Administration Guide

Tagging

You can create zero trust network access tagging rules for Windows, macOS, Linux, iOS, and Android endpoints based on their OS versions, logged in domains, running processes, and other criteria. FortiSASE uses the rules to dynamically tag endpoints.

The following occurs when using tagging rules with FortiSASE and FortiClient:

  1. FortiSASE sends tagging rules to endpoints.
  2. FortiClient checks endpoints using the provided rules and sends the results to FortiSASE.
  3. FortiSASE receives the results from FortiClient.
  4. FortiSASE dynamically tags endpoints using the tag configured for each rule. You can view the dynamically tagged endpoints in Configuration > Tagging.

See Tagging rule types for descriptions of all tagging rule types.

You can use tags to build dynamic policies that do not need to be manually reconfigured whenever endpoint statuses change. For example, suppose you want to block endpoints that are running Windows 7 and do not have antivirus (AV) running from accessing the internet. You would configure the following:

  • A rule that applies a "Win7NoAV" tag to endpoints that are running Windows 7 and do not have AV running
  • A policy that blocks endpoints with the Win7NoAV tag applied from accessing the internet.

As FortiSASE receives information from endpoints, it dynamically applies and removes the Win7NoAV tag. For example, if an endpoint that previously had the Win7NoAV tag applied upgraded to Windows 10 and enabled the FortiClient AV feature, FortiSASE would automatically remove the Win7NoAV tag from the endpoint. That endpoint would then be able to access the internet.

The following instructions detail how to configure a dynamic policy that uses tags, using the Win7NoAV example:

To configure a dynamic policy using tags:
  1. Configure the tagging rule set:
    1. Go to Configuration > ZTNA Tagging. Click the ZTNA Tagging Rules tab, then click Create.
    2. In the Name field, enter the desired rule set name.
    3. Toggle Enabled on or off to enable or disable the rule.
    4. (Optional) In the Comments field, enter any desired comments.
    5. Under When the following rules match, click Create.
    6. Configure the AV rule:
      1. For OS, select Windows.
      2. From the Rule Type dropdown list, select AntiVirus.
      3. From the AntiVirus dropdown list, select AntiVirus Software is installed and running.
      4. Toggle Negate to On.
      5. Click OK.
    7. Configure the OS rule:
      1. For OS, select Windows.
      2. From the Rule Type dropdown list, select Operating System Version.
      3. From the Operating System Version dropdown list, select Windows 7.
      4. Click OK.
    8. In the Tag Name dropdown list, create a tag named "Win7NoAV".
    9. Click OK.
  2. Configure the tag as a source in a policy:
    1. Go to Configuration > Policies.
    2. Select the Internet Access or Secure Private Access tab to create an internet or private access policy, respectively.
    3. Click Create.
    4. In the Source field, click +. From the Select Entries panel, under EMS Tag, select the Win7NoAV tag.
    5. For Destination, select All Internet Traffic.
    6. For Action, select Deny.
    7. Click OK.
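The following is an added illustration, not FortiSASE or FortiClient code, that models the evaluation the guide describes: the negated AV rule and the Windows 7 OS rule are combined into one rule set, the tag is re-evaluated on every endpoint report, and a policy with the tag as source denies internet access. It assumes that all rules in a rule set must match for the tag to apply, and the endpoint reports and function names are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    rule_type: str       # "AntiVirus" or "Operating System Version"
    value: str           # for OS rules, the version to match, e.g. "Windows 7"
    negate: bool = False  # the Negate toggle inverts the rule result


@dataclass
class Endpoint:
    os_version: str      # constructed FortiClient report fields
    av_running: bool
    tags: set = field(default_factory=set)


def rule_matches(rule: Rule, ep: Endpoint) -> bool:
    """Evaluate one tagging rule against an endpoint report, honouring Negate."""
    if rule.rule_type == "AntiVirus":
        result = ep.av_running          # "AntiVirus Software is installed and running"
    elif rule.rule_type == "Operating System Version":
        result = ep.os_version == rule.value
    else:
        raise ValueError(f"unknown rule type: {rule.rule_type}")
    return (not result) if rule.negate else result


def apply_rule_set(tag: str, rules: list, ep: Endpoint) -> set:
    """Add the tag when every rule matches (assumed AND semantics), else remove it."""
    if all(rule_matches(r, ep) for r in rules):
        ep.tags.add(tag)
    else:
        ep.tags.discard(tag)
    return ep.tags


def internet_policy(ep: Endpoint, deny_tag: str = "Win7NoAV") -> str:
    """Policy whose source is the EMS tag: Deny when the tag is present."""
    return "deny" if deny_tag in ep.tags else "allow"


WIN7_NO_AV_RULES = [
    Rule("AntiVirus", "installed and running", negate=True),
    Rule("Operating System Version", "Windows 7"),
]


def replay_scenario() -> tuple:
    """Windows 7 host without AV, then the same host after upgrading and enabling AV."""
    ep = Endpoint("Windows 7", av_running=False)
    apply_rule_set("Win7NoAV", WIN7_NO_AV_RULES, ep)
    before = internet_policy(ep)
    ep.os_version, ep.av_running = "Windows 10", True   # next report re-evaluates the tag
    apply_rule_set("Win7NoAV", WIN7_NO_AV_RULES, ep)
    return before, internet_policy(ep)
```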
