

Support logical AND for tag matching between primary and secondary EMS tags in a firewall policy

Support logical AND for tag matching between primary and secondary EMS tags in a firewall policy

When configuring a firewall policy for IP- or MAC-based access control that uses different EMS tag types (such as ZTNA tags and classification tags), a logical AND can be used for matching. By separating each tag type into a primary group and a secondary group, the two groups are combined with a logical AND operator: a client must match a tag in the primary group and also match a tag in the secondary group for the policy to apply.

In this example, IP-based access control is configured so that only clients that have either the ems133_management_tag or the ems133_running_app_tag ZTNA tag (the primary group), and that also have the CLASS_Classification_001 classification tag (the secondary group), are allowed.

To configure logical AND tag matching in the GUI:
  1. Go to Policy & Objects > Firewall Policy.

  2. Create a new policy, or edit an existing one.

  3. For IP/MAC Based Access Control, click the + and select the desired EMS tags (ems133_management_tag and ems133_running_app_tag).

  4. Set Logical And With Secondary Tags to Specify, and click the + to add the secondary EMS tag (CLASS_Classification_001).

  5. Configure the other settings as needed.

  6. Click OK.

To configure logical AND tag matching in the CLI:
config firewall policy
    edit 3
        set name "0000"
        set srcintf "port2"
        set dstintf "port3"
        set action accept
        set ztna-status enable
        set srcaddr "all"
        set dstaddr "all"
        set ztna-ems-tag "EMS2_ZTNA_ems133_management_tag" "EMS2_ZTNA_ems133_running_app_tag"
        set ztna-ems-tag-secondary "EMS2_CLASS_Classification_001"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
To verify the tag matching in the firewall policy, list the policy in the iprope table and confirm that both the primary (ztna-ems-tag) and secondary (ztna-ems-tag-secondary) address groups appear under the policy, together with the client addresses currently resolved for each tag:
# diagnose firewall iprope list 100004

policy index=2 uuid_idx=16180 action=accept
flag (8050108): redir nat master use_src pol_stats 
flag2 (4000): resolve_sso 
flag3 (a0): link-local best-route 
schedule(always)
cos_fwd=255  cos_rev=255 
group=00100004 av=00004e20 au=00000000 split=00000000
host=4 chk_client_info=0x0 app_list=0 ips_view=0
misc=0
zone(1): 4 -> zone(1): 5 
source(1): 0.0.0.0-255.255.255.255, uuid_idx=16088, 
dest(2): 172.16.200.133-172.16.200.133, uuid_idx=16097, 172.17.254.148-172.17.254.148, uuid_idx=16275, 
service(1): 
        [0:0x0:0/(0,65535)->(0,65535)] flags:0 helper:auto  

policy index=3 uuid_idx=16277 action=accept
flag (8050108): redir nat master use_src pol_stats 
flag2 (4000): resolve_sso 
flag3 (a0): link-local best-route 
schedule(always)
cos_fwd=255  cos_rev=255 
group=00100004 av=00004e20 au=00000000 split=00000000
host=4 chk_client_info=0x0 app_list=0 ips_view=0
misc=0
zone(1): 4 -> zone(1): 5 
source(1): 0.0.0.0-255.255.255.255, uuid_idx=16088, 
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=16088, 
service(1): 
        [0:0x0:0/(0,65535)->(0,65535)] flags:0 helper:auto  
ztna-ems-tag address (2):  uuid_idx=16118
        EMS2_ZTNA_ems133_running_app_tag ID(68) uuid_idx=16122
        EMS2_ZTNA_ems133_management_tag ID(122) ADDR(10.1.100.115) ADDR(10.1.100.117)
ztna-ems-tag-secondary address (1):  uuid_idx=16273
        EMS2_CLASS_Classification_001 ID(108) ADDR(10.1.100.115) 

Support logical AND for tag matching between primary and secondary EMS tags in a firewall policy

When configuring a firewall policy for IP- or MAC-based access control that uses different EMS tag types (such as ZTNA tags and classification tags), a logical AND can be used for matching. By separating each tag type into a primary group and a secondary group, the two groups are combined with a logical AND operator: a client must match a tag in the primary group and also match a tag in the secondary group for the policy to apply.

In this example, IP-based access control is configured so that only clients that have either the ems133_management_tag or the ems133_running_app_tag ZTNA tag (the primary group), and that also have the CLASS_Classification_001 classification tag (the secondary group), are allowed.

To configure logical AND tag matching in the GUI:
  1. Go to Policy & Objects > Firewall Policy.

  2. Create a new policy, or edit an existing one.

  3. For IP/MAC Based Access Control, click the + and select the desired EMS tags (ems133_management_tag and ems133_running_app_tag).

  4. Set Logical And With Secondary Tags to Specify, and click the + to add the secondary EMS tag (CLASS_Classification_001).

  5. Configure the other settings as needed.

  6. Click OK.

To configure logical AND tag matching in the CLI:
config firewall policy
    edit 3
        set name "0000"
        set srcintf "port2"
        set dstintf "port3"
        set action accept
        set ztna-status enable
        set srcaddr "all"
        set dstaddr "all"
        set ztna-ems-tag "EMS2_ZTNA_ems133_management_tag" "EMS2_ZTNA_ems133_running_app_tag"
        set ztna-ems-tag-secondary "EMS2_CLASS_Classification_001"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
To verify the tag matching in the firewall policy, list the policy in the iprope table and confirm that both the primary (ztna-ems-tag) and secondary (ztna-ems-tag-secondary) address groups appear under the policy, together with the client addresses currently resolved for each tag:
# diagnose firewall iprope list 100004

policy index=2 uuid_idx=16180 action=accept
flag (8050108): redir nat master use_src pol_stats 
flag2 (4000): resolve_sso 
flag3 (a0): link-local best-route 
schedule(always)
cos_fwd=255  cos_rev=255 
group=00100004 av=00004e20 au=00000000 split=00000000
host=4 chk_client_info=0x0 app_list=0 ips_view=0
misc=0
zone(1): 4 -> zone(1): 5 
source(1): 0.0.0.0-255.255.255.255, uuid_idx=16088, 
dest(2): 172.16.200.133-172.16.200.133, uuid_idx=16097, 172.17.254.148-172.17.254.148, uuid_idx=16275, 
service(1): 
        [0:0x0:0/(0,65535)->(0,65535)] flags:0 helper:auto  

policy index=3 uuid_idx=16277 action=accept
flag (8050108): redir nat master use_src pol_stats 
flag2 (4000): resolve_sso 
flag3 (a0): link-local best-route 
schedule(always)
cos_fwd=255  cos_rev=255 
group=00100004 av=00004e20 au=00000000 split=00000000
host=4 chk_client_info=0x0 app_list=0 ips_view=0
misc=0
zone(1): 4 -> zone(1): 5 
source(1): 0.0.0.0-255.255.255.255, uuid_idx=16088, 
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=16088, 
service(1): 
        [0:0x0:0/(0,65535)->(0,65535)] flags:0 helper:auto  
ztna-ems-tag address (2):  uuid_idx=16118
        EMS2_ZTNA_ems133_running_app_tag ID(68) uuid_idx=16122
        EMS2_ZTNA_ems133_management_tag ID(122) ADDR(10.1.100.115) ADDR(10.1.100.117)
ztna-ems-tag-secondary address (1):  uuid_idx=16273
        EMS2_CLASS_Classification_001 ID(108) ADDR(10.1.100.115)