Potato168
Explorer
May 18, 2026
Question

How to know the reason why a tag was assigned/unassigned to an EMS client?


Hi all,

I am using FortiClient EMS Cloud with FortiGate to achieve ZTNA.

We have some endpoints whose tags changed for some reason, and we wanna know the reason to resolve the issue.

But it seems the Fortinet log only says that a tag was assigned/unassigned to an EMS client.

How could I know the details rather than "guess how" or "open a TAC ticket"?

5 replies

funkylicious
SuperUser
May 18, 2026

Well, what are the conditions/rules for the tags Trusted/Untrusted in EMS to be assigned?

"jack of all trades, master of none"
AEK
SuperUser
May 18, 2026

Hi Potato

If a tag has changed, that means the status of the related "thing" on the client has changed (e.g.: AV down, new detected vuln, … etc).

If you need more debug logs, try enabling the following in the client's system profile:

AEK
sjoshi
Staff
May 19, 2026

Maybe you can look into the FortiClient diagnostic output and enable debug mode on the EMS.

Thanks, Salon
alejandro404
New Member
May 19, 2026

As an easy way to pinpoint the culprit rule, you could temporarily set individual rule tags just for the diagnostics. For example:
Assuming that the Trusted tag is a combination of rules like: (AV on) and (Firewall on) and (OS = windows11), you could set individual rule tags to help in the diagnostic:
AV_tag = AV on
FW_tag = Firewall on
OS_tag = OS windows11
When the Trusted tag is unassigned, one of these rule tags should also be unassigned and both will be seen in that log, that way identifying at least which rule is the one failing.
After the diagnostic is complete, just disable these individual tags or delete them.
Not ideal, but not too complicated to implement to isolate the individual rule triggering the unassign log.
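
The correlation described in the post above, as an added example that is not part of the original post and not Fortinet code: for every unassign of the composite tag, it lists the diagnostic tags unassigned on the same endpoint within a short window. The event tuple layout, the endpoint names and the two-minute window are assumptions; the sample events are constructed and do not reproduce the EMS log format.

```python
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, endpoint, tag, action).
# Assumed layout for illustration only, not the EMS log format.
EVENTS = [
    ("2026-05-18T09:00:00", "PC-01", "AV_tag", "assigned"),
    ("2026-05-18T09:00:00", "PC-01", "FW_tag", "assigned"),
    ("2026-05-18T09:00:00", "PC-01", "OS_tag", "assigned"),
    ("2026-05-18T09:00:01", "PC-01", "Trusted", "assigned"),
    ("2026-05-18T10:15:03", "PC-01", "FW_tag", "unassigned"),
    ("2026-05-18T10:15:04", "PC-01", "Trusted", "unassigned"),
    ("2026-05-18T11:30:00", "PC-02", "Trusted", "unassigned"),
    ("2026-05-18T14:00:00", "PC-01", "AV_tag", "unassigned"),
]

COMPOSITE = "Trusted"                      # tag built from several rules
DIAG_TAGS = {"AV_tag", "FW_tag", "OS_tag"}  # temporary one-rule-per-tag tags
WINDOW = timedelta(minutes=2)              # assumed correlation window


def find_culprits(events, composite=COMPOSITE, diag_tags=DIAG_TAGS,
                  window=WINDOW):
    """Return (endpoint, time, [diagnostic tags]) per composite unassign.

    An empty list means no diagnostic tag changed near that event, so the
    rule tags in place do not explain the change on that endpoint.
    """
    parsed = [(datetime.fromisoformat(ts), ep, tag, act)
              for ts, ep, tag, act in events]
    results = []
    for ts, ep, tag, act in parsed:
        if tag != composite or act != "unassigned":
            continue
        culprits = sorted({
            t for ts2, ep2, t, act2 in parsed
            if ep2 == ep and t in diag_tags and act2 == "unassigned"
            and abs(ts2 - ts) <= window
        })
        results.append((ep, ts.isoformat(), culprits))
    return results


if __name__ == "__main__":
    for endpoint, when, culprits in find_culprits(EVENTS):
        print(endpoint, when, culprits or "no diagnostic tag changed")
```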

vpolovnikov
Staff & Editor
May 28, 2026