Stephan_s
Visitor III
December 21, 2023
Question

ZTNA Tag Groups logic


Dear colleagues,

I'm implementing ZTNA as a VPN replacement and I have questions about ZTNA Tag Groups, and there is only sparse documentation about them. How are ZTNA Tag Groups handled? Is the matching method for tags in the group ALL or ANY? Can anyone give advice on where the best place is to group tags (e.g. logged in and in a certain AD group and AV active)? Is it easier to handle if you group it in EMS and get one tag which contains all the checks, or is it better to group it in the FortiGate?

best

stephan

2 replies

danys1
New Member
December 21, 2023

What are you trying to do? Will the Meraki send all the traffic to the FortiGate for clean pipe solution? Will the hosts running FortiClient be nat'd or will they have unique IPs? This could potentially work depending on what you are trying to accomplish.

Stephan_s (Author)
Visitor III
December 21, 2023

Hi, thank you for your reply.
They will be sometimes NAT'd, sometimes not. It depends on where the backend server is located (directly connected or behind IPsec tunnels).
I just want to give access to services when more than one condition is met. Let's say the user must be logged into the domain, must be part of a certain group, and the device needs to have no vulnerabilities. Those are 3 conditions to meet. Is it more handy to create one tag which you get assigned when you meet all 3 conditions, or is it more handy to group 3 tags into one tag group on the FGT side? It may be no big difference in the beginning, but if it grows to a larger scale, it can make a difference. In the end there will be ~40 AD groups and over 100 services available over ZTNA and a lot of tags. So I'm really wondering about best practice, because all the FortiGate docs only cover tiny setups like 1 group, 3 tags and 3 services.

best, stephan

justenglabs1
Explorer III
December 21, 2023

The logic for ZTNA Tags can be "AND" or "OR." This is how they can be defined in EMS. Depending on how you configure it, the ZTNA Tag Group may require all Tags to match or just one Tag. I am not certain how you would do this on the FortiGate. What version of FortiOS are you working with? I would manage this in EMS since it's straightforward there.

Stephan_s (Author)
Visitor III
December 21, 2023

Thank you for your answer! In the FortiGate you can have simple and full ZTNA policies. In full ZTNA policies you can select whether to match all or any tags. But in simple ZTNA policies there is only an "or". So in my eyes it makes sense to group tags in another place. In EMS you can't create Tag Groups (as far as I see), so you would need to create tags with several conditions. This is quite okay so far, but I'm not sure how easy it will be, if a client doesn't get the expected tag, to find out which condition did not match. So I just wanted to ask others how they managed it and how well it went.


best, stephan
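To make the difference between the two policy types concrete, here is an added FortiOS CLI fragment (not posted by anyone in this thread). It assumes a FortiOS 7.0.x full ZTNA (proxy) policy with the `ztna-tags-match-logic` option, an access proxy already defined, and placeholder tag names synced from EMS; the exact tag-name prefix depends on the EMS/FortiOS version.

```fortios
# Added example, not from the thread. Assumptions: FortiOS 7.0.x CLI, an existing
# access proxy "hr-app-proxy", and placeholder EMS tag names.

# Full ZTNA policy: the client must carry ALL three EMS tags (AND logic).
# The three tags stay separate, so a failed match can be traced to one condition.
config firewall proxy-policy
    edit 1
        set name "hr-app-full-ztna"
        set proxy access-proxy
        set access-proxy "hr-app-proxy"
        set srcintf "port1"
        set srcaddr "all"
        set ztna-ems-tag "EMS1_ZTNA_domain_joined" "EMS1_ZTNA_hr_group" "EMS1_ZTNA_no_vulnerabilities"
        set ztna-tags-match-logic and
        set action accept
    next
end

# Simple ZTNA (IP/MAC-based) firewall policy: listed tags are ORed, so to require
# all three conditions here, define ONE combined tag in EMS and reference only it.
config firewall policy
    edit 2
        set name "hr-app-simple-ztna"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "hr-app-server"
        set ztna-status enable
        set ztna-ems-tag "EMS1_ZTNA_hr_app_all_conditions"
        set service "HTTPS"
        set action accept
        set schedule "always"
    next
end
```

The trade-off the thread describes follows directly: the full policy keeps each condition visible on the FortiGate, while the simple policy pushes the AND into a single EMS tag whose failing sub-condition is only visible in EMS.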