Using Tags on the Fortigate Firewall

By Manny Fernandez

February 12, 2019

Using Tags on the Fortigate Firewall

Tags are something that I have adopted into my workflow on most applications. I use Tags in Evernote, OmniFocus, macOS, this blog site, Fortigates, etc. Although, I would like to see Fortinet expand on ‘Tags’ this is what we have to work with today. Ideally, I would like to tag an address object, a policy, a route, VPN, etc. Then do a global search for all things ‘tagged’ with that tag.

Use case Example: VPN Tunnel

Create an address object for the local Phase II selector (possibly an address group)
Create an address object fort the remote Phase II selector (possibly an address group)
Create a VPN
Create the Static Routes (I only use ‘custom’ so the wizard does not create it for me)
Create an IPv4 Policy

With that said, Fortinte HAS done a great job implementing ‘tags’ on FortiOS. Minimum version is 6.0.

Fortinet’s implementation allows you to create a ‘Category’ for tags. In my example, I am using Location, Network, and Manager.

Location COULD identify what IDF, Building, Campus, etc.
Network COULD identify VLAN information, Subnets, Named LAN objects, etc.
Manager COULD identify the owner of the device (e.g. Manny Fernandez, Omar Ortiz, etc). You will see where this is useful.

Obviously, you can choose your own names that make sense in your environment.

Lets get started.

To get to the ‘Tags’ Section, go to ‘System’ then ‘Tags‘

Here you can see the blank screen that allows you to define you selections.

Here you can see the ‘Location’. I opted for IDF (Intermediate Distribution Frame) and MDF (Main Distribution Frame) locations. However, as stated before, you can use anything you like.

Now ‘Networks’ which tell you what type of network element it is (e.g. Security Cameras, AV, Servers, etc)

Manager is the next section. This is useful to identify devices and networks that belong to Police Department, Fire Department, Water and Sewage etc. It can identify who needs to be contacted in case something is identified.

Now we will start tagging devices. Here we can see a PS4. I have tagged it with the ‘Location’ of ‘IDF3-South’ as well as the ‘Manager’ which in my example is ‘Manny’

Next we see my MacBook Pro. On this one, I have identified it as being in the MDF and managed by me.

Now for the interesting part. Under ‘Security Fabric’ you can see your devices on the LANs as well as your access layer devices (switches and APs).

You will be able to hover over a device and it will not only show you the AD Avatar for the user logged into the device, the MAC address(s) of the device, the physical port and switch it is plugged into, or the Wireless Access Point & SSID, Vulnerabilities, Bytes used, Sessions, and tags.

That is a wrap for ‘Tagging’ on FortiOS 6.x. Hopefully Fortinet will continue to enhance the tagging capabilities of FortiOS.

Hope this helps

Using Tags on the Fortigate Firewall

Recent posts