Description
This article describes how to use a logical 'AND' for tag matching between primary and secondary ZTNA tags in a firewall policy.
Scope
FortiGate v7.4+.
Solution
When setting up a firewall policy for access control based on IP or MAC addresses that uses several EMS tag types, such as ZTNA tags and classification tags, the tag types can be matched with a logical 'AND'. This is done by organizing each tag type into a primary and a secondary group, which the policy then joins with a logical 'AND' operator.
When multiple tags are selected with the 'set ztna-ems-tag <tags>' command, they are matched with a logical OR: any single matching tag produces a true result. The 'set ztna-tags-match-logic {and | or}' option cannot be used to change this operator; it is applied only by WAD to the tags selected in the ZTNA proxy policy. The 'set ztna-ems-tag-secondary <tags>' option allows a second group of tags to be specified; this secondary group is joined to the primary group with a logical AND.
In this example, IP-based access control is configured to permit clients that have either the 'Win10-Protected' or the 'Win11-Protected' ZTNA tag and, in addition, the 'Low' classification tag.
The below example uses the Standard firewall policy:
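As an added illustration, not configuration taken from the article, the following standard firewall policy is built on the policy shown further down in this article and adds the secondary tag group described above. The policy ID, the policy name and the FortiGate-side name of the 'Low' classification tag (EMS1_ZTNA_Low) are assumptions and must be adapted to the tags EMS actually pushes to the FortiGate.

```text
config firewall policy
    edit 95
        # Assumed policy ID and name; adapt to the target FortiGate.
        set name "IP-Tag-AND-Example"
        set srcintf "port6"
        set dstintf "any"
        set action accept
        set srcaddr "all"
        set dstaddr "Firewall-Policy-ZTNA"
        # Primary group: matched with logical OR (either Windows tag is sufficient).
        set ztna-ems-tag "EMS1_ZTNA_Win10-Protected" "EMS1_ZTNA_Win11-Protected"
        # Secondary group: joined to the primary group with logical AND.
        # Tag name assumed; verify the name EMS pushes to the FortiGate.
        set ztna-ems-tag-secondary "EMS1_ZTNA_Low"
        set schedule "always"
    next
end
```

With this policy, a client matches only if it carries Win10-Protected or Win11-Protected and also carries Low; a client with a Windows tag but a different classification tag does not match.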
The ZTNA firewall policy and the ZTNA proxy policy do not support the secondary ZTNA tag. Instead, the logical operator between the tags applied to these policies can be configured from the CLI with the command 'set ztna-tags-match-logic {or | and}', as in the example below:
FGT1-A (94) # show
config firewall policy
    edit 94
        set name "ZTNA-Firewall-Policy"
        set srcintf "port6"
        set dstintf "any"
        set action accept
        set srcaddr "all"
        set dstaddr "Firewall-Policy-ZTNA"
        set ztna-ems-tag "EMS1_ZTNA_Win10-Protected" "EMS1_ZTNA_Win11-Protected"
        set schedule "always"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set av-profile "Development-AV"
        set nat enable
    next
end

FGT1-A (94) # set ztna-tags-match-logic
OR     Match ZTNA tags using a logical OR operator.
AND    Match ZTNA tags using a logical AND operator.

FGT1-A (94) # set ztna-tags-match-logic
If multiple criteria must be met, the best approach is to use a single tag on the EMS side and add the required rules to that tag, so that only one tag needs to be referenced on the FortiGate and the {OR | AND} logic described above still applies.
To verify the tag matching in a Standard firewall policy:
diagnose firewall iprope list 100004
To verify the tag matching in a ZTNA firewall policy:
diagnose debug enable
From FortiOS v7.6.0, ZTNA tag information is available in traffic logs. Refer to the following documentation for more information: Include EMS tag information in traffic logs

Related documents:
Support logical AND for tag matching between primary and secondary EMS tags in a firewall policy
ZTNA IP MAC based access control example
Copyright 2024 Fortinet, Inc. All Rights Reserved.