Logical AND for ZTNA tag matching (7.0.2)
When specifying ZTNA tags in a rule, logical AND can be used for tag matching.
When editing a ZTNA rule:
- If Match ZTNA Tags is set to All, the client must match all of the tags (logical AND).
- If Match ZTNA Tags is set to Any, the client can match any of the tags (logical OR).
In these examples, there are two PCs with FortiClient: PC120 at 10.1.100.120 and PC117 at 10.1.100.117. There are two ZTNA EMS tags: ems138_av_tag and ems138_running_app_tag. PC120 has both of them, and PC117 only has one.
It is assumed that ZTNA has already been configured. For information, see Zero Trust Network Access in the FortiOS Administration Guide.
Logical AND example
To configure a ZTNA rule that requires both ZTNA EMS tags in the GUI:
- Go to Policy & Objects > ZTNA, select the ZTNA Rules tab, and click Create New.
- Configure the rule, adding both ZTNA EMS tags to ZTNA Tag, and setting Match ZTNA Tags to All.
- Click OK.
To configure a ZTNA rule that requires both ZTNA EMS tags in the CLI:
    config firewall proxy-policy
        edit 1
            set name "r1"
            set proxy access-proxy
            set access-proxy "ZTNA_S1"
            set srcintf "port2"
            set srcaddr "all"
            set dstaddr "all"
            set ztna-ems-tag "FCTEMS8821001056_ems138_av_tag" "FCTEMS8821001056_ems138_running_app_tag"
            set ztna-tags-match-logic and
            set action accept
            set schedule "always"
        next
    end
To check the results:
- PC117 only has one tag, so ZTNA traffic is blocked:

    # diagnose test application fcnacd 7
    ZTNA Cache V2:
    Entry #2:
    - UID: 083078C718674C72B7C8CA0C09EB99C7
    - Domain:
    - User: frank_117
    - Owner:
    - Certificate SN: 03CBD682154035C5E5FEA27F83DFC8F7398CDC60
    - EMS SN: FCTEMS8821001056
    - online: true
    - Routes (2):
    -- Route #0: IP=10.1.100.117, vfid=0
    - Tags (4):
    -- Tag (#0): Low
    -- Tag (#1): all_registered_clients
    -- Tag (#2): ems138_av_tag
    -- Tag (#3): ems138_management_tag
    lls_idx_mask = 0x00000001,
The WAD debug shows:
    [V][p:296][s:413990][r:117440514] wad_fw_policy_match_dev_grp :4651 dev tag matching, info=0x7efff2ea7430, tag_cnt=8, on_line=1,conf ems-tag size=2
    [V][p:296][s:413990][r:117440514] wad_dev_addr_match :275 conf tag name:FCTEMS8821001056_ems138_av_tag(30) matched, id=12! <----HERE
    [V][p:296][s:413990][r:117440514] wad_fw_policy_match_dev_grp :4687 pol_id = 1 unmatched dev id = 12
    [V][p:296][s:413990][r:117440514] wad_fw_policy_match_dev :4705 pol_id = 1 matched = 0
    [V][p:296][s:413990][r:117440514] wad_fw_addr_match_ap :1035 matching ap:ZTNA_S2(7) with vip addr:ZTNA_S1(7)
    [I][p:296][s:413990][r:117440514] wad_http_req_policy_set :8009 match pid=296 policy-id=0 vd=0 in_if=4, out_if=13 10.1.100.117:49341 -> 172.18.62.27:443
    [V][p:296][s:413990][r:117440514] wad_https_ap_pol_info_get :7946 policy info created, req=0x7efff02b6048, ses_ctx=0x7efff2f2e3a8, info=0x7efff32a8288
    [I][p:296][s:413990][r:117440514] wad_http_req_proc_policy :7735 web_cache(http/https=0/0, fwd_srv=<nil>.
    [E][p:296][s:413990][r:117440514] wad_http_req_proc_policy :7755 POLICY DENIED
- PC120 has both tags, so ZTNA traffic is passed:

    # diagnose test application fcnacd 7
    ZTNA Cache V2:
    Entry #1:
    - UID: 5721ED0374564878BFA1725C5555CEBA
    - Domain: fortios.local131
    - User: tester1
    - Owner:
    - Certificate SN: 48EC63DCF1234D41AEE2B4301017F74893FC291A
    - EMS SN: FCTEMS8821001056
    - online: true
    - Routes (2):
    -- Route #0: IP=10.1.100.120, vfid=0
    - Tags (6):
    -- Tag (#0): ems138_running_app_tag
    -- Tag (#1): all_registered_clients
    -- Tag (#2): ems138_av_tag
    -- Tag (#3): ems138_vulnerability_tag
    -- Tag (#4): ems138_management_tag
    -- Tag (#5): Low
    lls_idx_mask = 0x00000001,
The WAD debug shows:
    [V][p:293][s:413402][r:67108866] wad_fw_policy_match_dev_grp :4651 dev tag matching, info=0x7f918e62e608, tag_cnt=12, on_line=1,conf ems-tag size=2
    [V][p:293][s:413402][r:67108866] wad_dev_addr_match :275 conf tag name:FCTEMS8821001056_ems138_av_tag(30) matched, id=12!
    [V][p:293][s:413402][r:67108866] wad_dev_addr_match :275 conf tag name:FCTEMS8821001056_ems138_running_app_tag(39) matched, id=13!
    [V][p:293][s:413402][r:67108866] wad_fw_policy_match_dev :4705 pol_id = 1 matched = 1
    [I][p:293][s:413402][r:67108866] wad_http_req_policy_set :8009 match pid=293 policy-id=1 vd=0 in_if=4, out_if=13 10.1.100.120:57150 -> 172.18.62.27:443
Logical OR example
To configure a ZTNA rule that requires one of the ZTNA EMS tags in the GUI:
- Go to Policy & Objects > ZTNA, select the ZTNA Rules tab, and click Create New.
- Configure the rule, adding both ZTNA EMS tags to ZTNA Tag, and setting Match ZTNA Tags to Any.
- Click OK.
To configure a ZTNA rule that requires one of the ZTNA EMS tags in the CLI:
    config firewall proxy-policy
        edit 1
            set name "r1"
            set proxy access-proxy
            set access-proxy "ZTNA_S1"
            set srcintf "wan2"
            set srcaddr "all"
            set dstaddr "all"
            set ztna-ems-tag "FCTEMS8821001056_ems138_av_tag" "FCTEMS8821001056_ems138_running_app_tag"
            set ztna-tags-match-logic or
            set action accept
            set schedule "always"
        next
    end
To check the results:
Traffic on both PC120 and PC117 is passed successfully.
The WAD debugs show:
    [V][p:294][s:650635][r:83886096] wad_fw_policy_match_dev_grp :4651 dev tag matching, info=0x7f863d7e3430, tag_cnt=8, on_line=1,conf ems-tag size=2
    [V][p:294][s:650635][r:83886096] wad_fw_policy_match_dev_grp :4666 pol_id = 1 matched dev id = 18
    [V][p:294][s:650635][r:83886096] wad_fw_policy_match_dev :4705 pol_id = 1 matched = 1
    [I][p:294][s:650635][r:83886096] wad_http_req_policy_set :8009 match pid=294 policy-id=1 vd=0 in_if=4, out_if=13 10.1.100.117:55597 -> 172.18.62.27:443
    [V][p:294][s:650635][r:83886096] wad_https_ap_pol_info_get :7946 policy info created, req=0x7f863d90a048, ses_ctx=0x7f863fc79ad8, info=0x7f863d7f7bb0

    [V][p:290][s:650172][r:16777220] wad_fw_policy_match_dev_grp :4651 dev tag matching, info=0x7f1ad65a1228, tag_cnt=12, on_line=1,conf ems-tag size=2
    [V][p:290][s:650172][r:16777220] wad_fw_policy_match_dev_grp :4666 pol_id = 1 matched dev id = 18
    [V][p:290][s:650172][r:16777220] wad_fw_policy_match_dev :4705 pol_id = 1 matched = 1
    [I][p:290][s:650172][r:16777220] wad_http_req_policy_set :8009 match pid=290 policy-id=1 vd=0 in_if=4, out_if=13 10.1.100.120:50865 -> 172.18.62.27:443
    [V][p:290][s:650172][r:16777220] wad_https_ap_pol_info_get :7946 policy info created, req=0x7f1ad3ef1048, ses_ctx=0x7f1ad652ead8, info=0x7f1ad3e76048
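The tag-match logic behind both the AND and OR examples above, as an added Python model that is not part of the FortiOS documentation or product code: it reads the tag list from a cut-down copy of the fcnacd cache dump and the two ztna lines of the proxy-policy, prefixes each client tag with its EMS serial number so the names line up with the policy's ztna-ems-tag entries (an assumption drawn from the names on this page, not documented behaviour), and applies the and/or rule to reproduce PC117 denied and PC120 accepted.

```python
import re
# Constructed sample: the two ZTNA cache entries from this page's
# "diagnose test application fcnacd 7" output, cut down to EMS SN, route and tags.
FCNACD_CACHE = """\
Entry #2:
- EMS SN: FCTEMS8821001056
-- Route #0: IP=10.1.100.117, vfid=0
- Tags (4):
-- Tag (#0): Low
-- Tag (#1): all_registered_clients
-- Tag (#2): ems138_av_tag
-- Tag (#3): ems138_management_tag
Entry #1:
- EMS SN: FCTEMS8821001056
-- Route #0: IP=10.1.100.120, vfid=0
- Tags (6):
-- Tag (#0): ems138_running_app_tag
-- Tag (#1): all_registered_clients
-- Tag (#2): ems138_av_tag
-- Tag (#3): ems138_vulnerability_tag
-- Tag (#4): ems138_management_tag
-- Tag (#5): Low
"""
# The two ZTNA lines of the page's proxy-policy; {logic} is filled with "and" or "or".
POLICY_CLI = ('set ztna-ems-tag "FCTEMS8821001056_ems138_av_tag" '
              '"FCTEMS8821001056_ems138_running_app_tag"\nset ztna-tags-match-logic {logic}')

def parse_fcnacd_cache(text):
    """Map each client IP to its '<EMS SN>_<tag>' names (assumed naming of policy tags)."""
    clients = {}
    for block in re.split(r"^Entry #\d+:$", text, flags=re.M)[1:]:
        sn = re.search(r"EMS SN: (\S+)", block).group(1)
        ip = re.search(r"IP=([\d.]+)", block).group(1)
        clients[ip] = {f"{sn}_{t}" for t in re.findall(r"Tag \(#\d+\): (\S+)", block)}
    return clients

def parse_policy(cli):
    """Return (configured ztna-ems-tag list, ztna-tags-match-logic value)."""
    tags = re.findall(r'"([^"]+)"', re.search(r"set ztna-ems-tag (.*)", cli).group(1))
    return tags, re.search(r"set ztna-tags-match-logic (\w+)", cli).group(1)

def policy_matches(client_tags, policy_tags, logic):
    """'and': every configured tag must be on the client; 'or': one hit is enough."""
    hits = [t for t in policy_tags if t in client_tags]
    return len(hits) == len(policy_tags) if logic == "and" else bool(hits)

def decide(client_ip, logic, cache=FCNACD_CACHE):
    # Mirrors the page's results: PC117 is denied under "and", both PCs pass under "or".
    tags, logic = parse_policy(POLICY_CLI.format(logic=logic))
    client_tags = parse_fcnacd_cache(cache).get(client_ip, set())
    return "accept" if policy_matches(client_tags, tags, logic) else "deny"
```

An unknown client IP (no cache entry, so no tags) is denied under either logic, which is the safe default for a missing EMS record.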