Article Id 286192

This article describes how to use Logical 'AND' for tag matching between primary and secondary ZTNA Tags in a firewall policy.

Scope: FortiGate v7.4+.

When setting up a firewall policy for access control based on IP or MAC addresses that uses several EMS tag types, such as ZTNA tags and classification tags, the tag types can be matched with a logical 'AND'. Each tag type is placed in a primary or a secondary group, and the two groups are then joined with a logical 'AND' operator.


When multiple tags are selected using the 'set ztna-ems-tag <tags>' command, matching is performed using a logical OR operator. This means that any single matching tag will result in a true outcome.

The 'set ztna-tags-match-logic {and | or}' option cannot be used to change this logical operator; WAD applies it specifically to the tags selected for the ZTNA proxy-policy.

By default, the 'set ztna-ems-tag-secondary <tags>' option allows the specification of a second group of tags.

The logical AND operator is used to join this secondary group with the primary group.


In this instance, IP-based access control is set up to permit clients that have either the 'Win10-Protected' or the 'Win11-Protected' ZTNA tag and, additionally, the 'Low' classification tag.


The below example uses the Standard firewall policy:




The ZTNA firewall policy and the ZTNA proxy policy do not support the secondary ZTNA tag. Instead, the logical operator between the tags applied to these policies can be configured from the CLI with the command 'set ztna-tags-match-logic {or | and}', as in the example below:




FGT1-A (94) # show
config firewall policy
    edit 94
        set name "ZTNA-Firewall-Policy"
        set srcintf "port6"
        set dstintf "any"
        set action accept
        set srcaddr "all"
        set dstaddr "Firewall-Policy-ZTNA"
        set ztna-ems-tag "EMS1_ZTNA_Win10-Protected" "EMS1_ZTNA_Win11-Protected"
        set schedule "always"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set av-profile "Development-AV"
        set nat enable




FGT1-A (94) # set ztna-tags-match-logic


OR: Match ZTNA tags using a logical OR operator.

AND: Match ZTNA tags using a logical AND operator.


FGT1-A (94) # set ztna-tags-match-logic


If multiple criteria must be met, the best approach is to use one tag on the EMS side and add rules to it, so that a single tag can be used on FortiGate and follow the {OR | AND} logic.
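The matching rules described above, modelled as an added example (not Fortinet code or FortiGate output), showing which endpoints each way of configuring the three tags would admit. The tag names are the article's; the endpoint names and their tag assignments are constructed, and OR-matching inside the secondary group is an assumption.

```python
# Added illustration: a model of the tag-matching rules described in this article.
# Tag names are the article's; endpoint names and tag assignments are constructed.

def match_standard(endpoint_tags, primary, secondary=()):
    """Standard firewall policy: any tag in ztna-ems-tag (OR), AND-joined
    with ztna-ems-tag-secondary when a secondary group is set."""
    tags = set(endpoint_tags)
    primary_hit = bool(tags & set(primary))
    # Assumption: tags inside the secondary group are OR'ed like the primary group.
    secondary_hit = bool(tags & set(secondary)) if secondary else True
    return primary_hit and secondary_hit

def match_ztna(endpoint_tags, policy_tags, logic="or"):
    """ZTNA policy: one flat tag list combined by ztna-tags-match-logic."""
    tags, wanted = set(endpoint_tags), set(policy_tags)
    return wanted <= tags if logic == "and" else bool(tags & wanted)

WIN10, WIN11, LOW = "Win10-Protected", "Win11-Protected", "Low"

# Constructed endpoints and the tags EMS would have assigned to them.
ENDPOINTS = {
    "pc-a": {WIN10, LOW},
    "pc-b": {WIN11, LOW},
    "pc-c": {WIN10},   # protected, but no 'Low' classification
    "pc-d": {LOW},     # classified 'Low', but not a protected OS
}

def admitted(rule):
    """Return the sorted endpoint names for which rule(tags) is true."""
    return sorted(name for name, tags in ENDPOINTS.items() if rule(tags))

def audit():
    all_three = [WIN10, WIN11, LOW]
    return {
        # Intended rule: (Win10 OR Win11) AND Low
        "primary+secondary": admitted(lambda t: match_standard(t, [WIN10, WIN11], [LOW])),
        # All three tags in the primary group are OR'ed, which widens access
        "all-in-primary": admitted(lambda t: match_standard(t, all_three)),
        "ztna-logic-or": admitted(lambda t: match_ztna(t, all_three, "or")),
        "ztna-logic-and": admitted(lambda t: match_ztna(t, all_three, "and")),
    }

if __name__ == "__main__":
    for name, hosts in audit().items():
        print(f"{name:18} -> {hosts}")
```

Only the primary and secondary split admits exactly the two intended endpoints: a flat OR over the three tags also admits the endpoint without the 'Low' classification and the one without a protected-OS tag, and a flat AND admits none.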




To verify the tag matching in a Standard firewall policy:


diagnose firewall iprope list 100004


To verify the tag matching in a ZTNA firewall policy:


diagnose debug enable
diagnose test application wad 2200
diagnose test application wad 101


