Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
jloureiro
New Contributor III

FortiGate global header policy not enforcing EMS tag match

Hi,

 

I have FortiClient EMS, FortiManager, and several FortiGates in my environment.

  • EMS is connected to each FortiGate and showing "connected" in the Fabric Connectors;
  • In EMS I configured classification tags for some users;
  • In FortiManager, I have a Global Header Policy applied to all FortiGates;
  • This policy has an EMS classification tag as part of the source match condition.

The problem is that devices without the EMS tag are still matching the policy.

 

The only troubleshooting I was able to do was running <diag user device list>, only to find that there are no tags showing up.

 

FortiClient EMS v7.4.3

FortiManager v7.4.6

FortiGate(s) v7.4.7

 

I would appreciate some help on how to further troubleshoot the issue.

 

Thanks in advance.

João
9 REPLIES
AEK
SuperUser

Hi Joao

When you open the policy from FortiGate WebUI (not FMG) do you see the tags are set up properly?

AEK
jloureiro
New Contributor III

Hi, actually I can't see the tags anywhere inside the policy.

 

Thanks.

João
AEK
SuperUser

tag.png

 

If you can't see it then you may need to enable Zero Trust Network Access in feature visibility.

AEK
jloureiro
New Contributor III

Thanks for your reply.

 

Just to make sure we are on the same page, the tags I am trying to enable are FortiClient EMS Classification Tags (like the ones in the image below), not the Security Posture Tags.

 

Screenshot_1.png

Another issue is that I am not able to enable the Zero Trust Network Access feature, as the instructions say that it must be enabled via the CLI with two commands; however, I don't have set proxy-and-explicit-proxy enable under config system global.

 

As I said in the first post, this is a firewall header policy created on FortiManager and pushed to the FortiGates, and the tag is correctly presented on the FortiManager side. My doubt now is whether it should be presented in the individual firewalls' policy as well.

 

Screenshot_2.png

Thanks again for your support.

João
funkylicious

hi,

In EMS you would need to ensure that under Fabric & Connectors > Fabric Devices, in Tag Types Being Shared, Classification Tags is enabled to send to the FortiGates (in Policy & Objects > ZTNA > Security Posture Tags you should see the CLASS IP tags [Category: Classification] from EMS), and that under FortiGate > Fabric Connectors > EMS, in the CLI configuration, you have pull-tags enabled (which should be enabled by default if you didn't change it).

"jack of all trades, master of none"
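As an added example (not something any poster in this thread provided), here is what the FortiGate-side checks described above and in the first post look like from the FortiGate CLI. The connector name "EMS" is a placeholder for your own fabric connector name; the set proxy-and-explicit-proxy enable command is quoted from the thread, while set gui-ztna enable is from my own knowledge of FortiOS and is an assumption for this thread, not something the thread confirms. The # lines are explanatory notes, not CLI input.

```text
# Assumed connector name "EMS"; replace with your fabric connector name.
# pull-tags must be enabled for EMS tags to reach the FortiGate at all.
config endpoint-control fctems
    edit "EMS"
        set pull-tags enable
    next
end

# Verify the fabric connection before looking for tags: as the original
# poster later found, tags do not appear until the EMS connection is healthy.
diagnose endpoint fctems test-connectivity EMS

# Enabling ZTNA feature visibility via CLI. The first command is the one
# quoted in the thread; the second (gui-ztna) is an assumption from my own
# knowledge of FortiOS, not from the thread.
config system global
    set proxy-and-explicit-proxy enable
end
config system settings
    set gui-ztna enable
end

# Tags pulled from EMS show up as dynamic addresses; check that the expected
# classification tag is present and populated with endpoint IPs.
diagnose firewall dynamic list

# Per-endpoint view used in the first post; once tags are pulled, each
# endpoint entry should list its EMS tags.
diagnose user device list
```

Run the checks in that order: if test-connectivity fails, nothing downstream is meaningful; if the dynamic list shows the tag with no members, the policy's tag criterion cannot match anyone, and untagged devices matching the policy points back at the policy as installed on the FortiGate (which is what AEK's question about opening the policy in the FortiGate GUI is probing).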
jloureiro

Hi, thanks for your reply.

 

I could not find the Tag Types Being Shared option in EMS; however, the tags are working in some FortiGates in the Fabric. From what I could see, the ones that do not work are the ones where I cannot enable the ZTNA feature in feature visibility.

João
funkylicious

Can you share the FortiGate model and the FortiOS version running on the ones where the tags are not visible and the ZTNA feature cannot be enabled?

https://docs.fortinet.com/document/fortiedr/7.0.0/forticlient-ems-integration/463964/configuring-for... 

"jack of all trades, master of none"
jloureiro

Hi,

 

FortiGate 60F, FortiOS 7.4.7

João
jloureiro
New Contributor III

Hello,

I noticed that the problem seems to be related to the FortiGate not connecting properly to the fabric.

I am still having some trouble establishing the connection, but I believe that once this issue is resolved, the tags will appear correctly.

Thank you for your support.

João