ZTNA troubleshooting and debugging
The following debug commands can be used to troubleshoot ZTNA issues:
| Command | Description |
|---|---|
| `# diagnose endpoint fctems test-connectivity <EMS>` | Verify FortiGate to FortiClient EMS connectivity. |
| `# execute fctems verify <EMS>` | Verify the FortiClient EMS's certificate. |
| `# diagnose test application fcnacd 2` | Dump the EMS connectivity information. |
| `# diagnose debug app fcnacd -1`<br>`# diagnose debug enable` | Run real-time FortiClient NAC daemon debugs. |
| `# diagnose endpoint record list <ip>` | Show the endpoint record list. Optionally, filter by the endpoint IP address. |
| `# diagnose endpoint lls-comm send ztna find-uid <uid>` | Query endpoints by client UID. |
| `# diagnose endpoint lls-comm send ztna find-ip-vdom <ip> <vdom>` | Query endpoints by the client IP-VDOM pair. |
| `# diagnose wad dev query-by uid <uid>` | Query from WAD diagnose command by UID. |
| `# diagnose wad dev query-by ipv4 <ip>` | Query from WAD diagnose command by IP address. |
| `# diagnose firewall dynamic list` | List EMS ZTNA tags and all dynamic IP and MAC addresses. |
| `# diagnose test application fcnacd 7`<br>`# diagnose test application fcnacd 8` | Check the FortiClient NAC daemon ZTNA and route cache. |
| `# diagnose wad worker policy list` | Display statistics associated with access proxy rules. |
| `# diagnose wad debug enable category all`<br>`# diagnose wad debug enable level verbose`<br>`# diagnose debug enable` | Run real-time WAD debugs. |
| `# diagnose debug reset` | Reset debugs when completed. |
The WAD daemon handles proxy-related processing. The FortiClient NAC daemon (fcnacd) handles FortiGate to EMS connectivity.
Troubleshooting usage and output
- Verify the FortiGate to EMS connectivity and EMS certificate:

  ```
  # diagnose endpoint fctems test-connectivity WIN10-EMS
  Connection test was successful:
  # execute fctems verify WIN10-EMS
  Server certificate already verified.
  # diagnose test application fcnacd 2
  EMS context status:
  FortiClient EMS number 1:
  name: WIN10-EMS
  confirmed: yes
  fetched-serial-number: FCTEMS0000109188
  Websocket status: connected
  ```
- If fcnacd does not report the proper status, run real-time fcnacd debugs:

  ```
  # diagnose debug app fcnacd -1
  # diagnose debug enable
  ```
- Verify the following information about an endpoint:

  - Network information
  - Registration information
  - Client certificate information
  - Device information
  - Vulnerability status
  - Relative position with the FortiGate

  ```
  # diagnose endpoint record list 10.6.30.214
  Record #1:
  IP Address = 10.6.30.214
  MAC Address = 00:0c:29:ba:1e:61
  MAC list = 00:0c:29:ba:1e:61;00:0c:29:ba:1e:6b;
  VDOM = root (0)
  EMS serial number: FCTEMS8821001322
  Client cert SN: 17FF6595600A1AF53B87627AB4EBEDD032593E64
  Quarantined: no
  Online status: online
  Registration status: registered
  On-net status: on-net
  Gateway Interface: port2
  FortiClient version: 7.0.0
  AVDB version: 84.778
  FortiClient app signature version: 18.43
  FortiClient vulnerability scan engine version: 2.30
  FortiClient UID: 5FCFA3ECDE4D478C911D9232EC9299FD
  Host Name: ADPC
  …
  Number of Routes: (1)
  Gateway Route #0:
  - IP:10.1.100.214, MAC: 00:0c:29:ba:1e:6b, Indirect: no
  - Interface:port2, VFID:0, SN: FG5H1E5819902474
  online records: 1; offline records: 0; quarantined records: 0
  ```
- Query the endpoint information, including ZTNA tags, by UID or by IP address and VDOM:

  ```
  # diagnose endpoint lls-comm send ztna find-uid 5FCFA3ECDE4D478C911D9232EC9299FD
  UID: 5FCFA3ECDE4D478C911D9232EC9299FD
  status code:ok
  Domain: qa.wangd.com
  User: user1
  Cert SN:17FF6595600A1AF53B87627AB4EBEDD032593E64
  EMS SN: FCTEMS8821001322
  Routes(1):
  - route[0]: IP=10.1.100.214, VDom=root
  Tags(3):
  - tag[0]: name=ZT_OS_WIN
  - tag[1]: name=all_registered_clients
  - tag[2]: name=Medium
  ```

  ```
  # diagnose endpoint lls-comm send ztna find-ip-vdom 10.1.100.214 root
  UID: 5FCFA3ECDE4D478C911D9232EC9299FD
  status code:ok
  Domain: qa.wangd.com
  User: user1
  Cert SN:17FF6595600A1AF53B87627AB4EBEDD032593E64
  EMS SN: FCTEMS8821001322
  Routes(1):
  - route[0]: IP=10.1.100.214, VDom=root
  Tags(3):
  - tag[0]: name=ZT_OS_WIN
  - tag[1]: name=all_registered_clients
  - tag[2]: name=Medium
  ```
- Query endpoint information from WAD by UID or IP address:

  ```
  # diagnose wad dev query-by uid 5FCFA3ECDE4D478C911D9232EC9299FD
  Attr of type=0, length=32, value(ascii)=5FCFA3ECDE4D478C911D9232EC9299FD
  Attr of type=4, length=30, value(ascii)=MAC_FCTEMS8821001322_ZT_OS_WIN
  Attr of type=4, length=26, value(ascii)=FCTEMS8821001322_ZT_OS_WIN
  Attr of type=4, length=43, value(ascii)=MAC_FCTEMS8821001322_all_registered_clients
  Attr of type=4, length=39, value(ascii)=FCTEMS8821001322_all_registered_clients
  Attr of type=4, length=27, value(ascii)=MAC_FCTEMS8821001322_Medium
  Attr of type=4, length=23, value(ascii)=FCTEMS8821001322_Medium
  Attr of type=5, length=18, value(ascii)=FOSQA@qa.wangd.com
  Attr of type=6, length=40, value(ascii)=17FF6595600A1AF53B87627AB4EBEDD032593E64
  ```

  ```
  # diagnose wad dev query-by ipv4 10.1.100.214
  Attr of type=0, length=32, value(ascii)=5FCFA3ECDE4D478C911D9232EC9299FD
  Attr of type=4, length=30, value(ascii)=MAC_FCTEMS8821001322_ZT_OS_WIN
  Attr of type=4, length=26, value(ascii)=FCTEMS8821001322_ZT_OS_WIN
  Attr of type=4, length=43, value(ascii)=MAC_FCTEMS8821001322_all_registered_clients
  Attr of type=4, length=39, value(ascii)=FCTEMS8821001322_all_registered_clients
  Attr of type=4, length=27, value(ascii)=MAC_FCTEMS8821001322_Medium
  Attr of type=4, length=23, value(ascii)=FCTEMS8821001322_Medium
  Attr of type=5, length=18, value(ascii)=FOSQA@qa.wangd.com
  Attr of type=6, length=40, value(ascii)=17FF6595600A1AF53B87627AB4EBEDD032593E64
  ```
- List all the dynamic ZTNA IP and MAC addresses learned from EMS:

  ```
  # diagnose firewall dynamic list
  List all dynamic addresses:
  FCTEMS0000109188_all_registered_clients: ID(51)
  ADDR(172.17.194.209)
  ADDR(192.168.40.8)
  …
  FCTEMS0000109188_Low: ID(78)
  ADDR(172.17.194.209)
  ADDR(192.168.40.8)
  …
  FCTEMS0000109188_Malicious-File-Detected: ID(190)
  ADDR(172.17.194.209)
  ADDR(192.168.40.8)
  …
  ```
- Check the FortiClient NAC daemon ZTNA and route cache:

  ```
  # diagnose test application fcnacd 7
  ZTNA Cache:
  -uid 5FCFA3ECDE4D478C911D9232EC9299FD: {
    "tags": [
      "ZT_OS_WIN",
      "all_registered_clients",
      "Medium"
    ],
    "domain": "qa.wangd.com",
    "user_name": "user1",
    "client_cert_sn": "17FF6595600A1AF53B87627AB4EBEDD032593E64",
    "owner": "FOSQA@qa.wangd.com",
    "gateway_route_list": [
      {
        "gateway_info": {
          "fgt_sn": "FG5H1E5819902474",
          "interface": "port2",
          "vdom": "root"
        },
        "route_info": [
          {
            "ip": "10.1.100.214
  ```
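The two views above come from different daemons: fcnacd holds the tags it received from EMS, while WAD, which processes the access proxy rules, exposes them as dynamic address names of the form `<EMS SN>_<tag>` and `MAC_<EMS SN>_<tag>`. When a ZTNA rule keyed on a tag does not match, one useful check is whether every tag fcnacd reports for the endpoint has a corresponding WAD address. The following Python script is an added example, not Fortinet code: it parses the `find-uid` and `wad dev query-by uid` output formats shown on this page and lists the tags WAD has not learned. Both sample outputs are constructed from the documented ones; the WAD sample deliberately drops the two `Medium` attributes to produce a mismatch. The attribute-type meanings it assumes (0 = UID, 4 = tag address name, 5 = owner, 6 = client certificate SN) are inferred from the sample output, not from a published format description.

```python
"""Cross-check an endpoint's ZTNA tags between fcnacd and WAD.

Added example (not Fortinet code). Parses the text output of
    diagnose endpoint lls-comm send ztna find-uid <uid>   (fcnacd view)
    diagnose wad dev query-by uid <uid>                   (WAD view)
and reports tags fcnacd holds that WAD has no dynamic address for.
Attribute types 0/4/5/6 are an assumption inferred from the documented
sample output (UID, tag address name, owner, client cert SN).
"""
import re

# Constructed sample, copied from the find-uid output in the documentation.
FCNACD_OUTPUT = """\
UID: 5FCFA3ECDE4D478C911D9232EC9299FD
status code:ok
Domain: qa.wangd.com
User: user1
Cert SN:17FF6595600A1AF53B87627AB4EBEDD032593E64
EMS SN: FCTEMS8821001322
Routes(1):
- route[0]: IP=10.1.100.214, VDom=root
Tags(3):
- tag[0]: name=ZT_OS_WIN
- tag[1]: name=all_registered_clients
- tag[2]: name=Medium
"""

# Constructed sample: the documented query-by output with both "Medium"
# attributes deliberately removed, to simulate a tag WAD has not learned.
WAD_OUTPUT = """\
Attr of type=0, length=32, value(ascii)=5FCFA3ECDE4D478C911D9232EC9299FD
Attr of type=4, length=30, value(ascii)=MAC_FCTEMS8821001322_ZT_OS_WIN
Attr of type=4, length=26, value(ascii)=FCTEMS8821001322_ZT_OS_WIN
Attr of type=4, length=43, value(ascii)=MAC_FCTEMS8821001322_all_registered_clients
Attr of type=4, length=39, value(ascii)=FCTEMS8821001322_all_registered_clients
Attr of type=5, length=18, value(ascii)=FOSQA@qa.wangd.com
Attr of type=6, length=40, value(ascii)=17FF6595600A1AF53B87627AB4EBEDD032593E64
"""

FIELD_RE = re.compile(r"^(UID|status code|Domain|User|Cert SN|EMS SN):\s*(\S.*)$")
ROUTE_RE = re.compile(r"^- route\[\d+\]: IP=(\S+), VDom=(\S+)$")
TAG_RE = re.compile(r"^- tag\[\d+\]: name=(\S+)$")
ATTR_RE = re.compile(r"^Attr of type=(\d+), length=(\d+), value\(ascii\)=(.*)$")


def parse_fcnacd(text: str) -> dict:
    """Parse 'ztna find-uid' output into a dict with scalar fields, routes and tags."""
    rec = {"routes": [], "tags": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := FIELD_RE.match(line):
            # "Cert SN" -> "cert_sn", "status code" -> "status_code", ...
            rec[m.group(1).lower().replace(" ", "_")] = m.group(2).strip()
        elif m := ROUTE_RE.match(line):
            rec["routes"].append({"ip": m.group(1), "vdom": m.group(2)})
        elif m := TAG_RE.match(line):
            rec["tags"].append(m.group(1))
    return rec


def parse_wad(text: str) -> dict:
    """Parse 'wad dev query-by' output; reject attrs whose length field is wrong."""
    rec = {"uid": None, "tag_addrs": [], "owner": None, "cert_sn": None}
    for raw in text.splitlines():
        m = ATTR_RE.match(raw.strip())
        if not m:
            continue
        atype, length, value = int(m.group(1)), int(m.group(2)), m.group(3)
        if len(value) != length:
            raise ValueError(f"declared length {length} != actual for {value!r}")
        if atype == 0:
            rec["uid"] = value
        elif atype == 4:
            rec["tag_addrs"].append(value)
        elif atype == 5:
            rec["owner"] = value
        elif atype == 6:
            rec["cert_sn"] = value
    return rec


def missing_in_wad(fcnacd: dict, wad: dict) -> list:
    """Return fcnacd tags with no matching WAD dynamic-address name.

    WAD names a tag address <EMS SN>_<tag> (IP based) or MAC_<EMS SN>_<tag>
    (MAC based); either form counts as learned.
    """
    if wad["uid"] != fcnacd.get("uid") or wad["cert_sn"] != fcnacd.get("cert_sn"):
        raise ValueError("fcnacd and WAD outputs describe different endpoints")
    ems = fcnacd["ems_sn"]
    learned = set(wad["tag_addrs"])
    return [t for t in fcnacd["tags"]
            if not {f"{ems}_{t}", f"MAC_{ems}_{t}"} & learned]


if __name__ == "__main__":
    gap = missing_in_wad(parse_fcnacd(FCNACD_OUTPUT), parse_wad(WAD_OUTPUT))
    print("tags not learned by WAD:", ", ".join(gap) if gap else "none")
```

Run against the constructed samples the script reports `Medium` as the one tag WAD has not learned; against the unmodified documented outputs it reports none. The UID and certificate serial check in `missing_in_wad` guards against pasting outputs captured for two different endpoints, and the declared-length check in `parse_wad` catches output that was wrapped or truncated when it was copied.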