    # ----- FORTICLIENT ZTNA VIP START -----
    10.235.0.1 s27.qa.fortinet.com
    10.235.0.2 s29.qa.fortinet.com
    # ----- FORTICLIENT ZTNA VIP END -----

What am I missing?
Regards
Tom
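A quick check for the symptom described in the post, added here as an example and not part of the original post or of any Fortinet tooling: it parses the Windows hosts file for the FortiClient ZTNA VIP block quoted from the guide and reports which expected ZTNA destinations have no VIP entry. The hosts path, marker lines and sample entries come from the post; the function names and the two sample files are constructed.

```python
import ipaddress
from pathlib import Path
from typing import Dict, List, Optional

# Marker lines FortiClient writes around its ZTNA entries (quoted in the post above).
START = "# ----- FORTICLIENT ZTNA VIP START -----"
END = "# ----- FORTICLIENT ZTNA VIP END -----"
WINDOWS_HOSTS = Path(r"C:\Windows\System32\drivers\etc\hosts")

def parse_ztna_block(text: str) -> Optional[Dict[str, str]]:
    """Return {fqdn: vip} for the entries between the FortiClient markers,
    or None when the markers are absent (the symptom described in the thread)."""
    lines = [ln.strip() for ln in text.splitlines()]
    if START not in lines or END not in lines:
        return None
    start, end = lines.index(START), lines.index(END)
    mapping: Dict[str, str] = {}
    for ln in lines[start + 1:end]:
        if not ln or ln.startswith("#"):
            continue
        parts = ln.split()  # e.g. "10.235.0.1 s27.qa.fortinet.com"
        if len(parts) < 2:
            continue
        ip, fqdn = parts[0], parts[1].lower()
        try:
            ipaddress.ip_address(ip)  # skip malformed VIPs rather than trusting them
        except ValueError:
            continue
        mapping[fqdn] = ip
    return mapping

def check_destinations(text: str, expected_fqdns: List[str]) -> List[str]:
    """List the ZTNA destination FQDNs that have no VIP in the hosts file; empty means healthy."""
    block = parse_ztna_block(text) or {}
    return sorted(f.lower() for f in expected_fqdns if f.lower() not in block)

# Constructed sample: a hosts file as the guide says FortiClient should leave it.
SAMPLE_OK = """127.0.0.1 localhost
# ----- FORTICLIENT ZTNA VIP START -----
10.235.0.1 s27.qa.fortinet.com
10.235.0.2 s29.qa.fortinet.com
# ----- FORTICLIENT ZTNA VIP END -----
"""
# Constructed sample: a hosts file that was never updated (Tom's symptom).
SAMPLE_MISSING = "127.0.0.1 localhost\n"

if __name__ == "__main__":
    text = WINDOWS_HOSTS.read_text() if WINDOWS_HOSTS.exists() else SAMPLE_MISSING
    print("missing ZTNA VIP entries:", check_destinations(text, ["s27.qa.fortinet.com", "s29.qa.fortinet.com"]) or "none")
```

Run it on the affected PC after telemetry should have updated the file; a non-empty list means the EMS destination never reached the hosts file, which points at the client or firewall side rather than at DNS.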

Anthony_E
Community Manager

Hello Tom,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Thanks,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager

Hello Tom,

We are still looking for someone to help you.

We will come back to you ASAP.

Regards,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager

Hi Tom,

Did you try this document?

https://docs.fortinet.com/document/fortiproxy/7.0.2/release-notes/987706

Regards,

Anthony-Fortinet Community Team.
Sx11
Staff

Hi Tom,

Regarding the design for your case, it all depends on the type of app that is protected.

  • ZTNA HTTP access proxy allows secure remote access to web-based applications

https://docs.fortinet.com/document/fortigate/7.0.5/administration-guide/325639/ztna-https-access-pro...

  • ZTNA TCP forwarding access proxy is used for other applications, such as SSH, Remote Desktop Protocol (RDP), and others, whether hosted in the physical datacenter or cloud.

https://docs.fortinet.com/document/fortigate/7.0.5/administration-guide/101256/ztna-tcp-forwarding-a...

Some deployment examples are provided in the video links below:

https://video.fortinet.com/latest/ztna-access-proxy-with-saml-and-mfa-using-fortiauthenticator

https://video.fortinet.com/latest/using-ztna-to-access-protected-tcp-applications

Regards

sx11
bmduncan33
New Contributor II

Howdy Tom. I'm wondering how you made out? I didn't see anything particularly helpful in the responses to your question, and I am running into the exact same problem. I followed the same guide you are using and never see the hosts file entries that are supposed to get written. Did you make any progress?

Comasz

Hi bmduncan33, from a Fortinet technician I have heard that in the newest version of FortiClient that file is not updated anymore.
Check this link; in my case it was a missing configuration in the firewall proxy:

set add-vhost/domain-to-dnsdb enable

Regards
Tom

bmduncan33
New Contributor II

That link is for FortiOS 7.40.  Can you tell me what version of FortiOS and FortiClient you are running?  I'm on FortiOS 7.0.10 and FortiClient 7.0.6.  

bmduncan33
New Contributor II

Hi Tom.  I got this working with advice from TAC to upgrade my FortiClient version from 7.0.6 to 7.0.8.  Now I see the entries written to my hosts file and I'm all set.  FYI.
