spoojary
Staff
February 25, 2025

Technical Tip: FortiManager CLI Configuration for ztna-tags-match-logic Not Pushing to FortiGate from CLI

Description This article describes a case where the ztna-tags-match-logic of a ZTNA policy is changed from OR to AND through the FortiManager CLI: the change appears to be applied correctly, but when the install wizard is run the setting reverts to its default and is not pushed to the FortiGate.
Scope FortiGate, FortiManager.
Solution

The changes made through the FortiManager CLI appear correct at first but are not retained after the install wizard runs:

LS-FGT80F-0001 (82) # show
config firewall policy
    edit 82
        set name "ZTNA OUT-TO-IN"
        set uuid 5e4b8564-ec20-51ef-497c-aed81c5bf353
        set srcintf "wan1"
        set dstintf "any"
        set action accept
        set srcaddr "all"
        set dstaddr "TEST-ZTNA"
        set ztna-ems-tag "EMS1_ZTNA_LS_Win11_Tag" "EMS1_ZTNA_TAG-Firewall" "EMS1_ZTNA_TAG-OS"
        set ztna-tags-match-logic and
        set schedule "always"
        set logtraffic all
    next
end

Make sure the change is made in FortiManager's ADOM database rather than directly on the FortiGate, since the install wizard pushes only what the ADOM database holds.

In the FortiManager GUI, the option is under Policy & Objects -> Firewall Policy: open the policy, scroll down, expand Advanced Options, locate the ztna-tags-match-logic setting, and update it as needed.

After updating the setting, run the install wizard; the configuration is now retained and pushed to the FortiGate.
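As an added verification step (example code written for this article, not part of FortiManager or any Fortinet tool), the following Python parses FortiGate `show` output for `config firewall policy` and lists policies whose ztna-tags-match-logic was "and" in the intended configuration but is back to the default "or" on the device after the install. The two config snippets are constructed samples modelled on the output above, and the check assumes, as FortiOS `show` does, that settings left at their default are omitted.

```python
import re

# Constructed samples modelled on the article's `show` output: the policy as
# configured (logic "and") and as seen on the FortiGate after an install that
# dropped the setting back to its default ("or", which `show` omits).
BEFORE_INSTALL = """\
config firewall policy
    edit 82
        set name "ZTNA OUT-TO-IN"
        set ztna-ems-tag "EMS1_ZTNA_LS_Win11_Tag" "EMS1_ZTNA_TAG-Firewall"
        set ztna-tags-match-logic and
    next
end
"""
AFTER_INSTALL = BEFORE_INSTALL.replace("        set ztna-tags-match-logic and\n", "")


def parse_policies(show_output):
    """Parse `config firewall policy` blocks into {policy_id: {setting: value}}.
    A setting with several quoted values (e.g. ztna-ems-tag) becomes a tuple."""
    policies, current = {}, None
    for raw in show_output.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = int(line.split()[1])
            policies[current] = {}
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            values = re.findall(r'"([^"]*)"', value) or [value]
            policies[current][key] = values[0] if len(values) == 1 else tuple(values)
    return policies


def ztna_logic(policy):
    # `show` prints only non-default values; the default for this setting is "or".
    return policy.get("ztna-tags-match-logic", "or")


def find_reverted(before, after):
    """Policy ids that use ZTNA tags with 'and' logic in the intended config but
    no longer have 'and' logic in the config retrieved from the device."""
    intended, actual = parse_policies(before), parse_policies(after)
    return sorted(pid for pid, pol in intended.items()
                  if "ztna-ems-tag" in pol and ztna_logic(pol) == "and"
                  and ztna_logic(actual.get(pid, {})) != "and")
```

Run `find_reverted` on the policy package's `show` output and on a `show` taken from the FortiGate after the install; any policy id it returns is one whose tag match logic was silently reset.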
