Tags
You can create, edit, and delete security posture tags for endpoints. You can also view and manage the rules used to dynamically tag endpoints.
The following occurs when using security posture tags with EMS and FortiClient:
- EMS sends security posture tags and rules to endpoints via Telemetry communication.
- FortiClient checks endpoints using the provided rules and sends the results to EMS. When endpoint network changes or user logon and logoff events occur, FortiClient triggers an X-FFCK-TAG message to EMS, even if there are no tag changes. Once EMS receives the tags, it processes them immediately, and FortiOS tags are updated within five seconds of the REST API response. For other tag changes, FortiClient sends the information to EMS regularly, at the configured keepalive intervals. See Configuring EMS settings.
- EMS receives the results from FortiClient.
- EMS dynamically groups endpoints together using the tag configured for each rule. You can view the dynamic endpoint groups in Security Posture Tags > Tag Monitor. See Tag Monitor.