Peter3
New Contributor II

fortiGate matches the ztna-ems-tag

When using fortiClient to connect to ssl-vpn, does fortiGate's firewall policy allow ssl-vpn traffic?


1. Connect to ZERO TRUST TELEMETRY and pass the ZTNA authentication; FortiClient obtains the ZTNA-EMS-TAG.

2. Connect SSL-VPN to the FortiGate.

3. The FortiGate policy is as follows (it does not check the ztna-ems-tag):

config firewall policy
    edit 1
        set name "Allow_sslvpn_users"
        set uuid 7f32310a-131c-511e-283d-23f23f23fcb164
        set srcintf "ssl.root"
        set dstintf "port1"
        set action accept
        set ztna-status enable
        set srcaddr "SSL_VPN"
        set dstaddr "PRIVATE"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set ips-sensor "default"
        set users "test"
    next
end

 

Question: Will ssl-vpn traffic be allowed?

Regards,
pgautam
Staff

Hi @Peter3,

Thank you for posting your query.

Yes, you can use EMS ZTNA tags on VPN policies.

Please refer to "IP/MAC-based access control", page 1126, in the link below:

https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/187b45d8-d7ee-11ed-8e6d-fa163e...

Please see the community thread below for a discussion of the use case:

https://community.fortinet.com/t5/Support-Forum/Fortigate-ZTNA-Tag-added-in-policy-SSLVPN-cannot-acc...

 

Regards
Priyanka
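As an added example (not from the original post and not Fortinet's documentation), here is the policy from the question rewritten so that it does check an EMS tag, which is the form the reply refers to. The tag object name "EMS1_ZTNA_Compliant" is an assumption; use whichever EMS tag object your FortiGate has synchronized from EMS.

```text
# Added example: SSL-VPN policy that only matches endpoints carrying an EMS ZTNA tag.
# "EMS1_ZTNA_Compliant" is an assumed tag object name, not one from the original post.
config firewall policy
    edit 2
        set name "Allow_sslvpn_ztna_tagged_users"
        set srcintf "ssl.root"
        set dstintf "port1"
        set action accept
        set srcaddr "SSL_VPN"
        set dstaddr "PRIVATE"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set ips-sensor "default"
        # ztna-status must be enabled before a tag can be referenced
        set ztna-status enable
        set ztna-ems-tag "EMS1_ZTNA_Compliant"
        set users "test"
    next
end
```

Before relying on the tagged policy, confirm that the tag has actually been pushed to the FortiGate and that the connecting client's VPN address is resolved into it (for example with `diagnose firewall dynamic list`). A client whose address is not in the tag will not match this policy, so whether its SSL-VPN traffic is allowed or dropped is decided by whatever policy, if any, follows it in the list.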
