aguerriero
Contributor II

ZTNA SSH proxy not working with some SSH clients.

FortiClient 7.2.1

Windows 10
JetBrains/DataGrip SSH client

PuTTY 0.76

When setting up a ZTNA destination I can connect to devices using PuTTY/SSH and everything works. When using the JetBrains/DataGrip database IDE that uses the OpenSSH library, the application never connects.

I was under the impression that ZTNA would intercept and proxy traffic based on destination address/port, but the FortiClient seems to not try to proxy the OpenSSH client at all. Traffic from the IDE application is still trying to use regular routing for the ZTNA destination.

https://www.jetbrains.com/help/datagrip/configuring-ssh-and-ssl.html#ssl 

1 Solution
aguerriero
Contributor II

Looks like it is the UI timing out before the FortiClient can intercept the traffic. I'll take this to the JetBrains forum to see if there is something that can be changed there.

aguerriero
Contributor II

From the attached screenshots, I can use the JetBrains SSH client to SSH to any destination that is not ZTNA (100.99.32.148).

I can use the Windows OpenSSH client from the CLI and get the FortiGate/FAC MFA prompt for ZTNA destination 10.235.0.1. The JetBrains client is set to use the Windows OpenSSH client.

When using this JetBrains client, the connection times out because it is trying to use my network's default gateway instead of the FortiClient proxy to reach 10.235.0.1.

Is there some way to let the FortiClient know that port 22 from this application to a ZTNA destination needs to be processed by the FortiClient and not use default routing?


[Screenshots: JetBrains to non-ZTNA destination; JetBrains using OpenSSH to ZTNA destination; Windows command prompt to ZTNA destination]
