Hello,
We have an issue with configuring and using ZTNA tag for filtering internal traffic.
We would like to base our config on following example:
https://docs.fortinet.com/document/fortigate/7.0.0/new-features/477578/ztna-ip-mac-filtering-example
but we would like to use it with many Fabric firewalls not just one (as it is shown in the example).
Here is our setup:
1) EMS server (7.2.6) assigns the ZTNA tag - it works OK
2) FortiManager (7.2.8) synchronizes the ZTNA config to all our firewalls (7.2.9) - it works OK
3) We configure internal traffic rules using the ZTNA tag as the source criterion.
Unfortunately, we discovered that the above config works properly only within one firewall. That is because the ZTNA tag is mapped ONLY to local IP addresses on the firewall.
Thus, if we want to use the ZTNA tag globally as a source criterion, it doesn't work (because a particular firewall maps the ZTNA tag only to local IPs and doesn't know anything about remote source IPs for that tag).
Question:
Is there a way to make the ZTNA tag globally significant?
I.e., can each and every firewall have all ZTNA tag mappings for all IP addresses in the global network (not only for its own local subnets)?
Regards,
Krzysztof
Hi @Krzysztof1
Did you try to enable "Share all FortiClients" in "FortiClient Endpoint Sharing", under EMS > Administration > Fabric devices > your FortiGate devices?
If I'm not wrong, this should share tags not only with FGTs that are directly connected to clients, but also with remote FGTs that are behind routers/firewalls.
Another thing: I remember I tried to do the same with multiple firewalls and I noticed the active ZTNA clients and their tags were only detected by the firewall that was directly connected to EMS; unfortunately I didn't have the opportunity to troubleshoot further. But I guess there should be some specific traffic to allow between EMS and the remote FGT in order to get them synchronized properly (here you may need some troubleshooting).
Hope it helps.
Thanks a lot!
It looks like it did the trick.
How to get all endpoint IP details to For... - Fortinet Community
https://community.fortinet.com/t5/FortiClient/Technical-Tip-How-to-get-all-endpoint-IP-details-to-Fo...
Hi,
For IP/MAC filtering based on ZTNA tags, the user should be behind the FGT and the gateway of the user should be the FGT interface IP.