Author: nevan (Staff)
Article Id 419462
Description
This article describes the 'ztna-ems-tag-negate' option, which lets an allow or deny policy match traffic when a specified EMS tag is not present on the endpoint.
Scope
FortiOS 7.6.1+.
Solution

Firewall policies with EMS tags normally evaluate the tags synced from the EMS. A tag, together with the IP and MAC information of the endpoints carrying it, can be viewed with the CLI command 'diagnose firewall dynamic list'. Once the tag is available on the FortiGate, 'ztna-ems-tag-negate' can be enabled so that the policy denies traffic from endpoints that do not carry the corresponding tag.

The negation option is only displayed when a tag is configured and is automatically hidden if the ztna-ems-tag field is empty.

CLI Config:

config firewall proxy-policy
    edit <id>
        set ztna-ems-tag WINDOWS_EMS_TAG
        set ztna-ems-tag-negate enable
        set action deny
    next
end

The 'ztna-ems-tag-negate' option adds a logical 'NOT' condition to ZTNA EMS tag checks within the policies. When enabled, the proxy policy is evaluated as a match if the client does not have the configured EMS tag. This enables administrators to implement policies such as:

  • Denying access to devices missing critical security posture tags

  • Redirecting or isolating non-compliant endpoints

  • Presenting a custom access-denied page explaining missing requirements

The option is automatically hidden when no EMS tag is configured, which keeps the configuration valid and avoids leaving unused settings behind.

With the above configuration:

  • With 'ztna-ems-tag' set to 'WINDOWS_EMS_TAG' and 'ztna-ems-tag-negate' enabled, the policy matches only if the client does not have the EMS tag 'WINDOWS_EMS_TAG'.
  • With 'ztna-ems-tag' set to 'WINDOWS_EMS_TAG' and 'ztna-ems-tag-negate' disabled, the policy matches only clients that do have the 'WINDOWS_EMS_TAG' tag.
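The matching rule above is easy to misread when a policy list is evaluated top-down, so here is a small model of it as an added example. This is constructed Python, not FortiOS code or Fortinet's implementation: the policy and endpoint records, the endpoint data standing in for 'diagnose firewall dynamic list' output, and the first-match evaluation order are all assumptions used to illustrate the semantics the article states (negate enabled: match when the tag is absent; negate disabled: match when the tag is present).

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Endpoint:
    """Constructed stand-in for one endpoint as listed by
    'diagnose firewall dynamic list': IP, MAC and the EMS tag names synced for it."""
    ip: str
    mac: str
    tags: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class ProxyPolicy:
    """Minimal model of the 'config firewall proxy-policy' fields used here
    (hypothetical field names mirror the CLI settings)."""
    policy_id: int
    ztna_ems_tag: Optional[str]   # None models an empty 'ztna-ems-tag' field
    ztna_ems_tag_negate: bool     # True models 'set ztna-ems-tag-negate enable'
    action: str                   # 'accept' or 'deny'


def tag_condition_matches(policy: ProxyPolicy, endpoint: Endpoint) -> bool:
    """True if the EMS-tag part of the policy matches this endpoint.

    Negate disabled: the policy matches when the tag IS present.
    Negate enabled:  the policy matches when the tag is NOT present. This
    includes an endpoint with no synced tags at all (for example, before the
    EMS sync completes), so a negated deny policy fails closed for it.
    """
    if policy.ztna_ems_tag is None:
        # With no tag configured FortiOS hides the negate option; the policy
        # has no tag condition, so this clause does not restrict matching.
        return True
    has_tag = policy.ztna_ems_tag in endpoint.tags
    return (not has_tag) if policy.ztna_ems_tag_negate else has_tag


def first_matching_policy(policies: List[ProxyPolicy],
                          endpoint: Endpoint) -> Optional[Tuple[int, str]]:
    """Top-down, first-match evaluation (an assumed simplification of policy
    lookup): returns (policy id, action) of the first match, or None."""
    for policy in policies:
        if tag_condition_matches(policy, endpoint):
            return policy.policy_id, policy.action
    return None


# Constructed policy list: the article's negated deny first, then an allow
# for endpoints that carry the tag (negate disabled).
POLICIES = [
    ProxyPolicy(1, "WINDOWS_EMS_TAG", ztna_ems_tag_negate=True, action="deny"),
    ProxyPolicy(2, "WINDOWS_EMS_TAG", ztna_ems_tag_negate=False, action="accept"),
]

# Constructed endpoints (sample addresses, not real hosts).
COMPLIANT = Endpoint("10.0.0.10", "00:11:22:33:44:55",
                     frozenset({"WINDOWS_EMS_TAG", "AV_UP_TO_DATE"}))
NON_COMPLIANT = Endpoint("10.0.0.11", "00:11:22:33:44:66",
                         frozenset({"AV_UP_TO_DATE"}))
UNSYNCED = Endpoint("10.0.0.12", "00:11:22:33:44:77")  # no tags resolved yet


if __name__ == "__main__":
    for name, ep in (("compliant", COMPLIANT),
                     ("non-compliant", NON_COMPLIANT),
                     ("unsynced", UNSYNCED)):
        print(f"{name:14s} {ep.ip:12s} -> {first_matching_policy(POLICIES, ep)}")
```

Running it shows the compliant endpoint skipping policy 1 and landing on the accept in policy 2, while both the non-compliant endpoint and the endpoint whose tags have not yet resolved from EMS hit the negated deny. That last case is the practical check to keep in mind when deploying a negated deny: an endpoint whose tag has not synced is treated exactly like one that never had it.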


Note: The feature was initially added for 'config firewall proxy-policy' and was later added to 'config firewall policy' as well.

Related articles:
Troubleshooting Tip : ZTNA TAG not resolving in FortiGate from EMS 'Error: http code 500'
Technical Tip: Unable to match firewall policy with ZTNA type
