Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Muhammad_Reza
New Contributor

ZTNA Virtual Host not working

Dear All

I'm using FortiOS 7.4, FortiCloud EMS 7.2 and FortiClient 7.2.2.
I have a problem accessing internal HTTP/S services/servers that are mapped in the ZTNA server on the FortiGate and listed as ZTNA destinations in EMS.

I followed this guide: https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/708477/mapping-ztna-virtual-...

I tried to access the internal domain names from the internet with the URLs https://hris.br.bayangroup.net and https://ems.br.bayangroup.net, and the error shown on the FortiClient endpoint is:
Error Code: 022
Error Message: The page you requested has been blocked because the real server in the API gateway cannot be found.
Certificate Information: No end-point info found. Client certificate is provided.

This is my relevant FortiOS config:

config firewall vip
    edit "ZTNA-ISP1"
        set type access-proxy
        set server-type https
        set extip xx.xx.xx.xx
        set extintf "port1"
        set extport 443
        set ssl-certificate "Wildcard_certificate_EXP_2023"
    next
end

config firewall access-proxy-virtual-host
    edit "auto-ZTNA-ISP1-0"
        set ssl-certificate "Wildcard_certificate_EXP_2023"
        set host "hris.br.bayangroup.net"
    next
    edit "auto-ZTNA-ISP1-1"
        set ssl-certificate "Wildcard_certificate_EXP_2023"
        set host "ems.br.bayangroup.net"
    next
end

config firewall access-proxy
    edit "ZTNA-ISP1"
        set vip "ZTNA-ISP1"
        set add-vhost-domain-to-dnsdb enable
        config api-gateway
            edit 1
                set service http
                set virtual-host "auto-ZTNA-ISP1-0"
                config realservers
                    edit 1
                        set ip 10.1.100.38
                        set port 80
                    next
                end
            next
            edit 2
                set virtual-host "auto-ZTNA-ISP1-1"
                config realservers
                    edit 1
                        set ip 10.1.1.57
                    next
                end
            next
        end
    next
end

config firewall proxy-policy
    edit 1
        set name "ZTNA01-Pol"
        set proxy access-proxy
        set access-proxy "ZTNA-ISP1"
        set srcintf "upg-zone-port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
    next
end

How can I access my internal protected resources by FQDN?

Please kindly help.
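As an added illustration (not part of the original post and not Fortinet code), the lookup chain the posted config defines, modelled in Python: parse the FortiOS CLI text, then for a requested hostname walk virtual-host -> api-gateway -> realserver the way the access proxy has to before it can forward anything. The config text is a constructed copy of the post's virtual-host and access-proxy tables with the closing `next`/`end` statements added. The matching rules (exact FQDN match for the default host-type, glob for `host-type wildcard`) and the warnings about unset `service`/`port` are this example's simplified model, not FortiOS's implementation; the defaults FortiOS applies to those settings are deliberately not hard-coded here.

```python
"""Model of the ZTNA lookup chain: virtual-host -> api-gateway -> realserver (added example)."""
import fnmatch
import shlex

# Constructed input: the virtual-host and access-proxy tables from the post, with the
# closing 'next'/'end' statements the FortiOS CLI requires added so the text parses.
CONFIG = """
config firewall access-proxy-virtual-host
    edit "auto-ZTNA-ISP1-0"
        set ssl-certificate "Wildcard_certificate_EXP_2023"
        set host "hris.br.bayangroup.net"
    next
    edit "auto-ZTNA-ISP1-1"
        set ssl-certificate "Wildcard_certificate_EXP_2023"
        set host "ems.br.bayangroup.net"
    next
end
config firewall access-proxy
    edit "ZTNA-ISP1"
        set vip "ZTNA-ISP1"
        set add-vhost-domain-to-dnsdb enable
        config api-gateway
            edit 1
                set service http
                set virtual-host "auto-ZTNA-ISP1-0"
                config realservers
                    edit 1
                        set ip 10.1.100.38
                        set port 80
                    next
                end
            next
            edit 2
                set virtual-host "auto-ZTNA-ISP1-1"
                config realservers
                    edit 1
                        set ip 10.1.1.57
                    next
                end
            next
        end
    next
end
"""


def parse_fortios(text):
    """Parse FortiOS 'config/edit/set/next/end' text into nested dicts: a table maps
    entry names to their settings, and a nested table sits under its own name."""
    stack = [{}]
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        kw, *args = shlex.split(line)
        if kw in ("config", "edit"):            # open a table or an entry in it
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "set":                       # one value, or a list for multi-value settings
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif kw in ("next", "end") and len(stack) > 1:
            stack.pop()
        else:
            raise ValueError(f"unexpected or stray statement: {line}")
    if len(stack) != 1:
        raise ValueError("unbalanced config: a 'next' or 'end' is missing")
    return stack[0]


def host_matches(vhost, requested):
    """Simplified model: the default host-type is an exact, case-insensitive FQDN match;
    'host-type wildcard' is treated as a glob such as *.br.bayangroup.net."""
    pattern, requested = vhost["host"].lower(), requested.lower()
    if vhost.get("host-type") == "wildcard":
        return fnmatch.fnmatchcase(requested, pattern)
    return requested == pattern


def resolve(cfg, proxy_name, requested_host):
    """Return the api-gateway and realservers that would serve requested_host (the TLS SNI /
    Host header), or None when no virtual-host matches: then there is no real server to
    forward to, which is the condition the client-side error in the post describes."""
    proxy = cfg["firewall access-proxy"][proxy_name]
    vhosts = cfg["firewall access-proxy-virtual-host"]
    for gw_id, gw in sorted(proxy["api-gateway"].items(), key=lambda kv: int(kv[0])):
        vhost = vhosts.get(gw.get("virtual-host"))
        if vhost and host_matches(vhost, requested_host):
            servers = [(rs.get("ip"), rs.get("port")) for rs in gw.get("realservers", {}).values()]
            return {"api_gateway": gw_id, "virtual_host": gw["virtual-host"],
                    "service": gw.get("service"), "realservers": servers}
    return None


def check_chain(cfg, proxy_name):
    """Static checks on the chain; returns a list of warning strings (empty when clean)."""
    proxy = cfg["firewall access-proxy"][proxy_name]
    vhosts = cfg["firewall access-proxy-virtual-host"]
    warnings = []
    for gw_id, gw in proxy["api-gateway"].items():
        where = f"api-gateway {gw_id}"
        if gw.get("virtual-host") not in vhosts:
            warnings.append(f"{where}: references unknown virtual-host {gw.get('virtual-host')!r}")
        if not gw.get("realservers"):
            warnings.append(f"{where}: no realservers configured")
        # Unset service/port fall back to FortiOS defaults; flag them so the operator confirms
        # they match the backend instead of assuming (the .38 backend in the post is HTTP on 80).
        if "service" not in gw:
            warnings.append(f"{where}: no 'set service', default applies; confirm it matches the backend")
        for rs_id, rs in gw.get("realservers", {}).items():
            if "port" not in rs:
                warnings.append(f"{where} realserver {rs_id}: no 'set port', default applies; confirm it")
    return warnings


if __name__ == "__main__":
    cfg = parse_fortios(CONFIG)
    for host in ("hris.br.bayangroup.net", "ems.br.bayangroup.net", "other.br.bayangroup.net"):
        print(host, "->", resolve(cfg, "ZTNA-ISP1", host))
    for warning in check_chain(cfg, "ZTNA-ISP1"):
        print("WARN", warning)
```

Run against the posted config, the two published hostnames resolve to 10.1.100.38:80 (service http) and 10.1.1.57 (service and port unset), a hostname with no virtual-host resolves to nothing, and the checker flags api-gateway 2 twice because neither its service nor its realserver port is set explicitly. Whether those implicit defaults match what 10.1.1.57 actually serves is one thing to verify on the FortiGate itself; this model only shows where the chain can break, not what the appliance does at runtime.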

1 REPLY
Forticlient_Guru
New Contributor

Can't tell exactly without the logs, but the error indicates some issue between your FortiGate and EMS, as there is no endpoint record found. Did you try to recreate the Security Fabric connection or verify your EMS cert again? You should see the endpoint record in your FGT when you launch "di endpoint record list" via the CLI.

Maybe you can open a ticket with TAC to speed up troubleshooting? Did you know that you can call the support number to get immediate assistance on such issues?

 

Pavol
