kiri
Staff
Article Id 230866
Description This article explains why the order of groups within a single firewall policy, and the order of SSL VPN authentication rules, has no bearing on the authentication process.
Although groups on the same firewall policy and SSL VPN authentication rules can appear to be set in a particular order, that order plays no part in determining which group is selected.
If a user can match multiple groups and there is nothing to differentiate between them, the group order and the SSL VPN authentication rule order will not have any bearing.
Scope FortiGate 6.X, 7.X.
Solution

The order is not designed to influence which group is selected over another during the authentication process.
For this specific case, the best ways to control which group is selected are to:

1) Differentiate the user who can match more than one group by using source/destination or other parameters.
2) Split the firewall policy that has multiple groups into multiple policies, each with a single group.
3) Use SSL VPN realms.
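
To find the policies this applies to, the following added example (not Fortinet code and not part of the original article) scans a FortiOS configuration backup for firewall policies whose `set groups` line lists more than one group, and reports the users who can match two or more of them. The policy IDs, group names and user-to-group mapping are constructed sample data, and the parser assumes policy entries contain no nested `config` blocks.

```python
import re

# Constructed sample in FortiOS config-backup syntax (not from the article).
SAMPLE_CONFIG = '''
config firewall policy
    edit 10
        set srcintf "ssl.root"
        set groups "VPN-Admins" "VPN-Users"
    next
    edit 11
        set srcintf "ssl.root"
        set groups "VPN-Users"
    next
end
'''

# Constructed membership data: user -> groups that user can match.
SAMPLE_MEMBERS = {"alice": {"VPN-Admins", "VPN-Users"}, "bob": {"VPN-Users"}}

def policy_groups(config_text):
    """Return {policy_id: [group, ...]} from the 'config firewall policy' block."""
    policies, in_block, current = {}, False, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config firewall policy":
            in_block = True
        elif in_block and line == "end":
            in_block = False
        elif in_block and line.startswith("edit "):
            current = int(line.split()[1])
            policies[current] = []
        elif in_block and current is not None and line.startswith("set groups "):
            policies[current] = re.findall(r'"([^"]+)"', line)
        elif in_block and line == "next":
            current = None
    return policies

def ambiguous_users(config_text, members):
    """Return {policy_id: {user: [groups]}} for users matching 2+ groups on one policy."""
    findings = {}
    for pid, groups in policy_groups(config_text).items():
        hits = {user: sorted(user_groups & set(groups))
                for user, user_groups in members.items()
                if len(user_groups & set(groups)) > 1}
        if hits:
            findings[pid] = hits
    return findings
```

Each policy returned by `ambiguous_users` is a candidate for one of the three options above, since group order will not decide which group such a user is matched to.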
