Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
raffaeledp
Contributor

ZTNA policy is blocking me

Hello everybody, 

I've been working with ZTNA for about a year without problems.

Since FortiClient EMS was upgraded to version 7.2.5, something strange has been happening.

Screenshot 2024-10-10 alle 09.23.51.png

This user, who has always worked with ZTNA, can't access network resources anymore (he was Off-Fabric during the connection attempts).

Screenshot 2024-10-10 alle 09.19.26.png

This is one of the logs:

date=2024-10-09 time=16:14:43 id=7423779172176101376 itime="2024-10-09 16:14:43" euid=3 epid=101 dsteuid=3 dstepid=1053 logflag=3 logver=702101706 type="traffic" subtype="ztna" level="notice" action="deny" policyid=15 sessionid=10994158 srcip=xxxx dstip=10.1.0.214 srcport=52177 dstport=3389 duration=19603 proto=6 sentbyte=10454368 rcvdbyte=31622617 logid=0005000024 service="RDP" app="RDP" appcat="unscanned" srcintfrole="wan" dstintfrole="lan" policytype="proxy-policy" eventtime=1728483282890140384 wanin=31622617 wanout=7184424 lanin=10454368 lanout=32300828 crscore=30 craction=131072 crlevel="high" poluuid="7f1a8a84-dfd7-51ee-4200-2edb944b93d3" srccountry="Italy" dstcountry="Reserved" srcintf="wan1" dstintf="internal" policyname="ZTNA to RDP" msg="Traffic denied because of failed to match a proxy-policy" threatwgts=30 threatcnts=1 threatlvls=3 threats=blocked-connection threattyps=blocked-connection tz="+0200" vip="ZTNA RDP" accessproxy="ZTNA RDP" gatewayid=1 proxyapptype="http" clientdevicemanageable="manageable" devid="FGT60FTK23099PH2" vd="root" dtime="2024-10-09 16:14:43" itime_t=1728483283 devname="ntd-fg"

The most interesting part I think is msg="Traffic denied because of failed to match a proxy-policy".

But, if we check the policy, nothing should be blocked:

This is a firewall policy.

Screenshot 2024-10-10 alle 09.22.24.png

The error is saying something about a proxy-policy (that I don't have). Is this the problem? I don't think so, because ZTNA worked until yesterday. 

What do you think?

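Added example (not from the thread, and not Fortinet code): a small Python parser for the FortiGate key=value log format shown in the post, which pulls the ZTNA deny lines out of a batch of logs and counts them per policy and deny reason, so a sudden run of "failed to match a proxy-policy" denies after a client or EMS upgrade stands out. The sample lines are constructed from the log above (abridged to the fields used, srcip redacted as in the original) plus one constructed "accept" line for contrast; the function names are mine.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample input: the deny line from the post, abridged to the fields used
# here (srcip redacted as in the original), plus a constructed "accept" line for contrast.
SAMPLE_LOGS = [
    'date=2024-10-09 time=16:14:43 type="traffic" subtype="ztna" level="notice" '
    'action="deny" policyid=15 srcip=xxxx dstip=10.1.0.214 srcport=52177 dstport=3389 '
    'proto=6 service="RDP" policytype="proxy-policy" policyname="ZTNA to RDP" '
    'msg="Traffic denied because of failed to match a proxy-policy" vip="ZTNA RDP" '
    'accessproxy="ZTNA RDP" gatewayid=1 clientdevicemanageable="manageable" devname="ntd-fg"',
    'date=2024-10-09 time=16:20:01 type="traffic" subtype="ztna" level="notice" '
    'action="accept" policyid=15 srcip=xxxx dstip=10.1.0.214 srcport=52201 dstport=3389 '
    'proto=6 service="RDP" policytype="proxy-policy" policyname="ZTNA to RDP" '
    'accessproxy="ZTNA RDP" gatewayid=1 devname="ntd-fg"',
]

# One key=value pair: the value is either double-quoted (may contain spaces) or a bare token.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse a FortiGate key=value log line into a dict, with quotes stripped."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def ztna_denies(lines: List[str]) -> List[Dict[str, str]]:
    """Return a triage record for each ZTNA deny, keeping the fields that explain it."""
    records = []
    for line in lines:
        rec = parse_fortigate_log(line)
        if rec.get("subtype") != "ztna" or rec.get("action") != "deny":
            continue
        records.append({
            "time": f'{rec.get("date")} {rec.get("time")}',
            "policy": rec.get("policyname"),
            "policytype": rec.get("policytype"),  # as logged: the ZTNA rule is reported as a proxy-policy
            "access_proxy": rec.get("accessproxy"),
            "target": f'{rec.get("dstip")}:{rec.get("dstport")}',
            "client_manageable": rec.get("clientdevicemanageable"),
            "reason": rec.get("msg"),
        })
    return records


def deny_counts(lines: List[str]) -> Counter:
    """Count ZTNA denies per (policy, reason); a jump after an upgrade is the signal to look for."""
    return Counter((r["policy"], r["reason"]) for r in ztna_denies(lines))
```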
1 Solution
raffaeledp

I solved the problem. The solution was to create the ZTNA XML configuration manually. I had to move the "gateways" tag down in order for it to be correctly recognized by FortiClient on macOS.

3 REPLIES
soolani
New Contributor



It seems the issue might be related to the recent FortiClient EMS upgrade to version 7.2.5. The error message about "failed to match a proxy-policy" could indicate a configuration mismatch that was introduced during the upgrade, even though you don't have a proxy-policy in place. I would suggest reviewing any changes made to your ZTNA policies after the upgrade and double-checking the FortiClient settings to ensure they're still aligned with your network requirements.

raffaeledp

Thank you for your reply. But I really don't understand one thing: all the settings have always been the same. Nothing changed. I checked, but everything is the same as before... this is really bad...
