
Administration Guide

ZTNA for UDP traffic NEW

ZTNA for UDP traffic NEW

ZTNA supports UDP traffic from FortiClient 7.4.1 and later endpoints. When UDP traffic to a destination is detected, FortiClient forms a UDP connection over QUIC to the FortiProxy ZTNA gateway. After authentication, security posture check, and authorization, FortiProxy forms a connection with the destination and the end-to-end UDP traffic passes through.

Scope and limitations

  • FortiClient endpoint must be running 7.4.1 or later.

  • FortiClient EMS 7.4.1 and later supports the option to enable UDP on a ZTNA application.

CLI syntax

To support UDP traffic forwarding, the FortiProxy VIP associated with the ZTNA server configuration must have h3-support enabled.

# Syntax: h3-support is set on the access-proxy VIP that fronts the ZTNA server.
# Per the surrounding text, UDP traffic forwarding requires h3-support to be enabled on this VIP.
config firewall vip
  edit <ZTNA VIP>
    set type access-proxy
    set h3-support {enable | disable}
  next
end

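The UDP applications themselves are configured under the firewall access-proxy configuration. As the syntax below shows, they are declared with url-map "/tcp" and service tcp-forwarding, even though the traffic is UDP: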

# Syntax: bind an access proxy to the ZTNA VIP and list each UDP application as a realserver.
# The UDP application is declared under url-map "/tcp" with service tcp-forwarding; this listing
# shows no UDP-specific service value.
config firewall access-proxy
    edit <name>
        set vip <ZTNA VIP>
        config api-gateway
            edit 1
                set url-map "/tcp"
                set service tcp-forwarding
                config realservers
                    edit 1
                        # Address and port(s) of the UDP application that FortiProxy connects to.
                        set address <UDP application address>
                        set mappedport <UDP application port(s)>
                    next
		end
            next
        end
    next
end

FortiClient EMS configuration

From the FortiClient EMS server, you must edit the ZTNA applications to enable UDP.

Example

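When an application on an endpoint initiates UDP traffic, FortiClient forms a UDP connection over QUIC to the FortiProxy ZTNA gateway (10.0.3.10:9043). After authentication, security posture check, and authorization, FortiProxy forms a UDP connection with the destination (quic.nginx.org), and the end-to-end UDP traffic passes through. This example allows the endpoint to reach three different destinations through UDP. Note that the configuration and sample logs below use different values from the ones named in this paragraph: the gateway VIPs are 10.1.20.1, 10.1.20.5, and 10.1.20.9 on port 8888, and the destinations are 172.18.76.33:443, 94.140.14.14:853, and 1.0.0.1:53.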

To configure FortiProxy:
# Three access-proxy VIPs, one per UDP destination in this example. Each listens on its own
# external IP at port 8888, with server-type https and h3-support enabled.
# NOTE(review): the uuid lines look device-generated; presumably they can be omitted when the
# objects are re-created on another unit - confirm.
# NOTE(review): extintf "any" does not tie the VIP to a single ingress interface; consider naming
# the interface that faces the endpoints.
# NOTE(review): "Fortinet_SSL" appears to be a factory-default certificate; for production,
# presumably substitute a certificate issued for the gateway - confirm.
config firewall vip
    edit "ztna_vip"
        set uuid 0c0e724e-a60b-51ef-db23-26940edc4402
        set type access-proxy
        set server-type https
        set extip 10.1.20.1
        set h3-support enable
        set extintf "any"
        set extport 8888
        set ssl-certificate "Fortinet_SSL"
    next
    edit "doq_cert"
        set uuid 947371a4-a6ae-51ef-fec3-6b7f0b14c59f
        set type access-proxy
        set server-type https
        set extip 10.1.20.5
        set h3-support enable
        set extintf "any"
        set extport 8888
        set ssl-certificate "Fortinet_SSL"
    next
  edit "dns_vip"
        set uuid 1c8a8cca-a6c4-51ef-80d6-b867b9235367
        set type access-proxy
        set server-type https
        set extip 10.1.20.9
        set h3-support enable
        set extintf "any"
        set extport 8888
        set ssl-certificate "Fortinet_SSL"
    next     
end   


# Host (/32) address objects for two of the three destinations used in this example.
# NOTE(review): the access-proxy configuration on this page also references an address named
# "1.0.0.1", which is not defined in this block; presumably that object must exist as well - confirm.
config firewall address
    edit "server_33"
        set uuid 3a3123d8-a60b-51ef-c7d6-94bf48dcd7e8
        set subnet 172.18.76.33 255.255.255.255
next
edit "server94.140.14.14"
        set uuid 6d936346-a6ae-51ef-886a-bdead78dfa81
        set subnet 94.140.14.14 255.255.255.255
    next
end


# Three access proxies, each binding one VIP to a single realserver:
#   "access-proxy"  : VIP "ztna_vip" -> "server_33" port 443
#   "doq_cert"      : VIP "doq_cert" -> "server94.140.14.14" port 853
#   "access-proxy1" : VIP "dns_vip"  -> "1.0.0.1" port 53
# Every gateway uses url-map "/tcp" with service tcp-forwarding, although the destinations are
# reached over UDP in this example.
config firewall access-proxy
    edit "access-proxy"
        set vip "ztna_vip"
        config api-gateway
            edit 5
                set url-map "/tcp"
                set service tcp-forwarding
                config realservers
                    edit 1
                        set address "server_33"
                        set mappedport 443 
                    next
                end
            next
        end
    next
    edit "doq_cert"
        set vip "doq_cert"
        config api-gateway
            edit 1
                set url-map "/tcp"
                set service tcp-forwarding
                config realservers
                    edit 1
                        set address "server94.140.14.14"
                        set mappedport 853 
                    next
                end
            next
        end
    next 
    edit "access-proxy1"
        set vip "dns_vip"
        config api-gateway
            edit 1
                set url-map "/tcp"
                set service tcp-forwarding
                config realservers
                    edit 1
                        # NOTE(review): no address object named "1.0.0.1" is defined in the
                        # firewall address block of this example - confirm it exists.
                        set address "1.0.0.1"
                        set mappedport 53 
                    next
                end
            next
        end
    next 
end     

# Three access-proxy policies, one per access proxy: tc1 -> "doq_cert", tc2 -> "access-proxy1",
# tc3 -> "access-proxy". Each enables logtraffic all, logtraffic-start, log-http-transaction and
# extended-log; presumably these settings produce the ZTNA traffic logs used for verification.
# NOTE(review): every policy matches srcintf "any", srcaddr "all" and dstaddr "all", and none
# shows a user, group or security-posture tag condition. As listed, the policies do not show how
# the authentication and posture check described on this page are enforced; a production policy
# would presumably add those conditions - confirm against the deployment.
config firewall policy
# NOTE(review): tc1 is shown with status disable, yet the sample logs on this page record
# policyid=4 (policyname="tc1") with action="accept"; presumably it was enabled during the test.
edit 4
        set type access-proxy
        set status disable
        set name "tc1"
        set uuid 37bb5da4-a6b4-51ef-de42-7f4108602748
        set srcintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set access-proxy "doq_cert"
        set logtraffic all
        set logtraffic-start enable
        set log-http-transaction enable
        set extended-log enable
        set ssl-ssh-profile "certificate-inspection"
    next 
    # NOTE(review): tc2 is also shown with status disable, while the sample logs record
    # policyid=6 (policyname="tc2") with action="accept" - enable it before verifying.
    edit 6
        set type access-proxy
        set status disable
        set name "tc2"
        set uuid 245671fc-a6c5-51ef-0310-b41eac08fd57
        set srcintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set access-proxy "access-proxy1"
        set logtraffic all
        set logtraffic-start enable
        set log-http-transaction enable
        set extended-log enable
        set ssl-ssh-profile "certificate-inspection"
    next 
    # tc3 carries no status line, unlike tc1 and tc2.
    edit 7
        set type access-proxy
        set name "tc3"
        set uuid ecb22964-a6c7-51ef-3b66-9aed56737e89
        set srcintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set access-proxy "access-proxy"
        set logtraffic all
        set logtraffic-start enable
        set log-http-transaction enable
        set extended-log enable
        set ssl-ssh-profile "certificate-inspection"
next
end
To configure FortiClient EMS:
  1. From Fabric & Connectors > ZTNA Application Catalog, locate each application retrieved from the FortiProxy.

  2. Edit each application, and select Enable UDP.

  3. Go to Endpoint Profiles > ZTNA Destinations, and edit the Default profile.

  4. Under Rules, click +Add. Select the applications learned from the FortiProxy, and then click Finish.

  5. Click Save to save this profile, and push changes to managed FortiClients.

To verify:
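  1. Verify DNS over QUIC (DoQ) by running a DoQ script from a Linux terminal, and then check the logs in FortiProxy. In the sample logs, the entries for this test are those with policyname="tc1" and accessproxy="doq_cert":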

    Sample logs:

    # exec log filter field subtype ztna
    # exec log display 
    215 logs found.
    10 logs returned.
    50.9% of logs has been searched.
    date=2024-11-28 time=13:32:48 eventtime=1732829567500943296 tz="-0800" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.120.1.41 srcport=45660 srcintf="port1" srcintfrole="undefined" dstcountry="Reserved" srccountry="Reserved" dstip=10.1.20.5 dstport=8888 dstintf="port1" dstintfrole="undefined" sessionid=1835553063 service="tcp/8888" proxyapptype="http" proto=6 action="accept" policyid=4 policytype="proxy-policy" poluuid="37bb5da4-a6b4-51ef-de42-7f4108602748" policyname="tc1" trandisp="snat" transip=10.120.1.209 transport=0 clientip=10.120.1.41 appcat="unscanned" duration=0 vip="doq_cert" accessproxy="doq_cert" clientdevicemanageable="unknown" clientcert="no" wanin=0 rcvdbyte=0 wanout=0 lanin=0 sentbyte=0 lanout=0 fctuid="6F6248B158C74FF98905ADCE528DB1E7" unauthuser="userb" unauthusersource="forticlient" srcremote=207.102.138.19
    
    29: date=2024-11-28 time=13:31:27 eventtime=1732829487500544467 tz="-0800" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.120.1.41 srcport=45640 srcintf="port1" srcintfrole="undefined" dstcountry="Reserved" srccountry="Reserved" dstip=10.1.20.5 dstport=8888 dstintf="port1" dstintfrole="undefined" sessionid=1835553062 service="tcp/8888" proxyapptype="http" proto=6 action="accept" policyid=4 policytype="proxy-policy" poluuid="37bb5da4-a6b4-51ef-de42-7f4108602748" policyname="tc1" trandisp="snat" transip=10.120.1.209 transport=0 clientip=10.120.1.41 appcat="unscanned" duration=0 vip="doq_cert" accessproxy="doq_cert" clientdevicemanageable="unknown" clientcert="no" wanin=0 rcvdbyte=0 wanout=0 lanin=0 sentbyte=0 lanout=0 fctuid="6F6248B158C74FF98905ADCE528DB1E7" unauthuser="userb" unauthusersource="forticlient" srcremote=207.102.138.19
    
  2. Verify DNS traffic, and then check the logs in FortiProxy. The forwarded query appears as a proto=17 entry with dstip=1.0.0.1 and dstport=53:

    Sample logs:

    # exec log filter field subtype ztna
    
    # exec log display
    23 logs found.
    10 logs returned.
    5.1% of logs has been searched.
    
    1: date=2024-11-29 time=09:53:09 eventtime=1732902789224747854 tz="-0800" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.120.1.41 srcport=54305 srcintf="port1" srcintfrole="undefined" dstcountry="Australia" srccountry="Reserved" dstip=1.0.0.1 dstport=53 dstintf="port1" dstintfrole="undefined" service="DNS" proxyapptype="http" proto=17 action="accept" policyid=6 policytype="proxy-policy" poluuid="245671fc-a6c5-51ef-0310-b41eac08fd57" policyname="tc2" appcat="unscanned" duration=15 wanin=0 rcvdbyte=0 wanout=0 lanin=0 sentbyte=0 lanout=0 fctuid="6F6248B158C74FF98905ADCE528DB1E7" unauthuser="userb" unauthusersource="forticlient" srcremote=207.102.138.19
    
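  3. Verify HTTP/3 (QUIC) traffic, and then check the logs in FortiProxy. The forwarded UDP session appears as proto=17 entries with service="udp/443"; the proto=6 entries with dstport=8888 are connections to the gateway VIP: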

    Sample logs:

    1: date=2024-11-29 time=10:03:29 eventtime=1732903409010463530 tz="-0800" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.120.1.41 srcport=38410 srcintf="port1" srcintfrole="undefined" dstcountry="Reserved" srccountry="Reserved" dstip=10.1.20.1 dstport=8888 dstintf="port1" dstintfrole="undefined" sessionid=1366711345 service="tcp/8888" proxyapptype="http" proto=6 action="accept" policyid=7 policytype="proxy-policy" poluuid="ecb22964-a6c7-51ef-3b66-9aed56737e89" policyname="tc3" trandisp="snat" transip=10.120.1.209 transport=0 clientip=10.120.1.41 appcat="unscanned" duration=0 vip="ztna_vip" accessproxy="access-proxy" clientdevicemanageable="unknown" clientcert="no" wanin=0 rcvdbyte=0 wanout=0 lanin=0 sentbyte=0 lanout=0 fctuid="6F6248B158C74FF98905ADCE528DB1E7" unauthuser="userb" unauthusersource="forticlient" srcremote=207.102.138.19
    
    2: date=2024-11-29 time=10:02:09 eventtime=1732903329010694544 tz="-0800" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.120.1.41 srcport=38408 srcintf="port1" srcintfrole="undefined" dstcountry="Reserved" srccountry="Reserved" dstip=10.1.20.1 dstport=8888 dstintf="port1" dstintfrole="undefined" sessionid=1366711344 service="tcp/8888" proxyapptype="http" proto=6 action="accept" policyid=7 policytype="proxy-policy" poluuid="ecb22964-a6c7-51ef-3b66-9aed56737e89" policyname="tc3" trandisp="snat" transip=10.120.1.209 transport=0 clientip=10.120.1.41 appcat="unscanned" duration=0 vip="ztna_vip" accessproxy="access-proxy" clientdevicemanageable="unknown" clientcert="no" wanin=0 rcvdbyte=0 wanout=0 lanin=0 sentbyte=0 lanout=0 fctuid="6F6248B158C74FF98905ADCE528DB1E7" unauthuser="userb" unauthusersource="forticlient" srcremote=207.102.138.19
    
    3: date=2024-11-29 time=10:02:07 eventtime=1732903326273388765 tz="-0800" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.120.1.41 srcport=34650 srcintf="port1" srcintfrole="undefined" dstcountry="Reserved" srccountry="Reserved" dstip=172.18.76.33 dstport=443 dstintf="port1" dstintfrole="undefined" sessionid=1366711342 service="udp/443" proxyapptype="http" proto=17 action="accept" policyid=7 policytype="proxy-policy" poluuid="ecb22964-a6c7-51ef-3b66-9aed56737e89" policyname="tc3" trandisp="snat" transip=0.0.0.0 transport=0 clientip=10.120.1.41 appcat="unscanned" duration=102 vip="ztna_vip" accessproxy="access-proxy" clientdevicemanageable="manageable" clientcert="yes" wanin=0 rcvdbyte=0 wanout=0 lanin=19092 sentbyte=19092 lanout=13250 fctuid="6F6248B158C74FF98905ADCE528DB1E7" unauthuser="userb" unauthusersource="forticlient" srcremote=207.102.138.19
    
    4: date=2024-11-29 time=10:01:06 eventtime=1732903266274561819 tz="-0800" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.120.1.41 srcport=34650 srcintf="port1" srcintfrole="undefined" dstcountry="Reserved" srccountry="Reserved" dstip=172.18.76.33 dstport=443 dstintf="port1" dstintfrole="undefined" service="udp/443" proxyapptype="http" proto=17 action="accept" policyid=7 policytype="proxy-policy" poluuid="ecb22964-a6c7-51ef-3b66-9aed56737e89" policyname="tc3" appcat="unscanned" duration=35 wanin=0 rcvdbyte=0 wanout=0 lanin=1200 sentbyte=1200 lanout=0 fctuid="6F6248B158C74FF98905ADCE528DB1E7" unauthuser="userb" unauthusersource="forticlient" srcremote=207.102.138.19
    
    5: date=2024-11-29 time=10:00:59 eventtime=1732903259718201554 tz="-0800" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.120.1.41 srcport=34650 srcintf="port1" srcintfrole="undefined" dstcountry="Reserved" srccountry="Reserved" dstip=172.18.76.33 dstport=443 dstintf="port1" dstintfrole="undefined" service="udp/443" proxyapptype="http" proto=17 action="accept" policyid=7 policytype="proxy-policy" poluuid="ecb22964-a6c7-51ef-3b66-9aed56737e89" policyname="tc3" appcat="unscanned" duration=35 wanin=0 rcvdbyte=0 wanout=0 lanin=1200 sentbyte=1200 lanout=0 fctuid="6F6248B158C74FF98905ADCE528DB1E7" unauthuser="userb" unauthusersource="forticlient" srcremote=207.102.138.19
    
    6: date=2024-11-29 time=10:00:48 eventtime=1732903249011046552 tz="-0800" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.120.1.41 srcport=38406 srcintf="port1" srcintfrole="undefined" dstcountry="Reserved" srccountry="Reserved" dstip=10.1.20.1 dstport=8888 dstintf="port1" dstintfrole="undefined" sessionid=1366711343 service="tcp/8888" proxyapptype="http" proto=6 action="accept" policyid=7 policytype="proxy-policy" poluuid="ecb22964-a6c7-51ef-3b66-9aed56737e89" policyname="tc3" trandisp="snat" transip=10.120.1.209 transport=0 clientip=10.120.1.41 appcat="unscanned" duration=0 vip="ztna_vip" accessproxy="access-proxy" clientdevicemanageable="unknown" clientcert="no" wanin=0 rcvdbyte=0 wanout=0 lanin=0 sentbyte=0 lanout=0 fctuid="6F6248B158C74FF98905ADCE528DB1E7" unauthuser="userb" unauthusersource="forticlient" srcremote=207.102.138.19
    

ZTNA for UDP traffic NEW

ZTNA for UDP traffic NEW

ZTNA supports UDP traffic from FortiClient 7.4.1 and later endpoints. When UDP traffic to a destination is detected, FortiClient forms a UDP connection over QUIC to the FortiProxy ZTNA gateway. After authentication, security posture check, and authorization, FortiProxy forms a connection with the destination and the end-to-end UDP traffic passes through.

Scope and limitations

  • FortiClient endpoint must be running 7.4.1 or later.

  • FortiClient EMS 7.4.1 and later supports the option to enable UDP on a ZTNA application.

CLI syntax

To support UDP traffic forwarding, the FortiProxy VIP associated with the ZTNA server configuration must have h3-support enabled.

# Syntax: h3-support is set on the access-proxy VIP that fronts the ZTNA server.
# Per the surrounding text, UDP traffic forwarding requires h3-support to be enabled on this VIP.
config firewall vip
  edit <ZTNA VIP>
    set type access-proxy
    set h3-support {enable | disable}
  next
end

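The UDP applications themselves are configured under the firewall access-proxy configuration. As the syntax below shows, they are declared with url-map "/tcp" and service tcp-forwarding, even though the traffic is UDP: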

# Syntax: bind an access proxy to the ZTNA VIP and list each UDP application as a realserver.
# The UDP application is declared under url-map "/tcp" with service tcp-forwarding; this listing
# shows no UDP-specific service value.
config firewall access-proxy
    edit <name>
        set vip <ZTNA VIP>
        config api-gateway
            edit 1
                set url-map "/tcp"
                set service tcp-forwarding
                config realservers
                    edit 1
                        # Address and port(s) of the UDP application that FortiProxy connects to.
                        set address <UDP application address>
                        set mappedport <UDP application port(s)>
                    next
		end
            next
        end
    next
end

FortiClient EMS configuration

From the FortiClient EMS server, you must edit the ZTNA applications to enable UDP.

Example

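When an application on an endpoint initiates UDP traffic, FortiClient forms a UDP connection over QUIC to the FortiProxy ZTNA gateway (10.0.3.10:9043). After authentication, security posture check, and authorization, FortiProxy forms a UDP connection with the destination (quic.nginx.org), and the end-to-end UDP traffic passes through. This example allows the endpoint to reach three different destinations through UDP. Note that the configuration and sample logs below use different values from the ones named in this paragraph: the gateway VIPs are 10.1.20.1, 10.1.20.5, and 10.1.20.9 on port 8888, and the destinations are 172.18.76.33:443, 94.140.14.14:853, and 1.0.0.1:53.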

To configure FortiProxy:
# Three access-proxy VIPs, one per UDP destination in this example. Each listens on its own
# external IP at port 8888, with server-type https and h3-support enabled.
# NOTE(review): the uuid lines look device-generated; presumably they can be omitted when the
# objects are re-created on another unit - confirm.
# NOTE(review): extintf "any" does not tie the VIP to a single ingress interface; consider naming
# the interface that faces the endpoints.
# NOTE(review): "Fortinet_SSL" appears to be a factory-default certificate; for production,
# presumably substitute a certificate issued for the gateway - confirm.
config firewall vip
    edit "ztna_vip"
        set uuid 0c0e724e-a60b-51ef-db23-26940edc4402
        set type access-proxy
        set server-type https
        set extip 10.1.20.1
        set h3-support enable
        set extintf "any"
        set extport 8888
        set ssl-certificate "Fortinet_SSL"
    next
    edit "doq_cert"
        set uuid 947371a4-a6ae-51ef-fec3-6b7f0b14c59f
        set type access-proxy
        set server-type https
        set extip 10.1.20.5
        set h3-support enable
        set extintf "any"
        set extport 8888
        set ssl-certificate "Fortinet_SSL"
    next
  edit "dns_vip"
        set uuid 1c8a8cca-a6c4-51ef-80d6-b867b9235367
        set type access-proxy
        set server-type https
        set extip 10.1.20.9
        set h3-support enable
        set extintf "any"
        set extport 8888
        set ssl-certificate "Fortinet_SSL"
    next     
end   


# Host (/32) address objects for two of the three destinations used in this example.
# NOTE(review): the access-proxy configuration on this page also references an address named
# "1.0.0.1", which is not defined in this block; presumably that object must exist as well - confirm.
config firewall address
    edit "server_33"
        set uuid 3a3123d8-a60b-51ef-c7d6-94bf48dcd7e8
        set subnet 172.18.76.33 255.255.255.255
next
edit "server94.140.14.14"
        set uuid 6d936346-a6ae-51ef-886a-bdead78dfa81
        set subnet 94.140.14.14 255.255.255.255
    next
end


# Three access proxies, each binding one VIP to a single realserver:
#   "access-proxy"  : VIP "ztna_vip" -> "server_33" port 443
#   "doq_cert"      : VIP "doq_cert" -> "server94.140.14.14" port 853
#   "access-proxy1" : VIP "dns_vip"  -> "1.0.0.1" port 53
# Every gateway uses url-map "/tcp" with service tcp-forwarding, although the destinations are
# reached over UDP in this example.
config firewall access-proxy
    edit "access-proxy"
        set vip "ztna_vip"
        config api-gateway
            edit 5
                set url-map "/tcp"
                set service tcp-forwarding
                config realservers
                    edit 1
                        set address "server_33"
                        set mappedport 443 
                    next
                end
            next
        end
    next
    edit "doq_cert"
        set vip "doq_cert"
        config api-gateway
            edit 1
                set url-map "/tcp"
                set service tcp-forwarding
                config realservers
                    edit 1
                        set address "server94.140.14.14"
                        set mappedport 853 
                    next
                end
            next
        end
    next 
    edit "access-proxy1"
        set vip "dns_vip"
        config api-gateway
            edit 1
                set url-map "/tcp"
                set service tcp-forwarding
                config realservers
                    edit 1
                        # NOTE(review): no address object named "1.0.0.1" is defined in the
                        # firewall address block of this example - confirm it exists.
                        set address "1.0.0.1"
                        set mappedport 53 
                    next
                end
            next
        end
    next 
end     

# Three access-proxy policies, one per access proxy: tc1 -> "doq_cert", tc2 -> "access-proxy1",
# tc3 -> "access-proxy". Each enables logtraffic all, logtraffic-start, log-http-transaction and
# extended-log; presumably these settings produce the ZTNA traffic logs used for verification.
# NOTE(review): every policy matches srcintf "any", srcaddr "all" and dstaddr "all", and none
# shows a user, group or security-posture tag condition. As listed, the policies do not show how
# the authentication and posture check described on this page are enforced; a production policy
# would presumably add those conditions - confirm against the deployment.
config firewall policy
# NOTE(review): tc1 is shown with status disable, yet the sample logs on this page record
# policyid=4 (policyname="tc1") with action="accept"; presumably it was enabled during the test.
edit 4
        set type access-proxy
        set status disable
        set name "tc1"
        set uuid 37bb5da4-a6b4-51ef-de42-7f4108602748
        set srcintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set access-proxy "doq_cert"
        set logtraffic all
        set logtraffic-start enable
        set log-http-transaction enable
        set extended-log enable
        set ssl-ssh-profile "certificate-inspection"
    next 
    # NOTE(review): tc2 is also shown with status disable, while the sample logs record
    # policyid=6 (policyname="tc2") with action="accept" - enable it before verifying.
    edit 6
        set type access-proxy
        set status disable
        set name "tc2"
        set uuid 245671fc-a6c5-51ef-0310-b41eac08fd57
        set srcintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set access-proxy "access-proxy1"
        set logtraffic all
        set logtraffic-start enable
        set log-http-transaction enable
        set extended-log enable
        set ssl-ssh-profile "certificate-inspection"
    next 
    # tc3 carries no status line, unlike tc1 and tc2.
    edit 7
        set type access-proxy
        set name "tc3"
        set uuid ecb22964-a6c7-51ef-3b66-9aed56737e89
        set srcintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set access-proxy "access-proxy"
        set logtraffic all
        set logtraffic-start enable
        set log-http-transaction enable
        set extended-log enable
        set ssl-ssh-profile "certificate-inspection"
next
end
To configure FortiClient EMS:
  1. From Fabric & Connectors > ZTNA Application Catalog, locate each application retrieved from the FortiProxy.

  2. Edit each application, and select Enable UDP.

  3. Go to Endpoint Profiles > ZTNA Destinations, and edit the Default profile.

  4. Under Rules, click +Add. Select the applications learned from the FortiProxy, and then click Finish.

  5. Click Save to save this profile, and push changes to managed FortiClients.

To verify:
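  1. Verify DNS over QUIC (DoQ) by running a DoQ script from a Linux terminal, and then check the logs in FortiProxy. In the sample logs, the entries for this test are those with policyname="tc1" and accessproxy="doq_cert":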

    Sample logs:

    # exec log filter field subtype ztna
    # exec log display 
    215 logs found.
    10 logs returned.
    50.9% of logs has been searched.
    date=2024-11-28 time=13:32:48 eventtime=1732829567500943296 tz="-0800" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.120.1.41 srcport=45660 srcintf="port1" srcintfrole="undefined" dstcountry="Reserved" srccountry="Reserved" dstip=10.1.20.5 dstport=8888 dstintf="port1" dstintfrole="undefined" sessionid=1835553063 service="tcp/8888" proxyapptype="http" proto=6 action="accept" policyid=4 policytype="proxy-policy" poluuid="37bb5da4-a6b4-51ef-de42-7f4108602748" policyname="tc1" trandisp="snat" transip=10.120.1.209 transport=0 clientip=10.120.1.41 appcat="unscanned" duration=0 vip="doq_cert" accessproxy="doq_cert" clientdevicemanageable="unknown" clientcert="no" wanin=0 rcvdbyte=0 wanout=0 lanin=0 sentbyte=0 lanout=0 fctuid="6F6248B158C74FF98905ADCE528DB1E7" unauthuser="userb" unauthusersource="forticlient" srcremote=207.102.138.19
    
    29: date=2024-11-28 time=13:31:27 eventtime=1732829487500544467 tz="-0800" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.120.1.41 srcport=45640 srcintf="port1" srcintfrole="undefined" dstcountry="Reserved" srccountry="Reserved" dstip=10.1.20.5 dstport=8888 dstintf="port1" dstintfrole="undefined" sessionid=1835553062 service="tcp/8888" proxyapptype="http" proto=6 action="accept" policyid=4 policytype="proxy-policy" poluuid="37bb5da4-a6b4-51ef-de42-7f4108602748" policyname="tc1" trandisp="snat" transip=10.120.1.209 transport=0 clientip=10.120.1.41 appcat="unscanned" duration=0 vip="doq_cert" accessproxy="doq_cert" clientdevicemanageable="unknown" clientcert="no" wanin=0 rcvdbyte=0 wanout=0 lanin=0 sentbyte=0 lanout=0 fctuid="6F6248B158C74FF98905ADCE528DB1E7" unauthuser="userb" unauthusersource="forticlient" srcremote=207.102.138.19
    
  2. Verify DNS traffic, and then check the logs in FortiProxy. The forwarded query appears as a proto=17 entry with dstip=1.0.0.1 and dstport=53:

    Sample logs:

    # exec log filter field subtype ztna
    
    # exec log display
    23 logs found.
    10 logs returned.
    5.1% of logs has been searched.
    
    1: date=2024-11-29 time=09:53:09 eventtime=1732902789224747854 tz="-0800" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.120.1.41 srcport=54305 srcintf="port1" srcintfrole="undefined" dstcountry="Australia" srccountry="Reserved" dstip=1.0.0.1 dstport=53 dstintf="port1" dstintfrole="undefined" service="DNS" proxyapptype="http" proto=17 action="accept" policyid=6 policytype="proxy-policy" poluuid="245671fc-a6c5-51ef-0310-b41eac08fd57" policyname="tc2" appcat="unscanned" duration=15 wanin=0 rcvdbyte=0 wanout=0 lanin=0 sentbyte=0 lanout=0 fctuid="6F6248B158C74FF98905ADCE528DB1E7" unauthuser="userb" unauthusersource="forticlient" srcremote=207.102.138.19
    
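  3. Verify HTTP/3 (QUIC) traffic, and then check the logs in FortiProxy. The forwarded UDP session appears as proto=17 entries with service="udp/443"; the proto=6 entries with dstport=8888 are connections to the gateway VIP: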

    Sample logs:

    1: date=2024-11-29 time=10:03:29 eventtime=1732903409010463530 tz="-0800" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.120.1.41 srcport=38410 srcintf="port1" srcintfrole="undefined" dstcountry="Reserved" srccountry="Reserved" dstip=10.1.20.1 dstport=8888 dstintf="port1" dstintfrole="undefined" sessionid=1366711345 service="tcp/8888" proxyapptype="http" proto=6 action="accept" policyid=7 policytype="proxy-policy" poluuid="ecb22964-a6c7-51ef-3b66-9aed56737e89" policyname="tc3" trandisp="snat" transip=10.120.1.209 transport=0 clientip=10.120.1.41 appcat="unscanned" duration=0 vip="ztna_vip" accessproxy="access-proxy" clientdevicemanageable="unknown" clientcert="no" wanin=0 rcvdbyte=0 wanout=0 lanin=0 sentbyte=0 lanout=0 fctuid="6F6248B158C74FF98905ADCE528DB1E7" unauthuser="userb" unauthusersource="forticlient" srcremote=207.102.138.19
    
    2: date=2024-11-29 time=10:02:09 eventtime=1732903329010694544 tz="-0800" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.120.1.41 srcport=38408 srcintf="port1" srcintfrole="undefined" dstcountry="Reserved" srccountry="Reserved" dstip=10.1.20.1 dstport=8888 dstintf="port1" dstintfrole="undefined" sessionid=1366711344 service="tcp/8888" proxyapptype="http" proto=6 action="accept" policyid=7 policytype="proxy-policy" poluuid="ecb22964-a6c7-51ef-3b66-9aed56737e89" policyname="tc3" trandisp="snat" transip=10.120.1.209 transport=0 clientip=10.120.1.41 appcat="unscanned" duration=0 vip="ztna_vip" accessproxy="access-proxy" clientdevicemanageable="unknown" clientcert="no" wanin=0 rcvdbyte=0 wanout=0 lanin=0 sentbyte=0 lanout=0 fctuid="6F6248B158C74FF98905ADCE528DB1E7" unauthuser="userb" unauthusersource="forticlient" srcremote=207.102.138.19
    
    3: date=2024-11-29 time=10:02:07 eventtime=1732903326273388765 tz="-0800" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.120.1.41 srcport=34650 srcintf="port1" srcintfrole="undefined" dstcountry="Reserved" srccountry="Reserved" dstip=172.18.76.33 dstport=443 dstintf="port1" dstintfrole="undefined" sessionid=1366711342 service="udp/443" proxyapptype="http" proto=17 action="accept" policyid=7 policytype="proxy-policy" poluuid="ecb22964-a6c7-51ef-3b66-9aed56737e89" policyname="tc3" trandisp="snat" transip=0.0.0.0 transport=0 clientip=10.120.1.41 appcat="unscanned" duration=102 vip="ztna_vip" accessproxy="access-proxy" clientdevicemanageable="manageable" clientcert="yes" wanin=0 rcvdbyte=0 wanout=0 lanin=19092 sentbyte=19092 lanout=13250 fctuid="6F6248B158C74FF98905ADCE528DB1E7" unauthuser="userb" unauthusersource="forticlient" srcremote=207.102.138.19
    
    4: date=2024-11-29 time=10:01:06 eventtime=1732903266274561819 tz="-0800" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.120.1.41 srcport=34650 srcintf="port1" srcintfrole="undefined" dstcountry="Reserved" srccountry="Reserved" dstip=172.18.76.33 dstport=443 dstintf="port1" dstintfrole="undefined" service="udp/443" proxyapptype="http" proto=17 action="accept" policyid=7 policytype="proxy-policy" poluuid="ecb22964-a6c7-51ef-3b66-9aed56737e89" policyname="tc3" appcat="unscanned" duration=35 wanin=0 rcvdbyte=0 wanout=0 lanin=1200 sentbyte=1200 lanout=0 fctuid="6F6248B158C74FF98905ADCE528DB1E7" unauthuser="userb" unauthusersource="forticlient" srcremote=207.102.138.19
    
    5: date=2024-11-29 time=10:00:59 eventtime=1732903259718201554 tz="-0800" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.120.1.41 srcport=34650 srcintf="port1" srcintfrole="undefined" dstcountry="Reserved" srccountry="Reserved" dstip=172.18.76.33 dstport=443 dstintf="port1" dstintfrole="undefined" service="udp/443" proxyapptype="http" proto=17 action="accept" policyid=7 policytype="proxy-policy" poluuid="ecb22964-a6c7-51ef-3b66-9aed56737e89" policyname="tc3" appcat="unscanned" duration=35 wanin=0 rcvdbyte=0 wanout=0 lanin=1200 sentbyte=1200 lanout=0 fctuid="6F6248B158C74FF98905ADCE528DB1E7" unauthuser="userb" unauthusersource="forticlient" srcremote=207.102.138.19
    
    6: date=2024-11-29 time=10:00:48 eventtime=1732903249011046552 tz="-0800" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.120.1.41 srcport=38406 srcintf="port1" srcintfrole="undefined" dstcountry="Reserved" srccountry="Reserved" dstip=10.1.20.1 dstport=8888 dstintf="port1" dstintfrole="undefined" sessionid=1366711343 service="tcp/8888" proxyapptype="http" proto=6 action="accept" policyid=7 policytype="proxy-policy" poluuid="ecb22964-a6c7-51ef-3b66-9aed56737e89" policyname="tc3" trandisp="snat" transip=10.120.1.209 transport=0 clientip=10.120.1.41 appcat="unscanned" duration=0 vip="ztna_vip" accessproxy="access-proxy" clientdevicemanageable="unknown" clientcert="no" wanin=0 rcvdbyte=0 wanout=0 lanin=0 sentbyte=0 lanout=0 fctuid="6F6248B158C74FF98905ADCE528DB1E7" unauthuser="userb" unauthusersource="forticlient" srcremote=207.102.138.19