FortiGate matches the ztna-ems-tag
When using FortiClient to connect to SSL-VPN, does the FortiGate firewall policy allow the SSL-VPN traffic?
1. Connect to ZERO TRUST TELEMETRY and pass ZTNA authentication. FortiClient obtains the ZTNA EMS tag.
2. Connect SSL-VPN to the FortiGate.
3. The FortiGate policy is as follows (it does not check the ztna-ems-tag):
config firewall policy
    edit 1
        set name "Allow_sslvpn_users"
        set uuid 7f32310a-131c-511e-283d-23f23f23fcb164
        set srcintf "ssl.root"
        set dstintf "port1"
        set action accept
        set ztna-status enable
        set srcaddr "SSL_VPN"
        set dstaddr "PRIVATE"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set ips-sensor "default"
        set users "test"
    next
end
Question: Will SSL-VPN traffic be allowed?
Labels: FortiClient, FortiGate
Hi @Peter3
Thank you for posting your query.
Yes, you can use EMS ZTNA tags on VPN policies.
Please refer to "IP/MAC-based access control", page 1126, in the link below:
Please check the community discussion below for the use case:
Regards
Priyanka
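The question's policy enables ZTNA enforcement (`set ztna-status enable`) but binds no `ztna-ems-tag`, and the answer points out that EMS ZTNA tags can be set on VPN policies. A quick way to find policies in that first state across a configuration is to parse the `config firewall policy` block and flag accept policies that enable ZTNA without a tag. The following is an added example, not Fortinet code or anything from either poster: it embeds the question's policy 1 as a constructed sample alongside a hypothetical policy 2 that binds a made-up EMS tag name (`EMS1_ZTNA_Compliant`), and assumes the standard FortiOS CLI layout of `edit`/`set`/`next`/`end`.

```python
"""Audit FortiOS 'config firewall policy' text for policies that enable ZTNA
checks (ztna-status enable) but bind no EMS tag (ztna-ems-tag).

Added example, not Fortinet code. Assumes the FortiOS CLI layout shown in the
question: 'config firewall policy' / 'edit <id>' / 'set <key> <values>' /
'next' / 'end'. Values are split on whitespace with double quotes honoured.
"""
import shlex

# Constructed sample: policy 1 is the one from the question (UTM lines
# omitted); policy 2 is a hypothetical variant that binds an EMS tag
# (the tag name is made up for this example).
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set name "Allow_sslvpn_users"
        set srcintf "ssl.root"
        set dstintf "port1"
        set action accept
        set ztna-status enable
        set srcaddr "SSL_VPN"
        set dstaddr "PRIVATE"
        set schedule "always"
        set service "ALL"
        set users "test"
    next
    edit 2
        set name "Allow_sslvpn_tagged"
        set srcintf "ssl.root"
        set dstintf "port1"
        set action accept
        set ztna-status enable
        set ztna-ems-tag "EMS1_ZTNA_Compliant"
        set srcaddr "SSL_VPN"
        set dstaddr "PRIVATE"
        set schedule "always"
        set service "ALL"
    next
end
"""


def parse_policies(text):
    """Return {policy_id: {key: [values]}} for a 'config firewall policy' block."""
    policies = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)  # honours quoted values such as "ssl.root"
        if tokens[0] == "edit" and len(tokens) == 2:
            current = tokens[1]
            policies[current] = {}
        elif tokens[0] == "set" and current is not None and len(tokens) >= 3:
            policies[current][tokens[1]] = tokens[2:]
        elif tokens[0] == "next":
            current = None
    return policies


def policies_missing_ems_tag(policies):
    """IDs of accept policies with 'ztna-status enable' but no 'ztna-ems-tag'."""
    flagged = []
    for pid, attrs in policies.items():
        if attrs.get("action") != ["accept"]:
            continue
        if attrs.get("ztna-status") != ["enable"]:
            continue
        if not attrs.get("ztna-ems-tag"):
            flagged.append(pid)
    return flagged


if __name__ == "__main__":
    for pid in policies_missing_ems_tag(parse_policies(SAMPLE_CONFIG)):
        print(f"policy {pid}: ztna-status enable but no ztna-ems-tag bound")
```

Run against the sample, the audit reports policy 1 (the question's configuration) and leaves policy 2 alone, because policy 2 names an EMS tag. Feeding it the output of `show firewall policy` from a real unit is the intended use; the parser ignores keys it does not know, so UTM and other settings pass through untouched.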