Support logical AND for tag matching between primary and secondary EMS tags in a firewall policy
When configuring a firewall policy for IP- or MAC-based access control that uses different EMS tag types (such as ZTNA tags and classification tags), a logical AND can be used for matching. Separating the tag types into a primary group and a secondary group causes the two groups to be matched with a logical AND operator: a client must carry a tag from the primary group and a tag from the secondary group.
In this example, IP-based access control is configured by allowing only clients that have the ems133_management_tag OR ems133_running_app_tag ZTNA tag, AND the CLASS_Classification_001 classification tag.
To configure logical AND tag matching in the GUI:
- Go to Policy & Objects > Firewall Policy.
- Create a new policy, or edit an existing one.
- For IP/MAC Based Access Control, click the + and select the desired EMS tags (ems133_management_tag and ems133_running_app_tag).
- Set Logical And With Secondary Tags to Specify, and click the + to add the secondary EMS tag (CLASS_Classification_001).
- Configure the other settings as needed.
- Click OK.
To configure logical AND tag matching in the CLI:
config firewall policy
    edit 3
        set name "0000"
        set srcintf "port2"
        set dstintf "port3"
        set action accept
        set ztna-status enable
        set srcaddr "all"
        set dstaddr "all"
        set ztna-ems-tag "EMS2_ZTNA_ems133_management_tag" "EMS2_ZTNA_ems133_running_app_tag"
        set ztna-ems-tag-secondary "EMS2_CLASS_Classification_001"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
To verify the tag matching in the firewall policy:
# diagnose firewall iprope list 100004
policy index=2 uuid_idx=16180 action=accept
flag (8050108): redir nat master use_src pol_stats
flag2 (4000): resolve_sso
flag3 (a0): link-local best-route
schedule(always)
cos_fwd=255 cos_rev=255
group=00100004 av=00004e20 au=00000000 split=00000000
host=4 chk_client_info=0x0 app_list=0 ips_view=0
misc=0
zone(1): 4 -> zone(1): 5
source(1): 0.0.0.0-255.255.255.255, uuid_idx=16088,
dest(2): 172.16.200.133-172.16.200.133, uuid_idx=16097, 172.17.254.148-172.17.254.148, uuid_idx=16275,
service(1):
        [0:0x0:0/(0,65535)->(0,65535)] flags:0 helper:auto
policy index=3 uuid_idx=16277 action=accept
flag (8050108): redir nat master use_src pol_stats
flag2 (4000): resolve_sso
flag3 (a0): link-local best-route
schedule(always)
cos_fwd=255 cos_rev=255
group=00100004 av=00004e20 au=00000000 split=00000000
host=4 chk_client_info=0x0 app_list=0 ips_view=0
misc=0
zone(1): 4 -> zone(1): 5
source(1): 0.0.0.0-255.255.255.255, uuid_idx=16088,
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=16088,
service(1):
        [0:0x0:0/(0,65535)->(0,65535)] flags:0 helper:auto
ztna-ems-tag address (2):
        uuid_idx=16118 EMS2_ZTNA_ems133_running_app_tag ID(68)
        uuid_idx=16122 EMS2_ZTNA_ems133_management_tag ID(122)
                ADDR(10.1.100.115)
                ADDR(10.1.100.117)
ztna-ems-tag-secondary address (1):
        uuid_idx=16273 EMS2_CLASS_Classification_001 ID(108)
                ADDR(10.1.100.115)
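The diagnose output lists the resolved client addresses under each tag group separately, so checking which clients actually satisfy the primary-AND-secondary rule means intersecting the two address sets. The following parser is an added example, not FortiOS code; it assumes the ADDR lines under a group are the union of addresses carrying any tag in that group (primary tags are ORed), and it uses a constructed excerpt of the output above as input.

```python
import re

# Constructed sample: the tag sections of the diagnose output above,
# trimmed to the lines the parser needs.
SAMPLE_OUTPUT = """\
policy index=3 uuid_idx=16277 action=accept
ztna-ems-tag address (2):
        uuid_idx=16118 EMS2_ZTNA_ems133_running_app_tag ID(68)
        uuid_idx=16122 EMS2_ZTNA_ems133_management_tag ID(122)
                ADDR(10.1.100.115)
                ADDR(10.1.100.117)
ztna-ems-tag-secondary address (1):
        uuid_idx=16273 EMS2_CLASS_Classification_001 ID(108)
                ADDR(10.1.100.115)
"""

TAG_LINE = re.compile(r"uuid_idx=\d+\s+(\S+)\s+ID\(\d+\)")
ADDR_LINE = re.compile(r"ADDR\(([\d.]+)\)")


def parse_tag_groups(output):
    """Return {'primary': (tags, addrs), 'secondary': (tags, addrs)} parsed
    from the ztna-ems-tag / ztna-ems-tag-secondary sections of one policy."""
    groups = {"primary": (set(), set()), "secondary": (set(), set())}
    current = None
    for line in output.splitlines():
        stripped = line.strip()
        if stripped.startswith("policy index="):
            current = None          # a new policy block ends any tag section
        elif stripped.startswith("ztna-ems-tag-secondary address"):
            current = "secondary"
        elif stripped.startswith("ztna-ems-tag address"):
            current = "primary"
        elif current is not None:
            m = TAG_LINE.search(stripped)
            if m:
                groups[current][0].add(m.group(1))
                continue
            m = ADDR_LINE.search(stripped)
            if m:
                groups[current][1].add(m.group(1))
    return groups


def effective_clients(output):
    """Addresses the policy admits: any primary tag (OR) AND any secondary tag.
    Assumption: with no secondary tags configured, only the primary group applies."""
    g = parse_tag_groups(output)
    primary_tags, primary_addrs = g["primary"]
    secondary_tags, secondary_addrs = g["secondary"]
    if not secondary_tags:
        return set(primary_addrs)
    return primary_addrs & secondary_addrs
```

For the output above only 10.1.100.115 passes: 10.1.100.117 carries a ZTNA tag but not the classification tag, so the AND excludes it.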