Web Filter precedence with membership to multiple groups

McWoodley · ‎05-07-2014

Hi all, I looked through the forum and searched but couldn' t find anything on this topic. I am going to be setting up web filtering based off of active directory group membership. This will be on a Fortigate 100D running v5.0,build4429 What I need to know is how group membership will be treated. Will it be the most restrictive or the most permissive. I need to know how I should approach setting up policies. A new default policy that is very restrictive and then groups to allow access. Or a liberal policy then restrict based on groups. What happens if the user is a member of multiple groups, does the most permissive setting applied or the most restrictive? Thanks!

HA · ‎05-09-2014

Hello, What I mean is very simple... What if a user is member of two groups ? Regards, HA

romanr · ‎05-10-2014

What if a user is member of two groups ?

The first matching rule (group) will decide which profile is being used. Within an authentication policy there is also an order of the rules... lets say group A - Webfilter Profile A group B - Webfilter Profile B group C - Webfilter Profile C If a user is in all groups - the Webfilter Profile A is being used. If the user is in group B+C -> WF Profilte B is being used and so on... Therefore you need to take care, that groups with more access rights sit on top of your auth policy.

I have also verified with support that only singular group membership is supported.

This is not true! This was with earlier firmware - But actual software allows you to have users in multiple groups!

Web Filter precedence with membership to multiple groups

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website