Hello everybody,
I've been working with a ZTNA for about a year without problems.
Since Forticlient EMS upgraded to 7.2.5 version, something strange is happenening.
This user, who has always worked with ZTNA, can't access network resources anymore (he was Off-Fabric during the connection attempts).
This is one the logs:
date=2024-10-09 time=16:14:43 id=7423779172176101376 itime="2024-10-09 16:14:43" euid=3 epid=101 dsteuid=3 dstepid=1053 logflag=3 logver=702101706 type="traffic" subtype="ztna" level="notice" action="deny" policyid=15 sessionid=10994158 srcip=xxxx dstip=10.1.0.214 srcport=52177 dstport=3389 duration=19603 proto=6 sentbyte=10454368 rcvdbyte=31622617 logid=0005000024 service="RDP" app="RDP" appcat="unscanned" srcintfrole="wan" dstintfrole="lan" policytype="proxy-policy" eventtime=1728483282890140384 wanin=31622617 wanout=7184424 lanin=10454368 lanout=32300828 crscore=30 craction=131072 crlevel="high" poluuid="7f1a8a84-dfd7-51ee-4200-2edb944b93d3" srccountry="Italy" dstcountry="Reserved" srcintf="wan1" dstintf="internal" policyname="ZTNA to RDP" msg="Traffic denied because of failed to match a proxy-policy" threatwgts=30 threatcnts=1 threatlvls=3 threats=blocked-connection threattyps=blocked-connection tz="+0200" vip="ZTNA RDP" accessproxy="ZTNA RDP" gatewayid=1 proxyapptype="http" clientdevicemanageable="manageable" devid="FGT60FTK23099PH2" vd="root" dtime="2024-10-09 16:14:43" itime_t=1728483283 devname="ntd-fg"
The most interesting part I think is msg="Traffic denied because of failed to match a proxy-policy".
But, if we check the policy, nothing should be blocked:
This is a firewall policy.
The error is saying something about a proxy-policy (that I don't have). Is this the problem? I don't think so, because ZTNA worked until yesterday.
What do you think?
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
I solved the problem. The solution was to create manually the XML ZTNA configuration. I had to shift down the "gateways" tag, in order to be correctly recognized by the Forticlient on macOS.
@raffaeledpdinosaur utahnced wrote:
Hello everybody,
I've been working with a ZTNA for about a year without problems.
Since Forticlient EMS upgraded to 7.2.5 version, something strange is happenening.
This user, who has always worked with ZTNA, can't access network resources anymore (he was Off-Fabric during the connection attempts).
This is one the logs:
date=2024-10-09 time=16:14:43 id=7423779172176101376 itime="2024-10-09 16:14:43" euid=3 epid=101 dsteuid=3 dstepid=1053 logflag=3 logver=702101706 type="traffic" subtype="ztna" level="notice" action="deny" policyid=15 sessionid=10994158 srcip=xxxx dstip=10.1.0.214 srcport=52177 dstport=3389 duration=19603 proto=6 sentbyte=10454368 rcvdbyte=31622617 logid=0005000024 service="RDP" app="RDP" appcat="unscanned" srcintfrole="wan" dstintfrole="lan" policytype="proxy-policy" eventtime=1728483282890140384 wanin=31622617 wanout=7184424 lanin=10454368 lanout=32300828 crscore=30 craction=131072 crlevel="high" poluuid="7f1a8a84-dfd7-51ee-4200-2edb944b93d3" srccountry="Italy" dstcountry="Reserved" srcintf="wan1" dstintf="internal" policyname="ZTNA to RDP" msg="Traffic denied because of failed to match a proxy-policy" threatwgts=30 threatcnts=1 threatlvls=3 threats=blocked-connection threattyps=blocked-connection tz="+0200" vip="ZTNA RDP" accessproxy="ZTNA RDP" gatewayid=1 proxyapptype="http" clientdevicemanageable="manageable" devid="FGT60FTK23099PH2" vd="root" dtime="2024-10-09 16:14:43" itime_t=1728483283 devname="ntd-fg"
The most interesting part I think is msg="Traffic denied because of failed to match a proxy-policy".
But, if we check the policy, nothing should be blocked:
This is a firewall policy.
The error is saying something about a proxy-policy (that I don't have). Is this the problem? I don't think so, because ZTNA worked until yesterday.
What do you think?
It seems the issue might be related to the recent FortiClient EMS upgrade to version 7.2.5. The error message about "failed to match a proxy-policy" could indicate a configuration mismatch that was introduced during the upgrade, even though you don't have a proxy-policy in place. I would suggest reviewing any changes made to your ZTNA policies after the upgrade and double-checking the FortiClient settings to ensure they're still aligned with your network requirements.
Thank you for your reply. But I really don't understand one thing: all the settings has always been the same. Nothing changed. I checked, but everything is the same as before...this is really bad...
I solved the problem. The solution was to create manually the XML ZTNA configuration. I had to shift down the "gateways" tag, in order to be correctly recognized by the Forticlient on macOS.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1688 | |
1087 | |
752 | |
446 | |
226 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.