Support Forum
raffaeledp
Contributor

ZTNA does not work on macOS

Hello everybody, 

I'm working in a ZTNA environment.

(screenshot: Screenshot 2024-10-11 alle 09.01.17.png)

We have a simple ZTNA firewall policy rule that is working perfectly for every single Windows user.

All the users (windows or macos) have the same tags. 

I have these tags too (I'm a macOS user):

(screenshot: Screenshot 2024-10-11 alle 15.28.16.png)

When a macOS user tries to access ZTNA, we see an error like this on the FortiGate:

date=2024-10-09 time=16:14:43 id=7423779172176101376 itime="2024-10-09 16:14:43" euid=3 epid=101 dsteuid=3 dstepid=1053 logflag=3 logver=702101706 type="traffic" subtype="ztna" level="notice" action="deny" policyid=15 sessionid=10994158 srcip=xxx dstip=10.1.0.214 srcport=52177 dstport=3389 duration=19603 proto=6 sentbyte=10454368 rcvdbyte=31622617 logid=0005000024 service="RDP" app="RDP" appcat="unscanned" srcintfrole="wan" dstintfrole="lan" policytype="proxy-policy" eventtime=1728483282890140384 wanin=31622617 wanout=7184424 lanin=10454368 lanout=32300828 crscore=30 craction=131072 crlevel="high" poluuid="7f1a8a84-dfd7-51ee-4200-2edb944b93d3" srccountry="Italy" dstcountry="Reserved" srcintf="wan1" dstintf="internal" policyname="ZTNA to RDP" msg="Traffic denied because of failed to match a proxy-policy" threatwgts=30 threatcnts=1 threatlvls=3 threats=blocked-connection threattyps=blocked-connection tz="+0200" vip="ZTNA RDP" accessproxy="ZTNA RDP" gatewayid=1 proxyapptype="http" clientdevicemanageable="manageable" devid="FGT60FTK23099PH2" vd="root" dtime="2024-10-09 16:14:43" itime_t=1728483283 devname="ntd-fg"

This has been happening since the FortiClient EMS upgrade (7.2.5 build 1061). Is there any known issue with ZTNA and macOS?

rahul_p1
Staff
raffaeledp

I solved the problem. The solution was to manually create the ZTNA XML configuration. I had to shift the "gateways" tag down in order for it to be correctly recognized by FortiClient on macOS.

Ron_M

Can you demonstrate how to do this?

raffaeledp

Hello, take a look at this post: https://community.fortinet.com/t5/Support-Forum/Bug-found-with-new-Forticlient-Update-7-2-5/td-p/348... Inside it you can find the initial XML configuration.

I don't know where the problem is with the initial one, but the solution works.

This is the wrong one:

<?xml version="1.0" ?>
<forticlient_configuration>
  <ztna>
    <allow_personal_rules>1</allow_personal_rules>
    <gateways uid="E26376A0-8370-4CFF-B5B6-1B6392F0D512">
      <alias>ZTNA</alias>
      <addr>xyz:13389</addr>
      <redirect>1</redirect>
      <rules uid="2D866340-9E8D-4CF3-A0C0-1200C546C56E">
        <name>VirtualMachine</name>
        <type>private</type>
        <destination>xxx:3389</destination>
        <encryption>1</encryption>
        <enabled>1</enabled>
        <mode>transparent</mode>
        <local_port>7788</local_port>
      </rules>
    </gateways>
    <notify_on_error>1</notify_on_error>
    <enabled>1</enabled>
    <gateways_enabled>1</gateways_enabled>
    <portals_enabled>0</portals_enabled>
    <disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>
    <rules>
      <rule uid="2D866340-9E8D-4CF3-A0C0-1200C546C56E">
        <name>VirtualMachine</name>
        <type>private</type>
        <app_uid>bcd3fa59a2e38084e53b76fbe619630a</app_uid>
        <allow_all_gateways>0</allow_all_gateways>
        <mask/>
        <encryption>1</encryption>
        <mode>transparent</mode>
        <destination>xxx:3389</destination>
        <local_port>7788</local_port>
        <gateway>xyz:13389</gateway>
        <redirect>1</redirect>
      </rule>
    </rules>
    <disabled_rules/>
  </ztna>
  <endpoint_control>
    <ui>
      <display_ztna>1</display_ztna>
    </ui>
  </endpoint_control>
</forticlient_configuration>

This is the correct one:

<?xml version="1.0" ?>
<forticlient_configuration>
  <ztna>
    <notify_on_error>1</notify_on_error>
    <gateways_enabled>1</gateways_enabled>
    <disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>
    <portals_enabled>1</portals_enabled>
    <allow_personal_rules>0</allow_personal_rules>
    <enabled>1</enabled>
    <gateways>
      <gateway>
        <redirect>1</redirect>
        <addr>xyz:13389</addr>
        <alias>ZTNA</alias>
        <rules>
          <rule>
            <name>VirtualMachine</name>
            <mode>transparent</mode>
            <enabled>1</enabled>
            <destination>xxx:3389</destination>
            <encryption>1</encryption>
            <local_port>7788</local_port>
            <type>private</type>
          </rule>
        </rules>
      </gateway>
    </gateways>
    <rules>
      <rule uid="27FE7A17-0D9E-41A1-9A2F-AD77022066F3">
        <name>VirtualMachine</name>
        <type>private</type>
        <app_uid>bcd3fa59a2e38084e53b76fbe619630a</app_uid>
        <allow_all_gateways>0</allow_all_gateways>
        <mask/>
        <encryption>1</encryption>
        <mode>transparent</mode>
        <destination>xxx:3389</destination>
        <local_port>7788</local_port>
        <gateway>xyz:13389</gateway>
        <redirect>0</redirect>
      </rule>
    </rules>
    <disabled_rules/>
  </ztna>
  <endpoint_control>
    <ui>
      <display_ztna>1</display_ztna>
    </ui>
  </endpoint_control>
</forticlient_configuration>
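To make the structural change concrete, here is an added Python example (not from the thread or from Fortinet) that detects the flat <gateways uid=...> layout of the first profile and rewrites it into the nested <gateways><gateway>...<rules><rule> layout of the second, moving the block below the scalar settings as the reply describes. The sample profile, host names and uids are constructed placeholders; the other value differences between the two posted files (portals_enabled, allow_personal_rules, the rule's redirect flag) are deliberately left untouched, because the reply does not attribute the fix to them.

```python
"""Normalize the <gateways> block of a FortiClient ZTNA XML profile."""
import xml.etree.ElementTree as ET

# Constructed sample in the flat layout the thread reports failing on macOS:
# gateway fields sit directly under <gateways uid=...>, and the per-gateway
# rule fields directly under <rules uid=...>. Hosts and uids are placeholders.
BROKEN_XML = """<forticlient_configuration><ztna>
<allow_personal_rules>1</allow_personal_rules>
<gateways uid="PLACEHOLDER-GW-UID">
<alias>ZTNA</alias><addr>gw.example:13389</addr><redirect>1</redirect>
<rules uid="PLACEHOLDER-RULE-UID">
<name>VirtualMachine</name><type>private</type><mode>transparent</mode>
<destination>host.example:3389</destination><encryption>1</encryption>
<enabled>1</enabled><local_port>7788</local_port>
</rules></gateways>
<enabled>1</enabled><gateways_enabled>1</gateways_enabled>
<rules><rule uid="PLACEHOLDER-RULE-UID"><name>VirtualMachine</name></rule></rules>
</ztna></forticlient_configuration>"""


def is_flat_gateways(ztna):
    """True when <gateways> carries gateway fields itself instead of <gateway> children."""
    gws = ztna.find("gateways")
    return gws is not None and gws.find("gateway") is None and gws.find("addr") is not None


def normalize_profile(xml_text):
    """Return (changed, xml). A flat <gateways> is rewritten to
    <gateways><gateway>...<rules><rule>...</rule></rules></gateway></gateways>
    and moved below the scalar ztna settings, just before the top-level <rules>,
    which is the shape of the profile that worked on macOS in the thread."""
    root = ET.fromstring(xml_text)
    ztna = root.find("ztna")
    if ztna is None or not is_flat_gateways(ztna):
        return False, xml_text
    old = ztna.find("gateways")
    ztna.remove(old)
    new_gws = ET.Element("gateways")  # no uid attribute, as in the working profile
    gw = ET.SubElement(new_gws, "gateway")
    for child in list(old):
        if child.tag == "rules":      # wrap the bare rule fields in <rules><rule>
            rule = ET.SubElement(ET.SubElement(gw, "rules"), "rule")
            rule.extend(list(child))
        else:                         # alias, addr, redirect keep their values
            gw.append(child)
    tags = [c.tag for c in ztna]
    ztna.insert(tags.index("rules") if "rules" in tags else len(tags), new_gws)
    ET.indent(root)                   # pretty-print (Python 3.9+)
    return True, ET.tostring(root, encoding="unicode")
```

Running the function a second time on its own output returns it unchanged, so it is safe to apply to a profile that is already in the working layout.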