ZTNA IP MAC filtering example

In this example, firewall policies are configured in ZTNA IP/MAC filtering mode, using ZTNA tags to control access between on-net devices and an internal web server. This mode does not use the ZTNA access proxy; the endpoint's ZTNA tags, as reported by FortiClient EMS, are the only thing the policy checks. Traffic is allowed only when the FortiClient endpoint carries the Low (low-risk) tag, and it is denied when the endpoint is tagged Malicious-File-Detected.

This example assumes that the FortiGate EMS fabric connector is already successfully connected.


To configure ZTNA in the GUI, go to System > Feature Visibility and enable Zero Trust Network Access.

To configure a Zero Trust tagging rule on the FortiClient EMS:
  1. Log in to the FortiClient EMS.

  2. Go to Zero Trust Tags > Zero Trust Tagging Rules, and click Add.

  3. In the Name field, enter Malicious-File-Detected.

  4. In the Tag Endpoint As dropdown list, select Malicious-File-Detected.

    EMS uses this tag to dynamically group together endpoints that satisfy the rule, as well as any other rules that are configured to use this tag.

  5. Click Add Rule then configure the rule:

    1. For OS, select Windows.

    2. From the Rule Type dropdown list, select File and click the + button.

    3. Enter a file path, such as C:\virus.txt. The rule matches an endpoint on which this file is present, so creating an empty file at that path on a test endpoint is a convenient way to trigger the tag and confirm that the deny policy takes effect.

    4. Click Save.
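The FortiGate side of this scenario, as an added example written against the FortiOS firewall policy CLI (this is not the page's own configuration). It assumes the EMS fabric connector is named EMS1, so the tags appear on the FortiGate as dynamic addresses named EMS1_ZTNA_Low and EMS1_ZTNA_Malicious-File-Detected; that the on-net clients sit behind port2 and the web server behind port1; and that an address object named webserver already exists. Adjust the interface, address and tag names to match your unit.

```fortios
# Added example, not from the original page. Assumed names: connector EMS1,
# client interface port2, server interface port1, address object "webserver".
config firewall policy
    # Deny policy first: an endpoint EMS has tagged Malicious-File-Detected
    # is blocked even if it still carries the Low tag as well.
    edit 1
        set name "ZTNA-deny-malicious"
        set srcintf "port2"
        set dstintf "port1"
        set action deny
        set srcaddr "all"
        set dstaddr "webserver"
        set schedule "always"
        set service "HTTP" "HTTPS"
        set ztna-status enable
        set ztna-ems-tag "EMS1_ZTNA_Malicious-File-Detected"
        set logtraffic all
    next
    # Allow policy second: only endpoints tagged Low reach the server.
    # Untagged endpoints match neither policy and fall to the implicit deny.
    edit 2
        set name "ZTNA-allow-low"
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "webserver"
        set schedule "always"
        set service "HTTP" "HTTPS"
        set ztna-status enable
        set ztna-ems-tag "EMS1_ZTNA_Low"
        set logtraffic all
    next
end
```

Policy order is the security-relevant detail here: FortiGate evaluates policies top-down and stops at the first match, so placing the allow policy above the deny policy would let an endpoint that is tagged both Low and Malicious-File-Detected through. To check that the tags have actually arrived from EMS before trusting the policies, run `diagnose firewall dynamic list` and confirm that the test endpoint's IP/MAC appears under the expected tag, and `diagnose endpoint record list` to see the endpoint record FortiClient has registered. If the test endpoint shows up under EMS1_ZTNA_Low but not under EMS1_ZTNA_Malicious-File-Detected after the file has been created, the tag has not propagated yet (EMS tag updates are not instantaneous) or the tagging rule did not match.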