Do EMS tags work with SSL VPN policies? Is there a trick to them?
Using 6.4.7
https://docs.fortinet.com/document/forticlient/6.4.4/ems-administration-guide/236870#To5
The main doc is here, but in general, you’re not restricting access to the tunnel based on tags, but rather restricting the firewall policies using EMS tags.
If you wanted to authenticate the device, you could use EMS to distribute a client certificate, then require that certificate on VPN.
You can also enable host-checking with FortiClient to make sure only devices with current OS versions and Antivirus are allowed to authenticate, then use your other role or compliance tags in EMS to restrict where folks are allowed to go.
Tags are generated in EMS based on the properties of the client. These tags can then be used in a firewall policy - whether that is an SSL VPN policy or a general LAN policy is up to you. Depends on what you want to accomplish.
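As an added illustration of the point above (not configuration from the thread or from Fortinet's docs): the EMS tag arrives on the FortiGate as a dynamic address, and an SSL VPN firewall policy then pairs that address with a user group, the address deciding which devices match and the group deciding which users may log in. The tag name, address name, interface names and group name are assumptions.

```fortios
# Added example, not from the thread. Assumes EMS is already connected and
# has pushed a dynamic address for a tag called "Compliant"; the address
# name below is a placeholder, use the name the FortiGate actually shows.
# Users authenticate through an SSL VPN user group named "sslvpn-users".

# The EMS-learned dynamic address as it appears on the FortiGate
config firewall address
    edit "EMS_TAG_Compliant"            # placeholder name
        set type dynamic
        set sub-type ems-tag
    next
end

# SSL VPN policy: the tag address is the ONLY source address.
# srcaddr entries are OR-matched, so listing the SSL VPN tunnel range
# next to the tag would let untagged clients match as well.
config firewall policy
    edit 10
        set name "SSLVPN-compliant-to-LAN"
        set srcintf "ssl.root"             # SSL VPN tunnel interface
        set dstintf "internal"             # assumed LAN interface
        set srcaddr "EMS_TAG_Compliant"    # device posture (tag)
        set dstaddr "LAN_net"              # assumed LAN address object
        set groups "sslvpn-users"          # user identity (group)
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Two things to check when a policy like this never matches: the tag address only resolves to the IPs EMS reports for the endpoint, so if the client's assigned tunnel IP is not among them the policy cannot match (which fits the behaviour described later in this thread); and `diagnose firewall dynamic list` shows what each dynamic address currently resolves to, so you can confirm whether the tunnel IP is in the list before suspecting the policy.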
In EMS, there is a setting under the VPN profile to require a specific tag or not.
That’s the documentation I was referring to. I’m not getting tags showing up as users; I get them as EMS dynamic addresses, the way they show in the IPsec section. Using these tags for SSL VPN policies doesn’t work. In the SSL VPN section they select the “RED-ALERT” group (?) in the user section, which doesn’t make sense to me since EMS tags show up as dynamic addresses.
This is essentially what they call ZTNA?
If you are going to use Tags whether for compliance or ZTNA, we’d recommend you go Version 7.0.x.
There are a lot of issues and annoyances that were addressed, and we also packed in quite a lot of new cool stuff at the same time, of course.
No, ZTNA is a very different concept although tags are still involved - ZTNA switches the remote access paradigm from network targets to application targets. So you are no longer connecting to office networks but rather remote applications. ZTNA is effectively performing a reverse proxy function to specific apps based on authenticated/authorized access. Part of this access can be based on tags.
Thanks for a good explanation, I’ll check the video out.