Using Debug Commands for Effective ZTNA Troubleshooting on FortiGate

Published on: 12-08-2024 By Saurabh Yadav

Understanding ZTNA Troubleshooting on FortiGate

Zero Trust Network Access (ZTNA) is a crucial security framework that enforces a 'never trust, always verify' approach for network access. In FortiGate firewalls, ZTNA implementation requires precise configuration and sometimes needs effective troubleshooting to ensure seamless operations. This is where the FortiGate debug commands come into play.

Vital Debug Commands for ZTNA Troubleshooting

Here's a tailored list of FortiGate debug commands specifically for ZTNA troubleshooting, along with their descriptions:

  • # diagnose endpoint fctems test-connectivity <EMS>
    Verify FortiGate to FortiClient EMS connectivity.
  • # execute fctems verify <EMS>
    Verify the FortiClient EMS’s certificate.
  • # diagnose test application fcnacd 2
    Dump the EMS connectivity information.
  • # diagnose debug app fcnacd -1
    # diagnose debug enable
    Run real-time FortiClient NAC daemon debugs.
  • # diagnose endpoint ec-shm list <ip> <mac> <EMS_serial_number> <EMS_tenant_id>
    Display an endpoint record list with optional filters.

Ensuring FortiGate to EMS Connectivity

Successful connectivity between FortiGate and FortiClient EMS is fundamental for ZTNA:

  • # diagnose endpoint fctems test-connectivity WIN10-EMS
    Run this command to ensure FortiGate to EMS connection is successful.
  • # execute fctems verify WIN10-EMS
    This verifies that the server certificate has already been verified.

Real-Time Debugging with NAC

If issues persist, use real-time debugging with the FortiClient NAC daemon:

  • # diagnose debug app fcnacd -1
    # diagnose debug enable
    Collect detailed connectivity logs for further analysis.

Endpoint Information Verification

Utilize the following commands to collect comprehensive endpoint information:

  • # diagnose endpoint ec-shm list 10.6.30.214
    Gather network, registration, and device information along with vulnerability status.
  • # diagnose endpoint lls-comm send ztna find-uid <uid> <EMS_serial_number> <EMS_tenant_id>
    Query endpoints by client UID, EMS serial number, and EMS tenant ID.

Querying from WAD Diagnose Commands

Use WAD diagnose commands to dig deeper into ZTNA diagnostics:

  • # diagnose wad dev query-by uid <uid> <EMS_serial_number> <EMS_tenant_id>
    Query from WAD by user ID, providing detailed endpoint attributes.
  • # diagnose wad dev query-by ipv4 <ip>
    Query from WAD by IP address.

Handling Proxy-Related Processing

Understand how WAD daemon processes proxy requests using debug commands:

  • # diagnose wad debug enable category all
    # diagnose wad debug enable level verbose
    # diagnose debug enable
    Conduct real-time proxy processing debug.
  • [0x7fbd7a46bb60] Received request from client: 10.10.10.20:56312 GET / HTTP/1.1 Host: 192.168.2.86:8443...
    Inspect client requests, responses, and debug outputs to determine how requests are processed.
Conclusion:

These debugging tools are instrumental in efficiently diagnosing and resolving ZTNA-related issues on FortiGate devices. Incorporating these steps into your troubleshooting process can significantly streamline your network security efforts.