Configuring ZTNA tags and tagging rules

Zero Trust Network Access (ZTNA) tags and tagging rules help identify attributes on the endpoints used for posture check on the FortiGate. This example creates two tags: HighSeverity and WinDefender. The goal is to identify whether a Windows endpoint has a high or higher vulnerability status, and whether it has Windows Defender enabled. You will use these tags in the ZTNA policy definition on the FortiGate.

To configure the HighSeverity tag and tagging rule:
  1. Go to Configuration > Endpoints > ZTNA Tagging > ZTNA Tags. Click Create.
  2. In the Name field, enter HighSeverity. Click OK.
  3. Go to the ZTNA Tagging Rules tab. Click Create, and configure the rule:
    1. In the Name field, enter HighSeverity.
    2. Under When the following rules match, click Create.
    3. For Operating System, select Windows.
    4. From the Rule Type dropdown list, select Severity Level.
    5. From the Severity Level dropdown list, select High or Higher.
    6. Click OK.
    7. Under Apply the following tag, from the Tag Name dropdown list, select HighSeverity.
    8. Click OK.

To configure the WinDefender tag and tagging rule:
  1. Go to Configuration > Endpoints > ZTNA Tagging > ZTNA Tags. Click Create.
  2. In the Name field, enter WinDefender. Click OK.
  3. Go to the ZTNA Tagging Rules tab. Click Create, and configure the rule:
    1. In the Name field, enter WinDefender.
    2. Under When the following rules match, click Create.
    3. For Operating System, select Windows.
    4. From the Rule Type dropdown list, select Windows Security.
    5. From the Severity Level dropdown list, select Windows Defender is enabled.
    6. Click OK.
    7. Under Apply the following tag, from the Tag Name dropdown list, select WinDefender.
    8. Click OK.
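
The following added example (not Fortinet code and not part of the original page) models the two tagging rules configured above to show which tags different endpoints would receive. The Endpoint fields, the severity ordering, and the sample endpoints are assumptions made for illustration.

```python
# Illustrative model of the HighSeverity and WinDefender tagging rules.
# This is not FortiClient EMS code; field names are hypothetical.
from dataclasses import dataclass, field

# Assumed severity ordering, lowest to highest.
SEVERITY_ORDER = ["Low", "Medium", "High", "Critical"]

@dataclass
class Endpoint:
    name: str
    os: str
    vuln_severities: list = field(default_factory=list)  # severities of detected vulnerabilities
    defender_enabled: bool = False

def at_least(severity, threshold):
    """True when severity ranks at or above threshold."""
    return SEVERITY_ORDER.index(severity) >= SEVERITY_ORDER.index(threshold)

def high_severity_rule(ep):
    # Operating System = Windows, Rule Type = Severity Level, value = High or Higher
    return ep.os == "Windows" and any(at_least(s, "High") for s in ep.vuln_severities)

def win_defender_rule(ep):
    # Operating System = Windows, Rule Type = Windows Security, Defender enabled
    return ep.os == "Windows" and ep.defender_enabled

TAGGING_RULES = {"HighSeverity": high_severity_rule, "WinDefender": win_defender_rule}

def evaluate_tags(ep):
    """Return the set of tags whose rule matches the endpoint."""
    return {tag for tag, rule in TAGGING_RULES.items() if rule(ep)}

# Constructed sample endpoints, not real inventory data.
SAMPLE_ENDPOINTS = [
    Endpoint("win-patched", "Windows", ["Low", "Medium"], defender_enabled=True),
    Endpoint("win-critical", "Windows", ["Critical"], defender_enabled=True),
    Endpoint("win-no-av", "Windows", ["High"], defender_enabled=False),
    Endpoint("mac-unpatched", "macOS", ["Critical"], defender_enabled=False),
]

if __name__ == "__main__":
    for ep in SAMPLE_ENDPOINTS:
        print(f"{ep.name:14} {sorted(evaluate_tags(ep))}")
```

Because both rules are scoped to Windows, an endpoint with no tags is not necessarily a healthy one; it may simply be outside the rules' scope, as the macOS sample shows.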

(Optional) To display tags on the FortiClient endpoint:
  1. Go to Configuration > Endpoints > Profile.
  2. Enable Show tags on FortiClient.
  3. Click Apply. When this option is enabled, detected tags appear on the FortiClient avatar page.
