ZTNA logging enhancements

The ZTNA log subtype is added to UTM logs and a traffic log ID is added for ZTNA related traffic.

There are six events that generate logs in the subtype:

  1. Received an empty client certificate

  2. Received a client certificate that fails to validate

  3. API gateway cannot be matched

  4. None of the real servers can be reached

  5. ZTNA rule (proxy policy) cannot be matched

  6. HTTPS SNI virtual host does not match the HTTP host header

ZTNA related traffic will generate logs when logging all allowed traffic is enabled in the policy.

To enable logging all traffic in a policy in the GUI:
  1. Go to Policy & Objects > Firewall Policy and edit a policy.

  2. Set Log Allowed Traffic to All Sessions.

  3. Click OK.

To enable logging all traffic in a policy in the CLI:
config firewall policy
    edit <policy number>
        set logtraffic all

Log samples

A client PC ( is connected to port2 on the FortiGate. The FortiGate is also connected to a FortiClient EMS, and a real server that is defined in the ZTNA server API gateway.

  • Access proxy server: zs2

  • Access proxy VIP: zv2

  • Access proxy VIP external IP address:

  • Mapped real server IP address:

UTM and traffic log samples for each of the six event types:
  1. Received an empty client certificate:

    When connecting to the ZTNA access proxy, the client did not send a client certificate to the FortiGate for verification. The empty certificate is disallo