How To - Troubleshoot Zero Trust Access Gateway (ZTAG)
This article aims to assist in troubleshooting the Kemp Zero Trust Access Gateway (ZTAG) automation script.
1 – Pre-Flight Checks
2 – Enable Logging
3 – Script Hash
4 – Logging Details
1 – Pre-Flight Checks
The Zero Trust Policy Builder script includes several checks that validate the entries in the Configuration Files (XML).
When the script is run, one of many variations of the following warning may be presented to the user.
Depending on the use case and the Configuration File in use, unique policy elements must match the entries in the identity section.
In this example, the IP address /173\.16\.10\..* does not match any IP address provided in the Zero_Trust_Access_Gateway_Policies section. This must be addressed for the Zero Trust Policy Builder to run successfully.
2 – Enable Logging
Extended logging is available to give the user the necessary visibility into the Zero Trust Policy Builder run. Verify that the following section is populated and that the proper permissions are enabled on the directory path.
- Log File Path – Location in which to store the log files.
- MaxLogSizeKB – The maximum log file size in kilobytes.
- MaxLogRollovers – The number of log file rollovers permitted.
Setting MaxLogSizeKB to 500 and MaxLogRollovers to 1 allows for a maximum of ~1 MB of disk usage for Kemp Zero Trust Access Gateway logs.
3 – Script Hash
In environments where multiple administrators have access to the Zero Trust Policy Builder script, the script may be modified unintentionally. This can be verified by matching the expected hash with the hash that is generated in the logs.
- Obtain the expected hash – The expected hash can be found in the Zero Trust Access Gateway package that was downloaded from the Kemp website. Open the file named Script-Hash.xml in Notepad or another application that can read XML.
- Open the current log file in the specified path and find the line that reads Script-Hash (there may be several such lines, depending on the number of times the script was run). The Script-Hash entry in the log must match the hash provided in the Script-Hash.xml file.
- If the hash does not match, download the latest version of the Kemp Zero Trust Access Gateway package.
4 – Logging Details
To help identify any errors that may occur during a Zero Trust Policy Builder run, extended logging is available. The log files are located in the path specified in the Configuration File (XML).
- Open the log file and scroll to the bottom.
- Each Zero Trust Policy Builder run is separated, and each run starts with Starting Log File Execution.
- Examine the log file for any entry that does NOT equal
ReturnCode=200; Response=Command successfully executed
- If a line is found that does not match the response above, it includes a description of the action that was attempted, which can be used to troubleshoot the issue.
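As an added example (not part of the Kemp package or of this article), the following Python script performs the checks from sections 3 and 4 against a log excerpt: it compares every logged Script-Hash with the value in Script-Hash.xml and lists, per run, each command result that is not the success response. The element layout of Script-Hash.xml, the "Script-Hash:" log line format and the sample log lines are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for Script-Hash.xml; the element names are an assumption.
EXPECTED_HASH_XML = "<ScriptHash><Hash>a1b2c3d4e5f6</Hash></ScriptHash>"

# Constructed log excerpt covering two runs; the exact line layout is an assumption.
SAMPLE_LOG = """\
Starting Log File Execution
Script-Hash: a1b2c3d4e5f6
Add VS 10.0.0.5:443 ReturnCode=200; Response=Command successfully executed
Starting Log File Execution
Script-Hash: ffffffffffff
Add VS 10.0.0.5:443 ReturnCode=200; Response=Command successfully executed
Add SubVS rule ReturnCode=422; Response=constructed failure text
"""

SUCCESS = "ReturnCode=200; Response=Command successfully executed"
RUN_MARKER = "Starting Log File Execution"
HASH_RE = re.compile(r"Script-Hash[:=]\s*([0-9A-Fa-f]+)")


def expected_hash(xml_text):
    """Read the expected hash out of (a stand-in for) Script-Hash.xml."""
    return ET.fromstring(xml_text).findtext("Hash").strip().lower()


def split_runs(log_text):
    """Group log lines by run; each run starts with 'Starting Log File Execution'."""
    runs = []
    for line in log_text.splitlines():
        if RUN_MARKER in line:
            runs.append([])
        elif runs:
            runs[-1].append(line)
    return runs


def audit_log(log_text, expected):
    """Per run: does the logged Script-Hash match, and which command results failed?"""
    report = []
    for lines in split_runs(log_text):
        hashes = [m.group(1).lower() for m in map(HASH_RE.search, lines) if m]
        hash_ok = bool(hashes) and all(h == expected for h in hashes)
        # Only lines carrying ReturnCode= are command results; skip narrative lines.
        failures = [l for l in lines if "ReturnCode=" in l and SUCCESS not in l]
        report.append({"hash_ok": hash_ok, "failures": failures})
    return report


if __name__ == "__main__":
    for i, run in enumerate(audit_log(SAMPLE_LOG, expected_hash(EXPECTED_HASH_XML)), 1):
        print(f"run {i}: hash_ok={run['hash_ok']} failures={run['failures']}")
```

Point SAMPLE_LOG and EXPECTED_HASH_XML at the real log file and Script-Hash.xml contents to audit an actual run; a run with hash_ok False indicates the script no longer matches the downloaded package.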