Problem with sync EMS to Fortigate ZTNA Tags

aproost · ‎03-21-2024

Versions:
FG 7.2.8, EMS 7.2.4 and Client 7.24.

The Tags are only synced when I run Enable/Disable the EMS Fabric or by running this CLI:
diagnose test application fcnacd 99

Even TAGS aren't Matched with Endpoints in the Fortigate, but in EMS and Forticlient it's being tagged.
When I run the CLI then it's being tagged to the client.

ozkanaltas · ‎03-21-2024

Hello @aproost ,

This problem is annoying, I've experienced it many times. I created two workaround solutions for this.

The first is, if you are using fortianalyzer, to put it behind ztna and then have the clients send logs to fortianalyzer with this ip. Since this triggers the ztna connection, it wakes up the service and allows it to synchronize client IP addresses.

The second is to ensure that the command that resets the service runs at certain intervals within automation. This is not a method I recommend because the more it happens, the more burden it will be. So if you choose the second method, keep the frequency high.

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW

AEK · ‎03-21-2024

Can it be related to this 7.2.4's known issue?

990863

Zero trust network access (ZTNA) tags do not sync correctly between non-default EMS site and FortiGate.

AEK