Zero Trust Tagging Rules
You can create, edit, and delete Zero Trust tagging rules for Windows, macOS, and Linux endpoints. You can also view and manage the tags used to dynamically group endpoints.
The following occurs when using Zero Trust tagging rules with EMS and FortiClient:
- EMS sends Zero Trust tagging rules to endpoints via Telemetry communication.
- FortiClient checks endpoints using the provided rules and sends the results to EMS.
When endpoint network changes or user logon/logoff events occur, FortiClient triggers an X-FFCK-TAG message to EMS, even if there are no tag changes. Once EMS receives the tags, it processes them immediately, and FortiOS tags are updated within five seconds from the REST API response. For other tag changes, FortiClient sends the information to EMS regularly as per the configured keepalive intervals. See Configuring EMS settings.
- EMS receives the results from FortiClient.
- EMS dynamically groups endpoints together using the tag configured for each rule. You can view the dynamic endpoint groups in Zero Trust Tags > Zero Trust Tag Monitor. See Zero Trust Tag Monitor.