Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor III

ZTNA not working. Help please.



I'm trying to get ZTNA up and running and have the following:

EMS and FortiClients running 7.2.4

FGT600F running 7.0.14, linked to EMS and 'seeing' the configured ZTNA tags


I have successfully set up ZTNA tags and policies on EMS and I can see these on the FortiClients. The clients are showing the tags that I expect.


I have a ZTNA profile configured on the EMS as follows (IPs are made up but principle is the same):

Destination Host: (real IP and port of the server)

Proxy Gateway: (external IP and port configured in ZTNA server on 600F)


I have configured the ZTNA server on the 600F as follows:

External IP:

External port: 9443

Certificate: <valid wildcard cert>

Server Mapping:

 - Type: IPv4

 - Service: HTTPS

 - Virtual Host: Any

 - Match path by: Substring

 - Path: /

 - Server type: IP

 - Server IP:

 - Server Port: 443

 - Server Status: Active


I have a ZTNA rule on the 600F as follows:

Incoming interface: Internet Interface

Source: all

ZTNA tags: <applied using tags that are on the forticlients>

Match tags: any

ZTNA Server: <the server configured above>

Destination: all

Action: Accept

Policy: Enabled


From inside the network (on-fabric), I can merrily browse to so I know the server is up and listening.


From out the network (off-fabric) on a laptop that has FortiClient running and connected to EMS, I can successfully browse directly to the proxy gateway at: The firewall prompts for the certificate from EMS on the client side and then allows the connection. This proves the ZTNA tags and ZTNA rule is working. If I apply a tag that the client does not have, the firewall does not allow the connection and give me a ZTNA error. Good.


From out the network (off-fabric) on a laptop that has FortiClient running and connected to EMS, if I browse to, the client does correctly 'proxy' this to because I can see this arrive on the firewall via a packet capture. But the firewall does not proxy the connection to the real server. No error. Just a timeout.


Any ideas? I'm pretty sure I've configured everything correctly. Could it be a bug?


Many thanks in advance!


Community Manager
Community Manager

Hello Matt,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Anthony-Fortinet Community Team.
New Contributor III

Many thanks @Anthony_E.

New Contributor III

UPDATE: seems some existing VIPs were conflicting with the ZTNA config. Removed the VIPs and now it work working. However, it only works via TCP forwarding. It doesn't work with native HTTPS. Any ideas why this might be?


When browsing the ZTNA server for the internal network, on-fabric. Most likely this kind of issue occurred due to the hairpin effect. 


You can resolve this issue by applying the incoming interfaces and listening interface (wan) in the ZTNA policy. Try assigning 'any' interface in the ZTNA policy, if you are unaware of the incoming interfaces.


Let us know, if that resolves the case.


Hope that helps, 


Kind Regards, 

Bijay Prakash Ghising


Hi @mattw,


You will need to collect debugs to see why it is not working. Please refer to the following links:


You can also run packet sniffer on port 9443 to make sure it is reaching the FortiGate:


di sniffer packet any 'port 9443' 4 0 l 



Top Kudoed Authors