- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- ZTNA not working. Help please.
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ZTNA not working. Help please.
Hello,
I'm trying to get ZTNA up and running and have the following:
EMS and FortiClients running 7.2.4
FGT600F running 7.0.14, linked to EMS and 'seeing' the configured ZTNA tags
I have successfully set up ZTNA tags and policies on EMS and I can see these on the FortiClients. The clients are showing the tags that I expect.
I have a ZTNA profile configured on the EMS as follows (IPs are made up but principle is the same):
Destination Host: 10.1.1.1:443 (real IP and port of the server)
Proxy Gateway: 111.112.113.114:9443 (external IP and port configured in ZTNA server on 600F)
I have configured the ZTNA server on the 600F as follows:
External IP: 111.112.113.114
External port: 9443
Certificate: <valid wildcard cert>
Server Mapping:
- Type: IPv4
- Service: HTTPS
- Virtual Host: Any
- Match path by: Substring
- Path: /
- Server type: IP
- Server IP: 10.1.1.1
- Server Port: 443
- Server Status: Active
I have a ZTNA rule on the 600F as follows:
Incoming interface: Internet Interface
Source: all
ZTNA tags: <applied using tags that are on the forticlients>
Match tags: any
ZTNA Server: <the server configured above>
Destination: all
Action: Accept
Policy: Enabled
From inside the network (on-fabric), I can merrily browse to 10.1.1.1:443 so I know the server is up and listening.
From out the network (off-fabric) on a laptop that has FortiClient running and connected to EMS, I can successfully browse directly to the proxy gateway at: 111.112.113.114:9443. The firewall prompts for the certificate from EMS on the client side and then allows the connection. This proves the ZTNA tags and ZTNA rule is working. If I apply a tag that the client does not have, the firewall does not allow the connection and give me a ZTNA error. Good.
From out the network (off-fabric) on a laptop that has FortiClient running and connected to EMS, if I browse to 10.1.1.1:443, the client does correctly 'proxy' this to 111.112.113.114:9443 because I can see this arrive on the firewall via a packet capture. But the firewall does not proxy the connection to the real server. No error. Just a timeout.
Any ideas? I'm pretty sure I've configured everything correctly. Could it be a bug?
Many thanks in advance!
Labels:
- Labels:
-
ZTNA
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Matt,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Anthony-Fortinet Community Team.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Many thanks @Anthony_E.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
UPDATE: seems some existing VIPs were conflicting with the ZTNA config. Removed the VIPs and now it work working. However, it only works via TCP forwarding. It doesn't work with native HTTPS. Any ideas why this might be?
Created on 04-22-2024 07:27 AM Edited on 04-22-2024 07:37 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When browsing the ZTNA server for the internal network, on-fabric. Most likely this kind of issue occurred due to the hairpin effect.
You can resolve this issue by applying the incoming interfaces and listening interface (wan) in the ZTNA policy. Try assigning 'any' interface in the ZTNA policy, if you are unaware of the incoming interfaces.
Let us know, if that resolves the case.
Hope that helps,
Kind Regards,
Bijay Prakash Ghising
Ghising
Ghising
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @mattw,
You will need to collect debugs to see why it is not working. Please refer to the following links:
You can also run packet sniffer on port 9443 to make sure it is reaching the FortiGate:
di sniffer packet any 'port 9443' 4 0 l
Regards,
Related Posts
Labels
-
FortiGate
6,587 -
FortiClient
1,312 -
5.2
801 -
5.4
639 -
FortiManager
570 -
6.0
416 -
FortiAnalyzer
415 -
5.6
362 -
FortiSwitch
338 -
FortiAP
337 -
FortiClient EMS
268 -
6.2
251 -
FortiMail
246 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
151 -
6.4
128 -
FortiNAC
108 -
FortiGuard
102 -
FortiSIEM
89 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
71 -
Customer Service
70 -
4.0MR3
64 -
SSL-VPN
62 -
Wireless Controller
58 -
FortiProxy
45 -
FortiADC
43 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
32 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
26 -
Firewall policy
25 -
FortiConnect
24 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiAuthenticator
16 -
FortiMonitor
14 -
SAML
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
BGP
12 -
FortiGate v5.0
12 -
Routing
12 -
Interface
12 -
FortiCASB
12 -
LDAP
11 -
VDOM
11 -
Logging
11 -
Virtual IP
10 -
FortiRecorder
10 -
RADIUS
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
fortilink
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SSO
6 -
Application control
6 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
SNMP
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
WAN optimization
4 -
Automation
4 -
DNS Filter
4 -
Web profile
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
Port policy
4 -
FortiScan
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
Fortinet Engage Partner Program
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
VoIP profile
2 -
FortiPAM
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
System settings
2 -
4.0MR1
1 -
TACACS
1 -
Users
1 -
Replacement messages
1 -
Schedule
1 -
Subscription Renewal Policy
1 -
SDN connector
1 -
FortiCWP
1 -
FortiNDR
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Multicast routing
1 -
Zone
1 -
Explicit proxy
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.