To use TAGs for ZTNA traffic on a VDOM with VDOM Partitioning in v7.4.0 or below, it is necessary to ensure that the VDOM that implements the TAG is on the same partition (same virtual cluster) as the management VDOM. Otherwise, the VDOM will not be able to retrieve TAG information from FortiClient EMS.

If the FortiGate is running v7.2.x and earlier firmware versions and has enabled multi-vdom, it is not possible to configure FortiClient EMS and FortiClient EMS Cloud on other VDOMs rather than Global VDOM. Enabling override under 'endpoint-control' settings via CLI is not an option :

v7.4.0 introduced a new feature that allows for the configuration of FortiClient EMS and FortiClient EMS Cloud on a per-VDOM basis.

There are some pre-requisites:

• V7.4.x and 7.6.x and later.
• Override should be configured for each VDOM that connects to an EMS server.
• FortiClient EMS v7.2.1 and later

Override can be enabled under endpoint-control settings as per the following:

config endpoint-control settings
    set override {enable | disable}
end

See the 'configuring FortiClient EMS and FortiClient EMS Cloud on a per-VDOM basis' section in the FortiGate... for more information.