This article describes How to delete ZTNA Tags on FortiGate.

FortiGate, EMS v7.0+, v7.2+, 7.4+, 7.6+

FortiGate offers two approaches to deleting ZTNA tags, but the options on the graphical user interface (GUI) are currently degraded while deleting the tags as shown below:

Method 1:  Running the following Commands on FortiGate and removing the tags with the following options.

FGT1-A (global) # diagnose endpoint tags remove-by-
remove-by-sn Remove Dynamic address tags by Serial Number (LEGACY).
remove-by-id Remove Dynamic address tags by EMS ID.
remove-by-name Remove specific tag by EMS ID and name.
remove-by-name-legacy Remove specific tag by Serial Number and name (LEGACY).

Method 2: Log in to EMS, select 'Zero Trust Tags', and select  'Zero Trust Tagging'.

First, delete the tagging rule and then delete the TAG from the EMS.

In the example below, the ZTNA Tag named 'Vulnerable_Devices' will be deleted.

1. Select Vulnerable_Devices and select 'Delete': this deletes the tagging rule, not the tag itself

2.  Select 'Manage Tags' and then delete the TAG.

This triggers an API call (notification object-id 12) to FortiGate, which marks the tag 'dirty' and if not referenced anywhere, it will be deleted.

However, if there is no connectivity for the EMS connector, then it will not process that API call.

Additionally, if the EMS connector has been moved to an ID other than the one referenced in the ZTNA tag, it may cause 'orphan' tags.

Re-enabling the EMS Fabric Connector in FortiGate with the same ID as the orphan ZTNA Tag will trigger a sync from EMS to FortiGate, which should remove any stale entries for Tags that have been removed in EMS and are not referenced in FortiGate.