Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
AlPhiMe
Staff
Staff

Created on ‎08-27-2024 07:15 AM Edited on ‎12-05-2024 09:23 PM By Community Manager

Article Id 336693

Technical Tip: Using logical 'and' with ZTNA Security Tags and Security Tag Groups

Description This article describes and clarifies the behavior of the logical and operator when combining ZTNA Security Tags with Security Tag Groups.
Scope ZTNA, Explicit-Proxy, proxy-policy.
Solution

FortiOS introduces a logical 'and' operator for Security Tags for full proxy policies.

See the documentation.

 

When configuring a proxy policy on FortiGate, it is possible to combine Security Tags with Security Tag groups.

 

config firewall address

edit "EMS_A"

set type dynamic
set sub-type ems-tag

next

edit "EMS_B"

set type dynamic
set sub-type ems-tag

next

edit "EMS_C"

set type dynamic
set sub-type ems-tag

next

edit "EMS_D"

set type dynamic
set sub-type ems-tag

next

edit "TAG_group"

set category ztna-ems-tag
set member "EMS_C" "EMS_D"

next

end

config firewall proxy-policy

edit 1

set proxy access-proxy
set access-proxy "Test_Proxy"
set srcintf "any"
set srcaddr "all"
set dstaddr "all"
set ztna-ems-tag "EMS_A" "EMS_B" "TAG_group"
set ztna-tags-match-logic and
set action accept
set schedule "always"
set logtraffic all

next

end

 

In this case, 'EMS_A', 'EMS_B', and 'TAG_group' will be logically connected with a logical 'and' operator, but the members ('EMS_C' and 'EMS_D') of the Security Tag Group will not: they will be connected with a logical 'or'. 

 

This means that if only one or more members match in this Security Tag group, the logical state of TAG_group would be true, and FortiGate would allow access even if only one member matches (for example: EMS_C is applied to the client, but EMS_D is not).

 

diagnose test application fcnacd 7
[...]
2024-08-27 12:25:55 idx:0, ttdl:1 name:EMS_A
2024-08-27 12:25:55 idx:3, ttdl:1 name:EMS_B
2024-08-27 12:25:55 idx:6, ttdl:1 name:EMS_C
[...]

 

If Security Tags must have been applied to the client requesting access to the proxy (for example EMS_A, EMS_B, EMS_C, and EMS_D)...

 

diagnose test application fcnacd 7
[...]
2024-08-27 12:25:55 idx:0, ttdl:1 name:EMS_A
2024-08-27 12:25:55 idx:3, ttdl:1 name:EMS_B
2024-08-27 12:25:55 idx:6, ttdl:1 name:EMS_C
2024-08-27 12:25:55 idx:12, ttdl:1 name:EMS_D
[...]

 

It would then be, necessary to use them directly in the proxy_policy:

 

config firewall proxy-policy

edit 1

set proxy access-proxy
set access-proxy "Test_Proxy"
set srcintf "any"
set srcaddr "all"
set dstaddr "all"
set ztna-ems-tag "EMS_A" "EMS_B" "EMS_C" "EMS_D"
set ztna-tags-match-logic and
set action accept
set schedule "always"
set logtraffic all

next

end

 

Related articles:

Technical Tip: Logical 'AND' for tag matching between primary and secondary ZTNA Tags in a firewall ...

ZTNA HTTPS access proxy example - FortiGate administration guide

Full versus simple ZTNA policies - FortiGate administration guide
284
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.