Technical Tip: Security posture tags behavior when installing a FortiManager to a FortiGate
Description
This article describes a difference in behavior between FortiManager versions when installing to FortiGate. The difference relates to Security Posture Tags (called ZTNA Tags in version 7.2).
Scope
FortiManager v7.4 and v7.6.
Solution
In this setup, FortiGate is not yet connected to FortiClient EMS. FortiManager connects to FortiClient EMS first and imports the tags, which are then installed to FortiGate.
Add the FortiClient EMS under Policy & Objects -> Security Fabric -> Fabric Connectors -> FortiClient EMS, select Apply & Refresh, and import all the tags.


The tags can be observed under Policy & Objects -> Firewall Objects -> Security Posture Tags, which lists several categories, including Zero Trust, Outbreak Alert, Fabric, and Classification.
Only Zero Trust categories are added manually in FortiClient EMS. The others are either default or from FortiGuard.

 
In FortiManager v7.4.x, if the tags are used in the policies and an installation is performed, only the used tags are installed to the FortiGate.



In FortiManager v7.6.x, the behavior is different: all tags imported from FortiClient EMS are installed to the FortiGate.

  


