Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    Administration Guide

    Home FortiGate / FortiOS 7.6.1 Administration Guide
    7.6.1
    7.6.6
    7.6.5
    7.6.4
    7.6.3
    7.6.2
    7.6.1
    7.6.0
    7.4.11
    7.4.10
    7.4.9
    7.4.8
    7.4.7
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.13
    7.2.12
    7.2.11
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.19
    7.0.18
    7.0.17
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.0

    Types of security posture tags

    Types of security posture tags

    Security posture tags are tags retrieved from FortiClient EMS once a FortiGate is connected to an EMS through the security fabric connector. FortiGate can retrieve different categories of tags from EMS:

    Category

    Description

    Security posture tags (Zero trust tags in earlier EMS versions)

    Generated from tagging rules configured on FortiClient EMS. Tags are based on various posture checks that can be applied to the endpoints. Tags are synchronized from EMS to FortiGate by default.

    Classification tags

    Custom tags manually assigned by the EMS administrator to endpoints.

    FortiGuard outbreak alert tags

    Outbreak alerts inform EMS about vulnerabilities on an application or endpoint that is part of a recent outbreak.

    See FortiGuard Outbreak Alerts.

    Fabric tags

    Fabric tags are retrieved from FortiAnalyzer to EMS when endpoint logs trigger indicators of compromise (IOC) on a specific endpoint.

    For more information about each type of tag on FortiClient EMS, see Fabric Devices.

    By default, only security posture tags/zero trust tags are synchronized from EMS to FortiGate. On EMS, you can enable other tags to be synchronized.

    To synchronize classification tags from EMS:

    1. From FortiClient EMS, go to Endpoints > All Endpoints.

    2. Select an endpoint to view its summary.

    3. Under Classification Tags, click Add to add a new custom tag.

    4. From Fabric & Connectors > Fabric Devices, find the FortiGate that requires the use of these tags.

    5. Click Edit to update its synchronization settings.

    6. Under Tag Types Being Shared, select all types that apply. In this example, Classification Tags is selected in addition to the default Zero Trust Tags.

    7. Click Update to save.

    8. On the FortiGate, go to Policy & Objects > ZTNA. Switch to the Security Posture Tags tab.

      Aside from the Security Posture type tags generated from tagging rules, Classification type tags are also retrieved.

    Using any versus all tags inside a ZTNA policy

    When configuring the ZTNA policy to control access, the Security posture tags option can be set to Any or All:

    • When set to Any, an endpoint must satisfy only one of the defined security posture tags to pass this check.

    • When set to All, an endpoint must satisfy all of the defined security posture tags to pass this check.

    Example 1: Using the Any tag

    1. A simple ZTNA policy is configured where the Security posture tag is set to Any, with the tags FortiAD and Low-Risk.

    2. An endpoint with only the FortiAD tag connects.

    3. The endpoint can connect to the server.

    4. From the CLI, ZTNA logs indicate that the traffic was allowed.

      # execute log filter field subtype ztna
# execute log display 
…
2: date=2025-01-07 time=10:57:00 eventtime=1736276220378088305 tz="-0800" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.0.3.2 srcport=17322 srcintf="port3" srcintfrole="wan" dstcountry="Reserved" srccountry="Reserved" dstip=10.0.3.10 dstport=9043 dstintf="root" dstintfrole="undefined" sessionid=8876 srcuuid="b458a65a-f759-51ea-d7df-ef2e750026d1" service="tcp/9043" proxyapptype="http" proto=6 action="accept" policyid=17 policytype="policy" poluuid="8065fc36-cd28-51ef-cd5a-84f5ae253c13" policyname="ZTNA-webserver-allow" appcat="unscanned" duration=0 vip="ZTNA-webserver" accessproxy="ZTNA-webserver" clientdevicemanageable="unknown" clientcert="no" wanin=0 rcvdbyte=0 wanout=0 lanin=1764 sentbyte=1764 lanout=3049

    Example 2: Using the All tag

    1. A simple ZTNA policy is configured where the Security posture tag is set to All, with the tags FortiAD and Low-Risk.

    2. An endpoint with only the FortiAD tag connects.

    3. It is unable to connect to the server, and a denied message appears.

    4. From the CLI, ZTNA logs indicate that the implicit policy denied traffic. Security posture tags are logged under clientdevicetags, and it indicates the tags registered to the endpoint. Low-Risk is not associated with this endpoint.

      # execute log filter field subtype ztna
# execute log display 
5 logs found.
5 logs returned.

1: date=2025-01-07 time=10:57:02 eventtime=1736276222045366174 tz="-0800" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.0.3.2 srcport=17325 srcintf="port3" srcintfrole="wan" dstcountry="Reserved" srccountry="Reserved" dstip=10.0.3.10 dstport=9043 dstintf="root" dstintfrole="undefined" sessionid=8877 srcuuid="b458a65a-f759-51ea-d7df-ef2e750026d1" dstuuid="4d6d23e0-cd28-51ef-164e-8f29b4c8bf51" service="tcp/9043" proxyapptype="http" proto=6 action="deny" policyid=0 policytype="policy" appcat="unscanned" duration=0 vip="ZTNA-webserver" accessproxy="ZTNA-webserver" clientdeviceid="9A016B5A6E914B42AD4168C066EB04CA" clientdevicemanageable="manageable" clientdeviceems="FCTEMS8824006771" clientdevicetags="all_registered_clients/CLASS_Office-PC/FortiAD/CLASS_Low/CLASS_Windows-Endpoint" clientcert="yes" emsconnection="online" msg="Traffic denied because failed to match a policy or proxy-policy" wanin=0 rcvdbyte=0 wanout=0 lanin=3688 sentbyte=3688 lanout=3446 fctuid="9A016B5A6E914B42AD4168C066EB04CA" crscore=30 craction=131072 crlevel="high"
    Previous
    Next

    Types of security posture tags

    Types of security posture tags

    Security posture tags are tags retrieved from FortiClient EMS once a FortiGate is connected to an EMS through the security fabric connector. FortiGate can retrieve different categories of tags from EMS:

    Category

    Description

    Security posture tags (Zero trust tags in earlier EMS versions)

    Generated from tagging rules configured on FortiClient EMS. Tags are based on various posture checks that can be applied to the endpoints. Tags are synchronized from EMS to FortiGate by default.

