Fortinet Identity-Based Policy Setup – Multiple AD Groups

Hi Zaheer

In the WhatsApp-Access app control profile, you need allow both WhatsApp application and the basic access applications as well. You can duplicate the Basic-Access app ctrl and add WhatsApp allowed as exception.

Thanks @AEK for Response,

 I’ve tried the suggested approach but hit a new challenge.

Current Setup:

• FortiGate integrated with AD via FSSO.

• Groups: Basic-Access, Whatsapp-Access, Anydesk-Access, FB-Access, etc.

• Each group has its own firewall policy with source set to the respective AD group.

• For each “special access” group, I duplicated the Basic-Access WebFilter/AppControl profile and added the specific service/application (e.g., WhatsApp, Anydesk, or Facebook).

Example:

• Allow-Anydesk Policy → Basic-Access + Anydesk allowed.

• Allow-WhatsApp Policy → Basic-Access + WhatsApp allowed.

• Allow-FB Policy → Basic-Access + Facebook allowed.

The Issue:
If a user (e.g., xyz) is added to multiple groups (say, Whatsapp-Access and Anydesk-Access), the firewall only applies the first matching policy in order.

• If Allow-Anydesk policy is on top → user gets Basic + Anydesk, but WhatsApp is still blocked.

• If Allow-Whatsapp is on top → user gets Basic + WhatsApp, but Anydesk is blocked.

So effectively, policies don’t merge permissions — only the first match is applied.

Requirement:
Users should inherit Basic-Access by default and gain cumulative access when they are added to multiple AD groups (e.g., WhatsApp + Anydesk + FB, depending on group membership).

Question:

• Is there a way to combine permissions across multiple identity-based policies instead of being limited to the first match?

• Or is the only option to manually create combined profiles for every possible combination (which doesn’t scale well with many groups)?

• Is there a recommended design pattern to achieve this more cleanly in FortiGate?