diff --git a/fast/stages/2-networking/factory-firewall-policies.tf b/fast/stages/2-networking/factory-firewall-policies.tf
index 3df976fde..be047a126 100644
--- a/fast/stages/2-networking/factory-firewall-policies.tf
+++ b/fast/stages/2-networking/factory-firewall-policies.tf
@@ -49,5 +49,6 @@ module "firewall_policies" {
   context = {
     folder_ids = local.ctx_folders
     cidr_ranges_sets = local.ctx.cidr_ranges_sets
+    tag_values = local.ctx.tag_values
   }
 }
diff --git a/modules/net-firewall-policy/README.md b/modules/net-firewall-policy/README.md
index fbc0ff4dd..1f1ed7806 100644
--- a/modules/net-firewall-policy/README.md
+++ b/modules/net-firewall-policy/README.md
@@ -329,7 +329,7 @@ rule-name:
   enable_logging:
   security_profile_group: # Not for Regional policies
   target_service_accounts: []
-  target_tags: [] # Not for Hierarchical policies
+  target_tags: []
   target_resources: [] # For Hierarchical policies only
   tls_inspect: # Not for Regional policies
   match:
diff --git a/modules/net-firewall-policy/hierarchical.tf b/modules/net-firewall-policy/hierarchical.tf
index 9edf559cc..c5ea9dcfd 100644
--- a/modules/net-firewall-policy/hierarchical.tf
+++ b/modules/net-firewall-policy/hierarchical.tf
@@ -124,4 +124,16 @@ resource "google_compute_firewall_policy_rule" "hierarchical" {
     }
   }
 }
+  dynamic "target_secure_tags" {
+    for_each = toset(
+      local.rules[each.key].target_tags == null
+      ? []
+      : local.rules[each.key].target_tags
+    )
+    content {
+      name = lookup(
+        local.ctx.tag_values, target_secure_tags.value, target_secure_tags.value
+      )
+    }
+  }
 }
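Review bot: The `lookup(local.ctx.tag_values, target_secure_tags.value, target_secure_tags.value)` fallback in the new `target_secure_tags` block silently passes any unresolved key through as a literal tag name, so a typo in a rule's `target_tags` (or a short name like `net/env/prod` that was never registered in the context map) is only caught by the API at apply time, and the error it produces names the raw string rather than the rule. Because these tags decide which workloads a hierarchical rule actually targets, a plan-time guard is worth adding: a `lifecycle { precondition { … } }` on the resource requiring every entry in `local.rules[each.key].target_tags` to be either a key of `local.ctx.tag_values` or already in `tagValues/<id>` form (see the sketch below; fold it into the existing `lifecycle` block if the resource already has one). The shape of `local.ctx.tag_values` is not visible in this hunk — the factory wires `local.ctx.tag_values` into the module's `context` map, but the module-side mapping is elsewhere — so the `keys()` check assumes it is a plain map of key to `tagValues/…` name; confirm. The enclosing `google_compute_firewall_policy_rule.hierarchical` resource starts outside the hunk.
```hcl
resource "google_compute_firewall_policy_rule" "hierarchical" {
  # … unchanged: for_each, action, direction, match, target_resources, target_secure_tags …
  lifecycle {
    precondition {
      condition = alltrue([
        for t in (
          local.rules[each.key].target_tags == null
          ? []
          : local.rules[each.key].target_tags
        ) :
        contains(keys(local.ctx.tag_values), t) || can(regex("^tagValues/[0-9]+$", t))
      ])
      error_message = "Rule '${each.key}': every target_tags entry must be a key in context.tag_values or a tagValues/<id> name."
    }
  }
}
```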