Zaheerudin45
Visitor

Fortinet Identity-Based Policy Setup – Multiple AD Groups

Hello,

I’m working on a project where FortiGate is integrated with Active Directory using FSSO. I’ve successfully retrieved AD groups such as Basic-Access, Whatsapp-Access, and Anydesk-Access.

Requirement:

  • Users in the Basic-Access group should have basic internet access (with restrictions such as blocking social media, WhatsApp, YouTube).

  • If a user is also part of Whatsapp-Access (in addition to Basic-Access), they should retain the Basic-Access permissions but also gain the ability to use WhatsApp.

  • The client wants full control from AD, so we should only add/remove users from groups without making changes on the firewall.

Issue I’m facing:
The problem comes down to policy order.

  • If I place the Whatsapp-Access policy above Basic-Access, a user in both groups only matches the Whatsapp policy and ends up with WhatsApp only (all other traffic blocked).

  • If I reverse the order, then the Whatsapp policy is never hit, and the user only gets Basic-Access.

So effectively, the firewall only applies the first matching policy and ignores the next, which prevents combining permissions.

Question:
How can I design this so that a user keeps Web-Access permissions while also gaining additional access (like WhatsApp) when added to another AD group?

  • Is this achievable with identity-based policies?

  • Or is there another recommended design approach for this use case?

For reference, current setup:

  • Basic-Access Policy: All services allowed except Social Media, Audio & Video, WebChat(whatsapp) using web filter.

  • Whatsapp-Access Policy: Web filter and Application Control block everything except “WebChat (WhatsApp)”.
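The first-match behaviour described in the post, as an added example that is not part of the original post and is not Fortinet code: a small Python policy evaluator that reproduces both orderings from the post and also shows the design they imply, namely scoping the Whatsapp-Access policy's match criteria to WhatsApp traffic so that every other flow falls through to Basic-Access. Only the group and policy names come from the post; the evaluator, the application labels and the narrowed-policy design are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

@dataclass
class Policy:
    name: str
    groups: Set[str]                      # FSSO groups the policy applies to
    match_apps: Optional[Set[str]]        # apps matched at policy level; None = any traffic
    profile_allow: Optional[Set[str]] = None   # apps the UTM profile permits; None = all
    profile_deny: Set[str] = field(default_factory=set)  # apps the profile blocks

def evaluate(policies, user_groups: Set[str], app: str) -> Tuple[Optional[str], str]:
    """First-match evaluation: the first policy whose group and app criteria
    match decides the verdict; later policies are never consulted."""
    for p in policies:
        if not (p.groups & user_groups):
            continue
        if p.match_apps is not None and app not in p.match_apps:
            continue                      # policy does not match; fall through
        if p.profile_allow is not None and app not in p.profile_allow:
            return p.name, "deny"         # matched, then blocked by profile
        if app in p.profile_deny:
            return p.name, "deny"
        return p.name, "allow"
    return None, "deny"                   # implicit deny at the end of the list

# Constructed policies modelling the post's current setup (assumed labels).
RESTRICTED = {"social-media", "youtube", "whatsapp"}
BASIC = Policy("Basic-Access", {"Basic-Access"}, None, profile_deny=RESTRICTED)
# Broad WhatsApp policy as in the post: matches ALL traffic from the group,
# then its profile blocks everything except WhatsApp.
WA_BROAD = Policy("Whatsapp-Access", {"Whatsapp-Access"}, None, profile_allow={"whatsapp"})
# Narrow WhatsApp policy (assumed design): only WhatsApp traffic matches at
# policy level, so other traffic from the same user reaches Basic-Access.
WA_NARROW = Policy("Whatsapp-Access", {"Whatsapp-Access"}, {"whatsapp"})

def verdicts(policies, user_groups, apps=("web", "whatsapp", "youtube")):
    """Verdict per application for one user, under one policy ordering."""
    return {a: evaluate(policies, user_groups, a)[1] for a in apps}

if __name__ == "__main__":
    both = {"Basic-Access", "Whatsapp-Access"}
    print("WA_BROAD on top :", verdicts([WA_BROAD, BASIC], both))   # WhatsApp only
    print("BASIC on top    :", verdicts([BASIC, WA_BROAD], both))   # Basic only
    print("WA_NARROW on top:", verdicts([WA_NARROW, BASIC], both))  # combined
    print("Basic-only user :", verdicts([WA_NARROW, BASIC], {"Basic-Access"}))
```

Group membership alone changes the outcome in the last two runs, which is the AD-only control the post asks for; in the real product the policy must match on something that identifies WhatsApp traffic at the policy level rather than only in its profile.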
