FortiGate
CarlosColombini
Article Id 286178
Description

This article describes one possible cause of ZTNA tags not synchronizing to FortiGate.
If object tagging has been configured with any entry other than 'default', ZTNA tags may fail to synchronize from FortiClient EMS to FortiGate.

The Object Tagging feature has been removed from the Graphical User Interface (GUI) of FortiOS since version 6.2.1; however, it was kept in the CLI for users who rely on automation and scripts.

An example of object tagging configuration is shown below.

config system object-tagging
    edit "default"
    next
    edit "public"
        set address mandatory
        set device mandatory
        set interface mandatory
        set color 7
        set tags "public"
    next
end


Even when the Security Fabric connector between FortiClient EMS and FortiGate is connected successfully, the 'mandatory' setting on a custom object-tagging entry can block the ZTNA tags from being added to FortiGate.

The following debug commands can be enabled to identify this issue:

 

diagnose debug application fcnacd -1
diagnose endpoint filter show-large-data yes
diagnose debug enable

The following error can then be observed in the debug output:

"result": "DYNAMIC_ADDRESS_UPDATE_RETVAL_CMDB_ERROR" } [ec_ez_worker_process:426] Call completed with failure.
    obj-id: 12, desc: "REST API to get updates of tag endpoints.", entry: "api/v1/report/fct/tags".
    error info: Error (-1@_tags_uuid_process_result:116). Processing API failed.

Scope

FortiGate v7.0+ and v7.2+.

Solution

This is a known issue registered under ID 861316, which is resolved in FortiOS version 7.4.0.
Starting with FortiOS v7.4.0, this mandatory check is bypassed for ZTNA tags added by the FCNAC daemon itself.

The workaround is to remove any custom object tagging entries from 'config system object-tagging'.
For the previous example, the following commands can be used:


config system object-tagging
    delete "public"
end
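As an added check that is not part of this article, the following Python script parses `show system object-tagging` output (here a constructed sample modelled on the example above), reports the custom entries that carry a 'mandatory' setting, and renders the delete commands from the workaround. The entry and setting names come from the article; the parsing logic is my own and assumes the standard FortiOS edit/set/next layout.

```python
import re

# Constructed sample of `show system object-tagging` output, modelled on the
# article's example (not captured from a real device).
SAMPLE_CONFIG = """\
config system object-tagging
    edit "default"
    next
    edit "public"
        set address mandatory
        set device mandatory
        set interface mandatory
        set color 7
        set tags "public"
    next
end
"""

# The object types whose 'mandatory' setting the article identifies.
MANDATORY_SCOPES = ("address", "device", "interface")

def parse_object_tagging(config_text):
    """Return {entry_name: {setting: value}} from the object-tagging output."""
    entries, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r'edit "([^"]*)"', line)
        if m:
            current = m.group(1)
            entries[current] = {}
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            entries[current][key] = value.strip('"')
    return entries

def blocking_entries(entries):
    """Custom entries (anything but 'default') with a 'mandatory' setting;
    per the article these can block ZTNA tag sync before FortiOS 7.4.0."""
    return sorted(name for name, s in entries.items()
                  if name != "default"
                  and any(s.get(k) == "mandatory" for k in MANDATORY_SCOPES))

def cleanup_commands(names):
    """Render the article's workaround: delete each offending custom entry."""
    if not names:
        return ""
    body = "\n".join(f'    delete "{n}"' for n in names)
    return "config system object-tagging\n" + body + "\nend"
```

Run `cleanup_commands(blocking_entries(parse_object_tagging(text)))` on the real CLI output to get the exact commands to paste back into the CLI.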