7.2.5

Configuring EMS ZTNA tagging rules

ZTNA tagging rules define the security posture checks that should be performed on the FortiClient endpoints. They may reveal the current AD group status, whether the endpoint has AntiVirus software installed, whether it is logged on to a domain, and various information about the device such as OS version, running processes, or registry key values. They may also reveal the device's vulnerability level, the presence of a specific vulnerability by CVE, and other threat-related posture on the device. These tags are valuable input to the FortiGate ZTNA application gateway, which passes them through the trust algorithm in order to make a policy decision and perform enforcement.

There are many tagging rules to choose from, and the selection will be specific to each organization. For general steps on how to define tagging rules, see Zero Trust Tagging Rules.

The following example demonstrates how to configure a rule for detecting the presence of a Critical vulnerability on an endpoint.

To configure a rule for detecting the presence of a Critical Vulnerability:
  1. Go to Zero Trust Tags > Zero Trust Tagging Rules.

  2. Click Add.

  3. Enter the name Critical-Vulnerability.

  4. For Tag Endpoint As, click the drop-down menu and enter Critical-Vulnerability.

  5. Press Enter.

  6. Under Rules, click Add Rule.

  7. In the Add New Rule dialog, configure the following:

    1. Set OS as Windows OS.

    2. Set Rule Type as Vulnerable Devices.

    3. Set Severity Level as Critical.

    4. Click Save.

  8. Click Save again.

To create another ZTNA tag for Domain Users:
  1. Go to Zero Trust Tags > Zero Trust Tagging Rules.

  2. Click Add.

  3. Enter the name Domain-Users.

  4. For Tag Endpoint As, click the drop-down menu and enter Domain-Users.

  5. Press Enter.

  6. Under Rules, click Add Rule.

  7. In the Add New Rule dialog, configure the following:

    1. Set OS as Windows OS.

    2. Set Rule Type as User in AD Group.

    3. Disable Evaluate on FortiClient.

    4. Set AD Group as Users/Domain Users.

    5. Click Save.

  8. Click Save again.
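The two tagging rules above produce tags that the FortiGate ZTNA gateway consumes when it makes a policy decision. The following Python model is an added illustration (not EMS or FortiGate code) of that flow: each tagging rule from the procedures is expressed as data, a constructed set of endpoints is evaluated against them, and a simple gateway decision is derived from the resulting tags. The rule semantics are assumptions: a tag is applied when all conditions of at least one of its rules match, a "Vulnerable Devices" rule with Severity Level Critical matches any vulnerability at or above Critical, and the CVE identifiers on the sample endpoints are placeholders rather than real findings.

```python
"""Hypothetical model of EMS-style ZTNA tagging rules and a gateway
trust decision. Added example; not FortiClient EMS or FortiGate code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Ordering used by the (assumed) severity threshold comparison.
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


@dataclass
class Endpoint:
    name: str
    os: str                                   # e.g. "Windows OS"
    ad_groups: Set[str]                       # AD groups the logged-on user belongs to
    vulnerabilities: List[Tuple[str, str]]    # (cve_id, severity) pairs


@dataclass
class Rule:
    os: str
    rule_type: str                            # "Vulnerable Devices" or "User in AD Group"
    severity: Optional[str] = None            # for "Vulnerable Devices"
    ad_group: Optional[str] = None            # for "User in AD Group"


@dataclass
class TaggingRule:
    tag: str                                  # value of "Tag Endpoint As"
    rules: List[Rule]


def rule_matches(rule: Rule, ep: Endpoint) -> bool:
    """A rule matches only for the configured OS and its rule-type condition."""
    if rule.os != ep.os:
        return False
    if rule.rule_type == "Vulnerable Devices":
        # Assumption: the configured severity acts as a minimum threshold.
        threshold = SEVERITY_RANK[rule.severity]
        return any(SEVERITY_RANK[sev] >= threshold for _, sev in ep.vulnerabilities)
    if rule.rule_type == "User in AD Group":
        return rule.ad_group in ep.ad_groups
    raise ValueError(f"unknown rule type {rule.rule_type!r}")


def evaluate_tags(tagging_rules: List[TaggingRule], ep: Endpoint) -> Set[str]:
    """Apply a tag when any one of its rules matches the endpoint (assumption)."""
    return {tr.tag for tr in tagging_rules
            if any(rule_matches(r, ep) for r in tr.rules)}


def gateway_decision(tags: Set[str]) -> str:
    """Illustrative trust decision: a critical vulnerability denies access even
    for a domain user; otherwise only tagged domain users are allowed."""
    if "Critical-Vulnerability" in tags:
        return "deny"
    if "Domain-Users" in tags:
        return "allow"
    return "deny"


# The two tagging rules configured in the procedures above.
TAGGING_RULES = [
    TaggingRule("Critical-Vulnerability",
                [Rule("Windows OS", "Vulnerable Devices", severity="Critical")]),
    TaggingRule("Domain-Users",
                [Rule("Windows OS", "User in AD Group", ad_group="Users/Domain Users")]),
]

# Constructed sample endpoints; CVE ids are placeholders, not real findings.
ENDPOINTS = [
    Endpoint("ws-01", "Windows OS", {"Users/Domain Users"}, [("CVE-XXXX-0001", "Critical")]),
    Endpoint("ws-02", "Windows OS", {"Users/Domain Users"}, [("CVE-XXXX-0002", "Medium")]),
    Endpoint("ws-03", "Windows OS", set(), []),
    Endpoint("mac-01", "Mac OS", {"Users/Domain Users"}, [("CVE-XXXX-0003", "Critical")]),
]


def evaluate_all(tagging_rules: List[TaggingRule] = TAGGING_RULES,
                 endpoints: List[Endpoint] = ENDPOINTS) -> Dict[str, Tuple[Set[str], str]]:
    """Return {endpoint name: (tags, gateway decision)} for every endpoint."""
    result = {}
    for ep in endpoints:
        tags = evaluate_tags(tagging_rules, ep)
        result[ep.name] = (tags, gateway_decision(tags))
    return result


if __name__ == "__main__":
    for name, (tags, decision) in evaluate_all().items():
        print(f"{name:7} tags={sorted(tags)} -> {decision}")
```

Note that the Windows-only rules leave `mac-01` untagged even though it carries a critical finding, so the gateway falls through to deny; this is the reason to configure a matching rule per OS that the organization actually uses rather than relying on an absent tag. The model also does not distinguish where a rule is evaluated (the "Evaluate on FortiClient" setting in the AD Group procedure); it only shows the tag outcome.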

Additionally, it is useful to display the ZTNA tags on the FortiClient endpoint so users and administrators can see which tags are currently applied.

To configure the ZTNA tag to display on the FortiClient:
  1. Go to Endpoint Profiles > System Settings.

  2. Edit the Default profile under System Settings.

  3. Ensure that Advanced settings is selected (top right of window).

  4. Under UI, enable Show Zero Trust Tag on FortiClient GUI.

  5. Click Save to save changes.
