Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
nkorea
Staff
Staff

Created on ‎11-26-2023 10:20 PM Edited on ‎11-26-2023 10:29 PM By Community Manager

Article Id 286192

Technical Tip: Logical 'AND' for tag matching between primary and secondary ZTNA Tags in a firewall policy

Description

This article describes how to use Logical 'AND' for tag matching between primary and secondary ZTNA Tags in a firewall policy.
Scope FortiGate v7.4+.
Solution

When setting up a firewall policy for access control based on IP or MAC addresses and utilizing various EMS tag types like ZTNA tags and classification tags, a logical 'AND' for matching can be utilized. This involves organizing each tag type into primary and secondary groups, enabling the use of a logical 'AND' operator to match the different tag types.

 

When multiple tags are selected using the 'set ztna-ems-tag <tags>' command, matching is performed using a logical OR operator. This means that any single matching tag will result in a true outcome.

The 'set ztna-tags-match-logic {and | or}' option cannot be utilized to modify the logical operator; it is specifically applied by WAD to the tags selected for the ZTNA proxy-policy.

By default, the 'set ztna-ems-tag-secondary <tags>' option allows the specification of a second group of tags.

The logical AND operator is used to join this secondary group with the primary group

 

In this instance, access control based on IP is set up to permit clients with either the 'Win10-Protected' or 'Win11-Protected' ZTNA tag and additionally, the 'Low' classification tag.

 

The below example uses the Standard firewall policy:

 

nkorea_0-1701036255875.png

 

The ZTNA Firewall policy or ZTNA proxy policy does not support the secondary ZTNA tag. Instead, the logical operator can be configured between the tags applied to the policies from CLI with the command ‘set ztna-tags-match-logic to {OR | AND}’ as per the example below:

 

nkorea_1-1701036255879.png

 

FGT1-A (94) # show

config firewall policy

    edit 94

        set name "ZTNA-Firewall-Policy"

        set srcintf "port6"

        set dstintf "any"

        set action accept

        set srcaddr "all"

        set dstaddr "Firewall-Policy-ZTNA"

        set ztna-ems-tag "EMS1_ZTNA_Win10-Protected" "EMS1_ZTNA_Win11-Protected"

        set schedule "always"

        set utm-status enable

        set ssl-ssh-profile "deep-inspection"

        set av-profile "Development-AV"

        set nat enable

    next

end

 

FGT1-A (94) # set ztna-tags-match-logic

 

OR: Match ZTNA tags using a logical OR operator.

AND: Match ZTNA tags using a logical AND operator.

 

FGT1-A (94) # set ztna-tags-match-logic

 

If multiple criteria must be met, the best approach is to make use of one TAG on the EMS side and add rules so that one tag can be used on FortiGate and follow the logic of {OR | AND}

 

nkorea_2-1701036255884.png

 

To verify the tag matching in a Standard firewall policy:

 

diagnose firewall iprope list 100004

 

To verify the tag matching in a ZTNA firewall policy:

 

diagnose debug enable
diagnose test application wad 2200
diagnose test application wad 101

 

Related documents:
Support logical AND for tag matching between primary and secondary EMS tags in a firewall policy
ZTNA IP MAC based access control example
291
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.