Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Peter3
New Contributor II

fortiGate matches the ztna-ems-tag

When using fortiClient to connect to ssl-vpn, does fortiGate's firewall policy allow ssl-vpn traffic?

 

image.png

 

1. Connect to ZERO TRUST TELEMETRY and pass the ztna authentication. forticlient obtains the ZTNA-EMS-TAG

2. Connect ssl-vpn to fortiGate,

3. The fortiGate policy is as follows: Do not check the ztna-ems-tag

config firewall policy
edit 1
set name "Allow_sslvpn_users"
set uuid 7f32310a-131c-511e-283d-23f23f23fcb164
set srcintf "ssl.root"
set dstintf "port1"
set action accept
set ztna-status enable
set srcaddr "SSL_VPN"
set dstaddr "PRIVATE"
set schedule "always"
set service "ALL"
set utm-status enable
set ssl-ssh-profile "certificate-inspection"
set av-profile "default"
set ips-sensor "default"
set users "test"
next
end

 

Question: Will ssl-vpn traffic be allowed?

Regards,
Regards,
1 REPLY 1
pgautam
Staff
Staff

Hi @Peter3 


Thank you for posting your query.

Yes, you can use EMS ZTNA tags on VPN policies.

Please refer to "IP/MAC-based access control" page no 1126 in the below link:-

https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/187b45d8-d7ee-11ed-8e6d-fa163e...

Please check the below community for the use case discussion:-

https://community.fortinet.com/t5/Support-Forum/Fortigate-ZTNA-Tag-added-in-policy-SSLVPN-cannot-acc...

 

Regards
Priyanka


- Have you found a solution? Then give your helper a "Kudos" and mark the solution

 

 

 

 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors