Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.

ZTNA Tags IP/MAC are empty

Hello everyone,


I'm really suggering with ZTNA :( :) 


I tried to get IP/MAC informations inside my ZTNA tags on FortiGate. I configured corretly EMS / Forticlient and Fortigate. My tags are sync successfully but the are emtpy 


On my fortiGate, my device is correctly registred : 


My tag is correctly added : 


But when I looked inside it on my FortiGate, the tag is definitevly empty : 


I don't know what I can do to correctly sync device information with my fortigate. I'm sure it's simple but I can't find how.


I really need your help ! 







I'm sure I mistaken somewhere.... But what is the correct way to sync/send IP and MAC address in tags to my FortiGate.


By default the EMS doesn't send ZTNA tags for devices that are off-net. You have two options here.

1. If the device is on the network then you can create on-net rules to trigger the device to be on-net status which will update the ZTNA tags.

2. You can configure EMS to send IPs for devices that are off-net. Edit the FGT in EMS (Administration > Fabric Devices) and uncheck "Filter tag IPs from specific FortiGates". The EMS will now send off-net IP addresses to the FGT. This is generally not recommended as you may get alot of off-net IP addresses for devices that are not on the network.




I can't see option "Filter tag IPs from specific FortiGates" but here is what I share from EMS : 



It's really strange because all seems to work fine but my tags stay empty on my fortigate... 


Do you have another suggestion ? Thanks



I tried to configure an "on-net" rule but same behaviour... My tags stay empty and it drives me crazy :-)....


Maybe one important information. The FortiGate where tags are sync is not my primary default gateway. It's maybe why IP/Mac are not sync correctly. 


What I tried to do is to sync ZNAT Tags from remote client (trough VPN) : 

Remote Client -> VPN -> FortiGate (VPN, ZNAT Tags) -> Netowork (EMS, Server1, Server2, ...)


1) Is it possible to "sync" remote client IP in ZNAT trought VPN ? 

2) Is it possible to use Firewall policies based on ZNAT Tags and IP ? 


It's strange because when my device is connected trough VPN, I can see some informations in my FortiGate but not all, and my device is seen as offline...


IP Address =
MAC Address = 00:00:00:00:00:00
MAC list =
VDOM = root (0)
EMS serial number:
Client cert SN:
Public IP address:
Quarantined: no
Online status: offline
Registration status: not registered
On-net status: off-net






After some search and as I can see, the forticlient muts be connected (as default gw) to the fortigate. So it's mybe why tags are not correct. But, why when I'm connected trough my VPN my tags are not updated ?


So after a lot of search, the "sync" problem appears only when my devices are connected trought VPN. 

So how can I sync tags and devices when they are connected trough VPN tunnel ? 


What type of VPN are you using to connect the clients? I've just tested connecting through an SSLVPN and can confirm that the tags get populated on the EMS/FGT.


Below you can see the 'linux' ZTNA tag being populated with the IP address of which is the IP address of the client when it connects via SSLVPN:

Linux ZTNA tag on FGT populated with the SSLVPN IP addressLinux ZTNA tag on FGT populated with the SSLVPN IP addressFortiClient with Linux ZTNA tag and SSLVPN IP addressFortiClient with Linux ZTNA tag and SSLVPN IP address


FYI in my setup I'm using the following versions:


FGT: 7.0.5

EMS: 7.0.3

FCT: 7.0.3

New Contributor III

Hi there.

I'm having a similar situation.

EMS 7.0.7

FCT 7.0.7

FGT 6.4.8

FMG 7.0.4


I have the EMS address objects both on the FMG and on the FGT, but they do not get populated at all. The FCTs needing to populate them are connecting via SSLVPN.


Any help on this?


Top Kudoed Authors