- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- ZTNA Access Denied with Forticlient on Fedora
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ZTNA Access Denied with Forticlient on Fedora
Dear colleagues,
I don't get ZTNA running with Forticlient on Fedora Linux. I always get the massage
"ZTNA Access Denied
The page you requested has been blocked by a ZTNA restriction.
Details: Invalid ZTNA client certificate"
I tried Firefox, Chromium and Brave as Browsers but got the same result.
I rejoined the client to EMS, I reinstalled Forticlient but no change. Is there someone with the same problem or anybody who could help?
Forticlient 7.2.2.0753
EMS Forticloud
Fortigate 7.0.12
kind regards
stephan
Solved! Go to Solution.
Labels:
- Labels:
-
FortiClient
-
FortiClient EMS
-
ZTNA
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
At the end I could fix it by using another device. It was not working on my Lenovo T480 together with Linux even though it is working on T480 with windows. So just be informed that you may have trouble with some devices and Linux by using Forticlient which can maybe not be solved.
best
stephan
13 REPLIES 13
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Setphan ,
In Windows, FortiClient automatically installs certificates into the certificate store. The certificate information in the store, such as certificate UID and SN, should match the information on FortiClient EMS and FortiGate.
To locate certificates on endpoint consult the vendor documentation.
Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
If you have found a solution, please like and accept it to make it easily accessible for others.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The error message you're seeing relates to the ZTNA client certificate. These certificates are crucial for ensuring a secure connection between the client and the server. If the certificate is expired, corrupted, or not trusted, it can lead to such issues.
- Check if the ZTNA client certificate is still valid. Expired certificates will need to be renewed.
- Ensure that the certificate is correctly installed and that the FortiClient software has the necessary permissions to access it.
- Sometimes, it might help to manually import the certificate into the system's trusted certificate store.
Siddhanth Poojary
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi@sschuster,
If your FortiClient is connected to EMS, your client device should receive ZTNA client certificate.
On Fedora, you can verify if the certificate is imported into NSS shared DB with the bellow command:
certutil -d sql:$HOME/.pki/nssdb -Ln 'FortiClient ZTNA'
If you don't see any certificate there, maybe check if TPM is enabled in your BIOS (or VM config).
If you you can see the details of the ZTNA certificate, maybe just try closing ALL of your browser windows and then starting them again. Your browsers should prompt you to submit a ZTNA certificate when accessing ZTNA secured website.
If you get stuck, I'd suggest opening a TAC Support ticket.
HTH,
Boris
Boris
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @sschuster
Can you please check, if the forticlient learned the tags from EMS that you are trying to access the service or application?
Regards,
Vinay HM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The Tags are displayed. The connection to EMS looks good.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your Aswers so far.
certutil -d sql:$HOME/.pki/nssdb -Ln 'FortiClient ZTNA'shows the certificate (but it takes really long time, >10sec?) and the browsers are showing the popup to select the client cert.
Unfortunately I don't have logs about whats happening during that certificate check.
Fortigate is not logging this in the ZTNA logs, Forticlient seems to log nothing as well and the browser, started in terminal, does not show sothing as well.
The only thing I could find is
{
"request_time": "Mon Oct 9 13:40:59 2023 CEST",
"receive_time": "Mon Oct 9 13:43:35 2023 CEST",
"request_reason": "client certificate cannot be found on the system",
"cert_serial": "[removed by me]",
"ems_serial": "[removed by me]",
"ems_address": "fct-[removed by me].forticlient-emsproxy.forticloud.com"
}
in /var/log/forticlient/ztna-cert.info.
best
stephan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @sschuster
Can you please give the output of the below command to the user?
diagnose endpoint record list
Is the EMS serial number and client cert matching on the Fortigate and EMS server?
Regards,
Vinay HM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The Fedora machine is not in the list. Checking Fortigate to find out why
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The Fortigate shows only 3 offline users/machines but none of the devices currently as online displayed in EMS. I activated "share all Forticlients" in the "fabric devices" setting in EMS but without any effect. The Connection between Fortigate and EMS seems to be working. If I create a new ZTNA Tag, its showed on the Fortigate.
Related Posts
- EMS cloud: Registration attempt by Endpoint... 730 Views
- FortiClient certificate warning on Linux 625 Views
- SSLVPN SSO - access denied and... 635 Views
- Unable to connect with linux forticlient... 513 Views
- Unable to run/connect VPN using Forticlient... 683 Views
Labels
-
FortiGate
6,542 -
FortiClient
1,304 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
243 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
70 -
Customer Service
70 -
4.0MR3
64 -
SSL-VPN
60 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
32 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
Firewall policy
24 -
SD-WAN
24 -
FortiConnect
23 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
FortiAuthenticator
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
FortiGate v5.0
12 -
Routing
12 -
Interface
12 -
FortiCASB
12 -
Logging
11 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
FortiDB
3 -
Port policy
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
Fortinet Engage Partner Program
2 -
TACACS
1 -
4.0MR1
1 -
Schedule
1 -
Users
1 -
SDN connector
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
FortiPAM
1 -
Application signature
1 -
Web rating
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Multicast routing
1 -
Email filter profile
1 -
Zone
1 -
Internet Service Database
1 -
Explicit proxy
1 -
System settings
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.