- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- ZTNA Tag Groups logic
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ZTNA Tag Groups logic
Dear colleagues,
I'm implementing ZTNA as a VPN replacement and I got questions about ZTNA Tag Groups and there is only rare documentation about it. How are ZTNA Tag Groups are handled? Is the matching method for tags in the group ALL or ANY? Can anyone give an advice where the best place is to group tags (e.g. logged in and in a certain ad-group and AV active)? Is it easier to handle if you group it in EMS and to get one tag with is containing all the checks or is it better to group it in Fortigate?
best
stephan
Labels:
- Labels:
-
FortiClient
-
FortiClient EMS
-
FortiGate
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What are you trying to do? Will the Meraki send all the traffic to the FortiGate for clean pipe solution? Will the hosts running FortiClient be nat'd or will they have unique IPs? This could potentially work depending on what you are trying to accomplish.
https://19216811.cam/ https://1921681001.id/
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, thank you for your reply.
They will be sometimes NAT'd, sometimes not. It depends on where the backend server is located (directly connected or behind IPSec Tunnels).
I just want to give access to services when not only one condition is met. Lets say the user must be logged into the domain, must be part of a certain group and the device needs to have no vulnerabilities. Those are 3 conditions to met. Is it more handy to create one tag which you get assigned when you meet all 3 conditions, or is it more handy to group 3 tags to one tag group on FGT side? It maybe no big difference in the beginning but if it grows to a larger scale, it can be a difference. At the end there will be ~40 AD groups and over 100 services available over ZTNA and a lot of tags. So I really wondering about best practice because all the fortigate docs are just covering tiny setups like 1 group, 3 tags and 3 services.
best, stephan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The logic for ZTNA Tags can be "AND" or "OR." This is how they can be defined in EMS. Depending on how you configure it, the ZTNA Tag Group may require all Tags to match or just one Tag. I am not certain how you would do this on the Fortigate. What version of FortiOS are you working with? I would manage this in EMS since its straight forward there.
Would rather be in the wilderness
Would rather be in the wilderness
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your answer! In Fortigate you can have simple and full ZTNA policies. In full ZTNA Policies you can select either to match all or any Tags. But in simple ZTNA policies there is only an "or". So in my eyes it makes sense then to group tags on other place. In EMS you can't create Tag Groups (as far as I see) and so you would need to create tags with several conditions. This is quite okay so far but I'm not sure how easy it will be, if a client doesn't get the expected tag, to find out which condition did not match. So I just wanted to ask others how they managed it and how well it went.
best, stephan
Related Posts
- Fortinet Single Sign On (FSSO) for... 225 Views
- ZTNA - NatPool used by default 287 Views
- Problem using Application Control in FortiProxy... 1086 Views
- ZTNA IP/MAC filtering issue 613 Views
Labels
-
FortiGate
6,538 -
FortiClient
1,304 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
242 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
Customer Service
70 -
FortiToken
69 -
4.0MR3
64 -
SSL-VPN
60 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
Firewall policy
24 -
SD-WAN
24 -
FortiConnect
23 -
FortiWAN
22 -
FortiConverter
21 -
VLAN
20 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiAuthenticator
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
SSL SSH inspection
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
Schedule
1 -
4.0MR1
1 -
SDN connector
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
FortiPAM
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
FortiManager-VM
1 -
Zone
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.