Logical AND for ZTNA tag matching 7.0.2

When specifying ZTNA tags in a rule, logical AND can be used for tag matching.

When editing a ZTNA rule:

  • If Match ZTNA Tags is set to All, the client must match all of the tags (logical AND).

  • If Match ZTNA Tags is set to Any, the client can match any of the tags (logical OR).

In these examples, there are two PCs with FortiClient: PC120 at 10.1.100.120 and PC117 at 10.1.100.117. There are two ZTNA EMS tags: ems138_av_tag and ems138_running_app_tag. PC120 has both of them, and PC117 only has one.

It is assumed that ZTNA has already been configured. For information, see Zero Trust Network Access in the FortiOS Administration Guide.

Logical AND example

To configure a ZTNA rule that requires both ZTNA EMS tags in the GUI:
  1. Go to Policy & Objects > ZTNA, select the ZTNA Rules tab, and click Create New.

  2. Configure the rule, adding both ZTNA EMS tags to ZTNA Tag, and setting Match ZTNA Tags to All.

  3. Click OK.

To configure a ZTNA rule that requires both ZTNA EMS tags in the CLI:
config firewall proxy-policy
    edit 1
        set name "r1"
        set proxy access-proxy
        set access-proxy "ZTNA_S1"
        set srcintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set ztna-ems-tag "FCTEMS8821001056_ems138_av_tag" "FCTEMS8821001056_ems138_running_app_tag"
        set ztna-tags-match-logic and
        set action accept
        set schedule "always"
    next
end
To check the results:
  • PC117 only has one tag, so ZTNA traffic is blocked:

     # diagnose test application fcnacd 7
    
    ZTNA Cache V2:
    
    Entry #2:
    
     - UID: 083078C718674C72B7C8CA0C09EB99C7
     - Domain:
     - User: frank_117
     - Owner:
     - Certificate SN: 03CBD682154035C5E5FEA27F83DFC8F7398CDC60
     - EMS SN: FCTEMS8821001056
     - online: true
     - Routes (2):
      -- Route #0: IP=10.1.100.117, vfid=0
     - Tags (4):
      -- Tag (#0): Low
      -- Tag (#1): all_registered_clients
      -- Tag (#2): ems138_av_tag
      -- Tag (#3): ems138_management_tag
    lls_idx_mask = 0x00000001,

    The WAD debug shows:

    [V][p:296][s:413990][r:117440514] wad_fw_policy_match_dev_grp       :4651  dev tag matching, info=0x7efff2ea7430, tag_cnt=8, on_line=1,conf ems-tag size=2
    [V][p:296][s:413990][r:117440514] wad_dev_addr_match                :275   conf tag name:FCTEMS8821001056_ems138_av_tag(30) matched, id=12! <----HERE
    [V][p:296][s:413990][r:117440514] wad_fw_policy_match_dev_grp       :4687  pol_id = 1 unmatched dev id = 12
    [V][p:296][s:413990][r:117440514] wad_fw_policy_match_dev           :4705  pol_id = 1 matched = 0
    [V][p:296][s:413990][r:117440514] wad_fw_addr_match_ap              :1035  matching ap:ZTNA_S2(7) with vip addr:ZTNA_S1(7)
    [I][p:296][s:413990][r:117440514] wad_http_req_policy_set           :8009  match pid=296 policy-id=0 vd=0 in_if=4, out_if=13 10.1.100.117:49341 -> 172.18.62.27:443
    [V][p:296][s:413990][r:117440514] wad_https_ap_pol_info_get         :7946  policy info created, req=0x7efff02b6048, ses_ctx=0x7efff2f2e3a8, info=0x7efff32a8288
    [I][p:296][s:413990][r:117440514] wad_http_req_proc_policy          :7735  web_cache(http/https=0/0, fwd_srv=<nil>.
    [E][p:296][s:413990][r:117440514] wad_http_req_proc_policy          :7755  POLICY DENIED
  • PC120 has both tags, so ZTNA traffic is passed:

     # diagnose test application fcnacd 7
    
    ZTNA Cache V2:
    Entry #1:
    
     - UID: 5721ED0374564878BFA1725C5555CEBA
     - Domain: fortios.local131
     - User: tester1
     - Owner:
     - Certificate SN: 48EC63DCF1234D41AEE2B4301017F74893FC291A
     - EMS SN: FCTEMS8821001056
     - online: true
     - Routes (2):
      -- Route #0: IP=10.1.100.120, vfid=0
      
     - Tags (6):
      -- Tag (#0): ems138_running_app_tag
      -- Tag (#1): all_registered_clients
      -- Tag (#2): ems138_av_tag
      -- Tag (#3): ems138_vulnerability_tag 
      -- Tag (#4): ems138_management_tag
      -- Tag (#5): Low
    lls_idx_mask = 0x00000001,

    The WAD debug shows:

    [V][p:293][s:413402][r:67108866] wad_fw_policy_match_dev_grp       :4651  dev tag matching, info=0x7f918e62e608, tag_cnt=12, on_line=1,conf ems-tag size=2
    [V][p:293][s:413402][r:67108866] wad_dev_addr_match                :275   conf tag name:FCTEMS8821001056_ems138_av_tag(30) matched, id=12!
    [V][p:293][s:413402][r:67108866] wad_dev_addr_match                :275   conf tag name:FCTEMS8821001056_ems138_running_app_tag(39) matched, id=13!
    [V][p:293][s:413402][r:67108866] wad_fw_policy_match_dev           :4705  pol_id = 1 matched = 1
    [I][p:293][s:413402][r:67108866] wad_http_req_policy_set           :8009  match pid=293 policy-id=1 vd=0 in_if=4, out_if=13 10.1.100.120:57150 -> 172.18.62.27:443

Logical OR example

To configure a ZTNA rule that requires one of the ZTNA EMS tags in the GUI:
  1. Go to Policy & Objects > ZTNA, select the ZTNA Rules tab, and click Create New.

  2. Configure the rule, adding both ZTNA EMS tags to ZTNA Tag, and setting Match ZTNA Tags to Any.

  3. Click OK.

To configure a ZTNA rule that requires one of the ZTNA EMS tags in the CLI:
config firewall proxy-policy
    edit 1
        set name "r1"
        set proxy access-proxy
        set access-proxy "ZTNA_S1"
        set srcintf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set ztna-ems-tag "FCTEMS8821001056_ems138_av_tag" "FCTEMS8821001056_ems138_running_app_tag"
        set ztna-tags-match-logic or
        set action accept
        set schedule "always"
    next
end
To check the results:

Traffic on both PC120 and PC117 is passed successfully.

The WAD debugs show:

[V][p:294][s:650635][r:83886096] wad_fw_policy_match_dev_grp       :4651  dev tag matching, info=0x7f863d7e3430, tag_cnt=8, on_line=1,conf ems-tag size=2
[V][p:294][s:650635][r:83886096] wad_fw_policy_match_dev_grp       :4666  pol_id = 1 matched dev id = 18
[V][p:294][s:650635][r:83886096] wad_fw_policy_match_dev           :4705  pol_id = 1 matched = 1
[I][p:294][s:650635][r:83886096] wad_http_req_policy_set           :8009  match pid=294 policy-id=1 vd=0 in_if=4, out_if=13 10.1.100.117:55597 -> 172.18.62.27:443
[V][p:294][s:650635][r:83886096] wad_https_ap_pol_info_get         :7946  policy info created, req=0x7f863d90a048, ses_ctx=0x7f863fc79ad8, info=0x7f863d7f7bb0
[V][p:290][s:650172][r:16777220] wad_fw_policy_match_dev_grp       :4651  dev tag matching, info=0x7f1ad65a1228, tag_cnt=12, on_line=1,conf ems-tag size=2
[V][p:290][s:650172][r:16777220] wad_fw_policy_match_dev_grp       :4666  pol_id = 1 matched dev id = 18
[V][p:290][s:650172][r:16777220] wad_fw_policy_match_dev           :4705  pol_id = 1 matched = 1
[I][p:290][s:650172][r:16777220] wad_http_req_policy_set           :8009  match pid=290 policy-id=1 vd=0 in_if=4, out_if=13 10.1.100.120:50865 -> 172.18.62.27:443
[V][p:290][s:650172][r:16777220] wad_https_ap_pol_info_get         :7946  policy info created, req=0x7f1ad3ef1048, ses_ctx=0x7f1ad652ead8, info=0x7f1ad3e76048
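The following Python script is an added example, not part of this Fortinet page and not FortiOS code. It parses a constructed cache dump modelled on the `diagnose test application fcnacd 7` output above (trimmed to the fields that matter for tag matching) and applies both `ztna-tags-match-logic` settings to the two endpoints, so you can predict from the cache which clients a rule will pass or deny before changing the policy. It assumes, based on the WAD debug lines, that a policy tag name is the EMS serial number joined to the bare tag name with an underscore, and that an endpoint reported offline never matches; neither is documented on this page.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the `diagnose test application fcnacd 7`
# output on this page; fields not used for tag matching are omitted.
FCNACD_SAMPLE = """\
ZTNA Cache V2:

Entry #1:

 - User: tester1
 - EMS SN: FCTEMS8821001056
 - online: true
 - Routes (2):
  -- Route #0: IP=10.1.100.120, vfid=0
 - Tags (6):
  -- Tag (#0): ems138_running_app_tag
  -- Tag (#1): all_registered_clients
  -- Tag (#2): ems138_av_tag
  -- Tag (#3): ems138_vulnerability_tag
  -- Tag (#4): ems138_management_tag
  -- Tag (#5): Low

Entry #2:

 - User: frank_117
 - EMS SN: FCTEMS8821001056
 - online: true
 - Routes (2):
  -- Route #0: IP=10.1.100.117, vfid=0
 - Tags (4):
  -- Tag (#0): Low
  -- Tag (#1): all_registered_clients
  -- Tag (#2): ems138_av_tag
  -- Tag (#3): ems138_management_tag
"""

# Tags exactly as configured with `set ztna-ems-tag` in the page's proxy-policy.
RULE_TAGS = ["FCTEMS8821001056_ems138_av_tag",
             "FCTEMS8821001056_ems138_running_app_tag"]


@dataclass
class ZtnaClient:
    user: str
    ems_sn: str
    online: bool
    ips: list
    tags: set

    def qualified_tags(self) -> set:
        # Assumption drawn from the WAD debug output: the policy refers to
        # tags as "<EMS SN>_<tag>" while the cache lists bare tag names.
        return {f"{self.ems_sn}_{tag}" for tag in self.tags}


def parse_fcnacd_cache(text: str) -> list:
    """Split the cache dump into entries and extract the fields we match on."""
    clients = []
    for block in re.split(r"^Entry #\d+:", text, flags=re.M)[1:]:
        def field(name: str) -> str:
            m = re.search(rf"^\s*- {re.escape(name)}:[ \t]*(.*)$", block, flags=re.M)
            return m.group(1).strip() if m else ""

        clients.append(ZtnaClient(
            user=field("User"),
            ems_sn=field("EMS SN"),
            online=field("online").lower() == "true",
            ips=re.findall(r"IP=(\d+\.\d+\.\d+\.\d+)", block),
            tags=set(re.findall(r"^\s*-- Tag \(#\d+\): (\S+)", block, flags=re.M)),
        ))
    return clients


def missing_tags(client: ZtnaClient, rule_tags) -> list:
    """Configured tags the endpoint lacks; a non-empty list means AND fails."""
    return sorted(set(rule_tags) - client.qualified_tags())


def rule_matches(client: ZtnaClient, rule_tags, match_logic: str) -> bool:
    """Apply ztna-tags-match-logic: 'and' needs every tag, 'or' needs any one."""
    if not client.online:
        return False  # assumption: an offline endpoint never matches
    have = client.qualified_tags()
    wanted = set(rule_tags)
    if match_logic == "and":
        return wanted <= have
    if match_logic == "or":
        return bool(wanted & have)
    raise ValueError(f"unknown ztna-tags-match-logic: {match_logic!r}")


def evaluate(cache_text: str, rule_tags, match_logic: str) -> dict:
    """Map each endpoint's first route IP to whether the rule would match it."""
    return {c.ips[0]: rule_matches(c, rule_tags, match_logic)
            for c in parse_fcnacd_cache(cache_text) if c.ips}
```

With the rule tags from the page, `evaluate(FCNACD_SAMPLE, RULE_TAGS, "and")` reports PC120 as matched and PC117 as not matched, and `missing_tags` on PC117 names the absent running-app tag, which is the same outcome the WAD debug shows with `pol_id = 1 matched = 0` and `POLICY DENIED`; switching the logic to `"or"` matches both endpoints, as in the second example.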
