Using Debug Commands for Effective ZTNA Troubleshooting on FortiGate
Understanding ZTNA Troubleshooting on FortiGate
Zero Trust Network Access (ZTNA) is a crucial security framework that enforces a 'never trust, always verify' approach for network access. In FortiGate firewalls, ZTNA implementation requires precise configuration and sometimes needs effective troubleshooting to ensure seamless operations. This is where the FortiGate debug commands come into play.
Vital Debug Commands for ZTNA Troubleshooting
Here's a tailored list of FortiGate debug commands specifically for ZTNA troubleshooting, along with their descriptions:
- # diagnose endpoint fctems test-connectivity <EMS>
Verify FortiGate to FortiClient EMS connectivity. - # execute fctems verify <EMS>
Verify the FortiClient EMS’s certificate. - # diagnose test application fcnacd 2
Dump the EMS connectivity information. - # diagnose debug app fcnacd -1
# diagnose debug enable
Run real-time FortiClient NAC daemon debugs. - # diagnose endpoint ec-shm list <ip> <mac> <EMS_serial_number> <EMS_tenant_id>
Display an endpoint record list with optional filters.
Ensuring FortiGate to EMS Connectivity
Successful connectivity between FortiGate and FortiClient EMS is fundamental for ZTNA:
- # diagnose endpoint fctems test-connectivity WIN10-EMS
Run this command to ensure FortiGate to EMS connection is successful. - # execute fctems verify WIN10-EMS
This verifies that the server certificate has already been verified.
Real-Time Debugging with NAC
If issues persist, use real-time debugging with the FortiClient NAC daemon:
- # diagnose debug app fcnacd -1
# diagnose debug enable
Collect detailed connectivity logs for further analysis.
Endpoint Information Verification
Utilize the following commands to collect comprehensive endpoint information:
- # diagnose endpoint ec-shm list 10.6.30.214
Gather network, registration, and device information along with vulnerability status. - # diagnose endpoint lls-comm send ztna find-uid <uid> <EMS_serial_number> <EMS_tenant_id>
Query endpoints by client UID, EMS serial number, and EMS tenant ID.
Querying from WAD Diagnose Commands
Use WAD diagnose commands to dig deeper into ZTNA diagnostics:
- # diagnose wad dev query-by uid <uid> <EMS_serial_number> <EMS_tenant_id>
Query from WAD by user ID, providing detailed endpoint attributes. - # diagnose wad dev query-by ipv4 <ip>
Query from WAD by IP address.
Handling Proxy-Related Processing
Understand how WAD daemon processes proxy requests using debug commands:
- # diagnose wad debug enable category all
# diagnose wad debug enable level verbose
# diagnose debug enable
Conduct real-time proxy processing debug. - [0x7fbd7a46bb60] Received request from client: 10.10.10.20:56312 GET / HTTP/1.1 Host: 192.168.2.86:8443...
Inspect client requests, responses, and debug outputs to determine how requests are processed.
These debugging tools are instrumental in efficiently diagnosing and resolving ZTNA-related issues on FortiGate devices. Incorporating these steps into your troubleshooting process can significantly streamline your network security efforts.