Dear colleagues,
I'm implementing ZTNA as a VPN replacement and I got questions about ZTNA Tag Groups and there is only rare documentation about it. How are ZTNA Tag Groups are handled? Is the matching method for tags in the group ALL or ANY? Can anyone give an advice where the best place is to group tags (e.g. logged in and in a certain ad-group and AV active)? Is it easier to handle if you group it in EMS and to get one tag with is containing all the checks or is it better to group it in Fortigate?
best
stephan
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
What are you trying to do? Will the Meraki send all the traffic to the FortiGate for clean pipe solution? Will the hosts running FortiClient be nat'd or will they have unique IPs? This could potentially work depending on what you are trying to accomplish.
Hi, thank you for your reply.
They will be sometimes NAT'd, sometimes not. It depends on where the backend server is located (directly connected or behind IPSec Tunnels).
I just want to give access to services when not only one condition is met. Lets say the user must be logged into the domain, must be part of a certain group and the device needs to have no vulnerabilities. Those are 3 conditions to met. Is it more handy to create one tag which you get assigned when you meet all 3 conditions, or is it more handy to group 3 tags to one tag group on FGT side? It maybe no big difference in the beginning but if it grows to a larger scale, it can be a difference. At the end there will be ~40 AD groups and over 100 services available over ZTNA and a lot of tags. So I really wondering about best practice because all the fortigate docs are just covering tiny setups like 1 group, 3 tags and 3 services.
best, stephan
The logic for ZTNA Tags can be "AND" or "OR." This is how they can be defined in EMS. Depending on how you configure it, the ZTNA Tag Group may require all Tags to match or just one Tag. I am not certain how you would do this on the Fortigate. What version of FortiOS are you working with? I would manage this in EMS since its straight forward there.
Thank you for your answer! In Fortigate you can have simple and full ZTNA policies. In full ZTNA Policies you can select either to match all or any Tags. But in simple ZTNA policies there is only an "or". So in my eyes it makes sense then to group tags on other place. In EMS you can't create Tag Groups (as far as I see) and so you would need to create tags with several conditions. This is quite okay so far but I'm not sure how easy it will be, if a client doesn't get the expected tag, to find out which condition did not match. So I just wanted to ask others how they managed it and how well it went.
best, stephan
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1735 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.