AEK
SuperUser

ZTNA destinations by FQDN not working anymore

Hi ZTNA admins

 

We were accessing ZTNA destinations with FQDNs from our Windows clients, but for the past few days we have not been able to anymore, without any apparent reason or change.
For now the ZTNA destinations can still be accessed by IP address.
Following some tests I found that FortiGate and EMS can resolve the related FQDNs properly (back-end servers).
However, when trying to resolve the related FQDNs from the client side I noticed that they don't resolve to the right IP addresses, but to strange addresses like 10.235.0.2, 10.235.0.3 and so on, which are not part of our network!

 

Has anyone had the same issue?
Does anyone know what this range (10.235.0.x) is? Is it internal to FCT as part of the proxy system?

AEK
ozkanaltas
Valued Contributor III

Hi @AEK ,

 

Yes, you are right. The "10.235.0.x" address range is used for the ZTNA proxy by FortiClient. If you check your client "hosts" file, you can see the record for your FQDN with this IP range.

 

I think the FortiClient proxy service is not working properly. Can you try to disable and enable the ZTNA feature from the EMS console? This will trigger ZTNA services on the client machine.

 

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
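
An added example, not part of the original posts and not FortiClient tooling: a check that lists which names in a client's hosts file are pinned into the 10.235.0.x range described in the reply above, so an unexpected client-side resolution can be traced to a hosts entry. The /24 mask, the sample hostnames and the function names are assumptions.

```python
import ipaddress
import sys

# Range the reply above attributes to FortiClient's ZTNA proxy.
# Assumption: the thread only says "10.235.0.x", so a /24 is used here.
ZTNA_PROXY_NET = ipaddress.ip_network("10.235.0.0/24")

# Constructed sample hosts file; every hostname below is made up.
SAMPLE_HOSTS = """\
# sample hosts file (constructed)
127.0.0.1      localhost
10.235.0.2     app1.corp.example      # constructed entry
10.235.0.3     files.corp.example wiki.corp.example
192.168.10.20  printer.corp.example
not-an-ip      broken.corp.example
"""

def parse_hosts(text):
    """Yield (address, [names]) for each well-formed hosts line."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank, comment-only, or address without a name
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address: skip rather than abort
        yield addr, [name.lower() for name in fields[1:]]

def ztna_mapped_names(text, net=ZTNA_PROXY_NET):
    """Map each hostname pinned into `net` to its address."""
    return {name: str(addr)
            for addr, names in parse_hosts(text) if addr in net
            for name in names}

def classify(fqdn, text, net=ZTNA_PROXY_NET):
    """Say how the hosts file treats one FQDN."""
    for addr, names in parse_hosts(text):
        if fqdn.lower() in names:
            return "ztna-proxy" if addr in net else "hosts-other"
    return "not-in-hosts"

if __name__ == "__main__":
    # Pass a hosts file path (on Windows: C:\Windows\System32\drivers\etc\hosts).
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for name, addr in sorted(ztna_mapped_names(text).items()):
        print(f"{name} -> {addr}")
```
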
AEK

Thanks Ozkan for the information.

Sure, I'll try it and advise.

AEK
AEK

I was helped by TAC support, and the issue was fixed just by using a proxy rule instead of a firewall rule.

I need to review my ZTNA lessons.

AEK