    Classification tags

    Custom tags manually assigned by the EMS administrator to endpoints.

    FortiGuard outbreak alert tags

    Outbreak alerts inform EMS about vulnerabilities on an application or endpoint that is part of a recent outbreak.

    See FortiGuard Outbreak Alerts.

    Fabric tags

    Fabric tags are retrieved from FortiAnalyzer to EMS when endpoint logs trigger indicators of compromise (IOC) on a specific endpoint.

    For more information about each type of tag on FortiClient EMS, see Fabric Devices.

    By default, only security posture tags/zero trust tags are synchronized from EMS to FortiGate. On EMS, you can enable other tags to be synchronized.

    To synchronize classification tags from EMS:

    1. From FortiClient EMS, go to Endpoints > All Endpoints.

    2. Select an endpoint to view its summary.

    3. Under Classification Tags, click Add to add a new custom tag.

    4. From Fabric & Connectors > Fabric Devices, find the FortiGate that requires the use of these tags.

    5. Click Edit to update its synchronization settings.

    6. Under Tag Types Being Shared, select all types that apply. In this example, Classification Tags is selected in addition to the default Zero Trust Tags.

    7. Click Update to save.

    8. On the FortiGate, go to Policy & Objects > ZTNA. Switch to the Security Posture Tags tab.

      Aside from the Security Posture type tags generated from tagging rules, Classification type tags are also retrieved.

    Using any versus all tags inside a ZTNA policy

    When configuring the ZTNA policy to control access, the Security posture tags option can be set to Any or All:

    • When set to Any, an endpoint must satisfy only one of the defined security posture tags to pass this check.

    • When set to All, an endpoint must satisfy all of the defined security posture tags to pass this check.

    Example 1: Using the Any tag

    1. A simple ZTNA policy is configured where the Security posture tag is set to Any, with the tags FortiAD and Low-Risk.

    2. An endpoint with only the FortiAD tag connects.

    3. The endpoint can connect to the server.

    4. From the CLI, ZTNA logs indicate that the traffic was allowed.

      # execute log filter field subtype ztna
# execute log display 
…
2: date=2025-01-07 time=10:57:00 eventtime=1736276220378088305 tz="-0800" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.0.3.2 srcport=17322 srcintf="port3" srcintfrole="wan" dstcountry="Reserved" srccountry="Reserved" dstip=10.0.3.10 dstport=9043 dstintf="root" dstintfrole="undefined" sessionid=8876 srcuuid="b458a65a-f759-51ea-d7df-ef2e750026d1" service="tcp/9043" proxyapptype="http" proto=6 action="accept" policyid=17 policytype="policy" poluuid="8065fc36-cd28-51ef-cd5a-84f5ae253c13" policyname="ZTNA-webserver-allow" appcat="unscanned" duration=0 vip="ZTNA-webserver" accessproxy="ZTNA-webserver" clientdevicemanageable="unknown" clientcert="no" wanin=0 rcvdbyte=0 wanout=0 lanin=1764 sentbyte=1764 lanout=3049

    Example 2: Using the All tag

    1. A simple ZTNA policy is configured where the Security posture tag is set to All, with the tags FortiAD and Low-Risk.

    2. An endpoint with only the FortiAD tag connects.

    3. It is unable to connect to the server, and a denied message appears.

    4. From the CLI, ZTNA logs indicate that the implicit policy denied traffic. Security posture tags are logged under clientdevicetags, and it indicates the tags registered to the endpoint. Low-Risk is not associated with this endpoint.

      # execute log filter field subtype ztna
# execute log display 
5 logs found.
5 logs returned.

1: date=2025-01-07 time=10:57:02 eventtime=1736276222045366174 tz="-0800" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.0.3.2 srcport=17325 srcintf="port3" srcintfrole="wan" dstcountry="Reserved" srccountry="Reserved" dstip=10.0.3.10 dstport=9043 dstintf="root" dstintfrole="undefined" sessionid=8877 srcuuid="b458a65a-f759-51ea-d7df-ef2e750026d1" dstuuid="4d6d23e0-cd28-51ef-164e-8f29b4c8bf51" service="tcp/9043" proxyapptype="http" proto=6 action="deny" policyid=0 policytype="policy" appcat="unscanned" duration=0 vip="ZTNA-webserver" accessproxy="ZTNA-webserver" clientdeviceid="9A016B5A6E914B42AD4168C066EB04CA" clientdevicemanageable="manageable" clientdeviceems="FCTEMS8824006771" clientdevicetags="all_registered_clients/CLASS_Office-PC/FortiAD/CLASS_Low/CLASS_Windows-Endpoint" clientcert="yes" emsconnection="online" msg="Traffic denied because failed to match a policy or proxy-policy" wanin=0 rcvdbyte=0 wanout=0 lanin=3688 sentbyte=3688 lanout=3446 fctuid="9A016B5A6E914B42AD4168C066EB04CA" crscore=30 craction=131072 crlevel="high"
    Previous
    Next