FortiGate
ddabhade (Staff)
Article Id 218574
Description

This article discusses support for ZTNA tags (aka Security Posture Tags) when operating in NGFW policy-based mode.

Scope

FortiGate, NGFW policy-based mode, ZTNA, EMS
Solution

Before v7.4.1, feature support for dynamic address objects (which included EMS ZTNA tags) was limited and only partially supported in NGFW policy-based mode when compared to profile-based mode. Generally, SSL Inspection & Authentication Policies (config firewall policy) do allow ZTNA tags to be set, but they must be initially set via the CLI before the tags appear in the GUI:

config system settings
    set ngfw-mode policy-based
end

config firewall policy
    edit <id>
        set ztna-status enable
        set ztna-ems-tag <tag_1> <tag_2> [...]
    next
end

Historically, NGFW policy-mode Security Policies have only partially supported dynamic address objects, and as of v7.2.0 (Change #753749) that support was removed entirely. In v7.4.1, full support for dynamic address objects in Security Policies was added back via Change #923611, and this includes Security Posture Tags from EMS, FortiVoice, FortiNAC, etc. See also: Support dynamic Fabric address in security policies

 

In the GUI, Security Posture Tags may be added under the Source section by changing the dropdown menu in the Select Entries window to Security Posture Tag. In the CLI, the tags may be specified in the srcaddr field:

config firewall security-policy
    edit <id>
        set srcaddr <tag_name_or_address_object>
    next
end

v7.4.1 and later also support a new CLI command for NGFW policy-based mode that allows administrators to show the addresses used in the Security Policy that are resolved from the posture tags: 'diagnose ips pme dynamic-address list'.
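The steps above, combined into one end-to-end CLI session for v7.4.1 or later. This is an added example and not part of the original article: the policy IDs, interface names, the address object "Internal-Servers" and the posture tag name "EMS1_ZTNA_Compliant" are constructed for illustration (the tag name assumes the EMS-synchronised tag has already appeared on the FortiGate as a dynamic address object; substitute the name shown in your own Security Posture Tag list). Lines beginning with "#" are explanatory comments, not CLI input.

```text
# 1. Put the FortiGate into NGFW policy-based mode (assumed fresh VDOM; this is disruptive to existing profile-based policies).
config system settings
    set ngfw-mode policy-based
end

# 2. SSL Inspection & Authentication Policy: the ZTNA tag must be set here via CLI first,
#    otherwise it does not appear in the GUI. Interface and address names are constructed.
config firewall policy
    edit 10
        set name "ztna-inspect-lan-to-dmz"
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "Internal-Servers"
        set action accept
        set schedule "always"
        set ztna-status enable
        set ztna-ems-tag "EMS1_ZTNA_Compliant"
    next
end

# 3. Security Policy: from v7.4.1 the posture tag can be used directly as a source address,
#    so only endpoints EMS currently marks compliant match this rule (least privilege on the source side).
config firewall security-policy
    edit 10
        set name "compliant-endpoints-to-servers"
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "EMS1_ZTNA_Compliant"
        set dstaddr "Internal-Servers"
        set service "HTTPS"
        set schedule "always"
        set action accept
        set logtraffic all
    next
end

# 4. Verify which endpoint addresses the tag currently resolves to in the Security Policy.
#    If an expected host is missing, check the EMS connector status and the endpoint's posture in EMS before
#    assuming the policy is wrong.
diagnose ips pme dynamic-address list
```

Because the resolved address list is what the policy actually enforces, re-running the diagnose command after an endpoint changes posture (for example, loses its compliant tag in EMS) is the quickest way to confirm that access was revoked rather than relying on the tag name in the policy alone.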