Firewall sessions with ZTNA Tag changes
Hello everyone,
I had a FortiClient EMS implementation for a client which required configuration of regular firewall rules with ZTNA Tags, no use of ZTNA Servers, plain old classic rules with just an extra layer of security/compliance.
The implementation worked as expected, but the question raised was: what happens when the client doesn't have the security posture tag anymore while sessions are active/accepted?
Well, at first the situation was quite obvious: as long as a session was active/didn't expire, it would still work even though the tag based on which the access was granted was no longer present; after it expired or was manually cleared, the next initiated connection would fail until the computer/client had the correct tag.
This situation made me do a little research and led me to this article, which should solve it: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-remove-allowed-existing-sessions-after-ZTNA/ta-p/362819
I tried to replicate a similar situation in my lab (FGT 7.4.8 / EMS 7.4.3 / FCT 7.4.3) following the guide, and it doesn't quite seem to work as intended, which from my understanding was that after 10s, if the ZTNA Tag was changed, the policy would be re-evaluated and traffic would be dropped; but it didn't work until the existing session expired, although new sessions would be dropped.
The other way, non-compliant to compliant tag, works almost instantly after the tag gets applied and telemetry receives it and sends it to the FGT.
Has anyone else tried to implement a similar setup and had it work?
Maybe I'm doing something wrong; I would happily share some outputs of the dynamic list / firewall rules and sessions that I captured during the test, which was performed with ICMP/SSH with a user connected to IPsec VPN.
