SPA with a FortiGate SD-WAN Deployment Guide

Using ZTNA tags to configure dynamic policies


You can use tags to build dynamic policies that you do not need to manually reconfigure whenever an endpoint’s status changes. For example, consider that you want to deny Windows endpoints that FortiClient detects as not having antivirus (AV) installed and running from accessing private applications behind the FortiGate hub. You would configure the following:

  • Rule that applies a SASE-Compliant tag to Windows endpoints that FortiClient detects as having AV software installed and running
  • Rule that applies a SASE-Non-Compliant tag to Windows endpoints that FortiClient detects as not having AV software installed
  • Private access policy that allows Windows endpoints with the SASE-Compliant tag to access a specific server behind the FortiGate hub
  • Private access policy that denies Windows endpoints with the SASE-Non-Compliant tag from accessing a specific server behind the FortiGate hub

As FortiSASE receives information from endpoints, it dynamically removes and applies the SASE-Non-Compliant tag to endpoints. For example, if an endpoint that previously had the SASE-Non-Compliant tag applied has its AV software installed or enabled as detected by FortiClient, then FortiSASE automatically removes the SASE-Non-Compliant tag from the endpoint and applies the SASE-Compliant tag instead. Consequently, the endpoint would then be able to access private applications behind the FortiGate hub.

Therefore, a dynamic policy is a policy that has one or more zero trust network access tags specified as its source.

For details on configuring dynamic tags and policies, see Tagging.
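The following is an added model of the tag-then-policy flow described above; it is not FortiSASE or FortiClient code. It assumes a constructed endpoint record, two complementary tagging rules (so an endpoint never holds both tags at once), a hypothetical destination name `app-server`, first-match policy evaluation, and an implicit deny when no policy matches, which is what happens to an endpoint carrying neither tag.

```python
from dataclasses import dataclass, field

@dataclass
class Endpoint:
    """Constructed posture record as FortiClient might report it (not a real schema)."""
    name: str
    os: str
    av_installed: bool
    av_running: bool
    tags: set = field(default_factory=set)

# Tagging rules: (tag, condition). Tags are recomputed on every posture update,
# so a tag is dropped as soon as its condition stops holding.
TAG_RULES = [
    ("SASE-Compliant", lambda e: e.os == "Windows" and e.av_installed and e.av_running),
    ("SASE-Non-Compliant", lambda e: e.os == "Windows" and not (e.av_installed and e.av_running)),
]

# Private access policies: (source tag, destination, action), evaluated top-down.
POLICIES = [
    ("SASE-Compliant", "app-server", "allow"),
    ("SASE-Non-Compliant", "app-server", "deny"),
]

def retag(endpoint: Endpoint) -> set:
    """Re-derive the endpoint's tags from its current posture."""
    endpoint.tags = {tag for tag, cond in TAG_RULES if cond(endpoint)}
    return endpoint.tags

def evaluate(endpoint: Endpoint, destination: str) -> str:
    """Return the action of the first policy whose source tag the endpoint holds."""
    retag(endpoint)
    for tag, dest, action in POLICIES:
        if tag in endpoint.tags and dest == destination:
            return action
    return "deny"  # no matching policy: the endpoint has no route to the application

def update_posture(endpoint: Endpoint, av_installed: bool, av_running: bool) -> str:
    """Simulate FortiClient reporting a posture change; the decision follows the tag."""
    endpoint.av_installed = av_installed
    endpoint.av_running = av_running
    return evaluate(endpoint, "app-server")

if __name__ == "__main__":
    ep = Endpoint("win-1", "Windows", av_installed=False, av_running=False)
    print(evaluate(ep, "app-server"), sorted(ep.tags))   # deny ['SASE-Non-Compliant']
    print(update_posture(ep, True, True), sorted(ep.tags))  # allow ['SASE-Compliant']
```

Note that an endpoint that matches no tagging rule (a non-Windows host in this model) holds no tag and therefore matches neither policy, so it falls to the implicit deny; check the tag rules cover every platform you intend to grant access.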
