ZTNA tags (formerly FortiClient EMS tags in FortiOS 6.4 and earlier) are tags synchronized from FortiClient EMS as dynamic address objects on the FortiGate. FortiClient EMS uses zero-trust tagging rules to automatically tag managed endpoints based on various attributes detected by the FortiClient. When the FortiGate establishes a connection with the FortiClient EMS server via the EMS Fabric connector, it pulls zero-trust tags containing device IP and MAC addresses and converts them to read-only dynamic address objects. It also establishes a persistent WebSocket connection to monitor for changes in zero-trust tags, which keeps the device information current. These ZTNA tags can then be used in ZTNA rules, firewall rules, and NAC policies to perform security posture checks. ZTNA tags are displayed in the Device Inventory widget, FortiClient widget, and Asset Identity Center page.
When using WebSocket, EMS pushes notifications to the corresponding FortiGate when there are updates to tags or other monitored attributes. The FortiGate then fetches the updated information using the REST API over TCP/8013. When WebSocket is not used (due to an override or unsupported EMS version), updates are triggered on demand from the FortiGate side over the REST API.
If the WebSocket capability is detected, the capabilities setting will automatically display the WebSocket option. You can use the diagnose test application fcnacd 2 command to view the status of the WebSocket connection.
In the following example, the FortiGate connects to and retrieves ZTNA tags from a FortiClient EMS configured with tagging rules. It is assumed that zero-trust tags and rules are already created on the FortiClient EMS. For more information, see the Zero Trust Tags section of the EMS Administration Guide.
- On the FortiClient EMS, go to Zero Trust Tags > Zero Trust Tagging Rules to view the tags.
- On the FortiClient EMS, go to Zero Trust Tags > Zero Trust Tag Monitor to view the registered users who match the defined tag.
- Configure the EMS Fabric connector:
    - On the root FortiGate, go to Security Fabric > Fabric Connectors.
    - Click Create New and click FortiClient EMS.
    - Enable Synchronize firewall addresses.
    - Configure the other settings as needed and validate the certificate.
    - Click OK.
- Enable ZTNA:
    - Go to System > Feature Visibility and enable Zero Trust Network Access.
    - Click Apply.
    - Go to Policy & Objects > ZTNA and select the ZTNA Tags tab. You will see the ZTNA IP and ZTNA MAC tags synchronized from the FortiClient EMS.
- Configure the EMS Fabric connector on the root FortiGate:

        config endpoint-control fctems
            edit "WIN10-EMS"
                set server "192.168.20.10"
                set https-port 443
                set pull-sysinfo enable
                set pull-vulnerabilities enable
                set pull-avatars enable
                set pull-tags enable
                set pull-malware-hash enable
                set capabilities fabric-auth silent-approval websocket
            next
        end

- Verify which IPs the dynamic firewall address resolves to:

        # diagnose firewall dynamic list
        List all dynamic addresses:
        FCTEMS0000100000_all_registered_clients: ID(51)
                ADDR(172.17.194.209)
                ADDR(10.10.10.20)
                …
        FCTEMS0000100000_Low: ID(78)
                ADDR(172.17.194.209)
                ADDR(10.10.10.20)
                …
        FCTEMS0000100000_Malicious-File-Detected: ID(190)
                ADDR(172.17.194.209)
                ADDR(10.10.10.20)
                …
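The diagnose output above is what an administrator has to read when checking whether an endpoint currently carries a given ZTNA tag, for example before trusting a posture-based policy decision. The following Python script is an added example (not Fortinet code and not part of this guide) that parses that output format into a lookup table and answers the question "which synchronized tags contain this endpoint IP?". The sample text is constructed to mirror the page's output; the address names, IDs and IPs are illustrative, and the deny-tag list is an assumption chosen for the demonstration.

```python
import re

# Constructed sample modelled on the "diagnose firewall dynamic list" output
# shown above. Names, IDs and addresses are illustrative, not from a real FortiGate.
SAMPLE_OUTPUT = """\
List all dynamic addresses:
FCTEMS0000100000_all_registered_clients: ID(51)
        ADDR(172.17.194.209)
        ADDR(10.10.10.20)
FCTEMS0000100000_Low: ID(78)
        ADDR(172.17.194.209)
        ADDR(10.10.10.20)
FCTEMS0000100000_Malicious-File-Detected: ID(190)
        ADDR(172.17.194.209)
"""

# A dynamic address header line: "<name>: ID(<n>)", optionally followed by ADDR(...) entries.
NAME_RE = re.compile(r"^(?P<name>\S+):\s+ID\((?P<id>\d+)\)")
ADDR_RE = re.compile(r"ADDR\(([^)]+)\)")


def parse_dynamic_list(text):
    """Parse CLI output into {address_name: {"id": int, "addrs": [ip, ...]}}.

    ADDR(...) entries are accepted either on the header line or on the
    indented lines that follow it, so both layouts of the output are handled.
    """
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = NAME_RE.match(line)
        if m:
            current = m.group("name")
            result[current] = {"id": int(m.group("id")), "addrs": []}
        if current is not None:
            result[current]["addrs"].extend(ADDR_RE.findall(line))
    return result


def tag_name(address_name):
    """Strip the EMS serial prefix (e.g. 'FCTEMS0000100000_') to get the bare tag name."""
    return address_name.split("_", 1)[1] if "_" in address_name else address_name


def tags_for_endpoint(parsed, ip):
    """Return the sorted list of dynamic address names whose member list contains ip."""
    return sorted(name for name, entry in parsed.items() if ip in entry["addrs"])


def matches_deny_tag(parsed, ip, deny_tags):
    """True if the endpoint is a member of any tag in deny_tags (bare tag names).

    deny_tags is a hypothetical operator-maintained list of posture tags that
    should block access, e.g. a malware-detected tag.
    """
    return any(tag_name(name) in deny_tags for name in tags_for_endpoint(parsed, ip))


if __name__ == "__main__":
    parsed = parse_dynamic_list(SAMPLE_OUTPUT)
    for ip in ("172.17.194.209", "10.10.10.20", "10.10.10.99"):
        tags = [tag_name(n) for n in tags_for_endpoint(parsed, ip)]
        blocked = matches_deny_tag(parsed, ip, {"Malicious-File-Detected"})
        print(f"{ip}: tags={tags} deny={blocked}")
```

Running the script with the constructed sample reports that 172.17.194.209 carries the Malicious-File-Detected tag while 10.10.10.20 does not, and that 10.10.10.99 is not registered at all. On a live system the input would be the output of the diagnose command rather than the embedded sample.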