Skip to content
The XG Series hardware appliances will reach end-of-life (EOL) on March 31, 2025. Click here to see the XG to XGS migration documentation.

Support for Active Directory group memberships

Some rules and policies support multiple Active Directory (AD) group memberships for users.

Note

Some rules and policies only support the user's main group in the firewall. To see a user's main group, go to Authentication > Users, click the user, and see the group selected under Group.

For information about how AD users' main group can change and other FAQs, see FAQs for Active Directory users and groups.

Rules and policies

Rules and policies Support for multiple group membership Description
Firewall rules Yes

Applies the matching rule's settings to the user groups selected in the rule.

Example: User belongs to Group X (main group) and Group Y (other group membership).

If the rule with Group Y matches the traffic first, the rule is applied to the user.

SSL/TLS inspection rules Yes

Applies the matching rule's settings to the user groups selected in the rule.

Example: User belongs to Group X (main group) and Group Y (other group membership).

If the rule with Group Y matches the traffic first, the rule is applied to the user.

WAF rules No

Only supports the main group. Make sure the main group or the user is configured in the policy.

Currently, if it's turned on for any of the user's other groups, the user's policy shows Enable, but users aren't allowed access based on their Other group memberships.

SD-WAN routes Yes

Applies the matching route to the user groups selected in the route.

Example: User belongs to Group X (main group) and Group Y (other group membership).

If the route with Group Y matches the traffic first, the route is applied to the user.

Web policies Yes

The firewall rule matches first and selects the web policy to use. The web filter applies the first rule in the web policy rule that matches both the user and the website.

Example: User belongs to Group X (main group) and Group Y (other group membership). The user tries to visit a sports website.

Web policy rules are in the following order:

  • Block sports for Group Y.
  • Allow news for Group X.

The firewall blocks the sports website for the user.

IPS policies Yes Applies the matching rule's IPS policy to the user groups specified in the rule.
Application control policies Yes Applies the matching rule's application control policy to the user groups specified in the firewall rule.
My policy overrides No Only applies to AD users' main group and to individual users. It doesn't apply to their other group memberships.

Remote access VPN

Remote access VPN Support for multiple group membership Description
Remote access SSL VPN Yes

Applies the permissions of all the full and split tunnel remote access SSL VPN policies of the user and the user's groups.

If the user or the user's groups are part of full tunnel policies, the firewall always establishes a full tunnel.

Clientless SSL VPN Yes Applies the permissions of all the clientless SSL VPN policies to which any of the user's groups belong.
L2TP No

Only supports the main group. Make sure the main group or the user is in the allowed list.

Currently, if it's turned on for any of the user's groups, the user's policy shows Enable, but users aren't allowed access based on their Other group membership.

PPTP No

Only supports the main group. Make sure the main group or the user is in the allowed list.

Currently, if it's turned on for any of the user's groups, the user's policy shows Enable, but users aren't allowed access based on their Other group membership.

Remote access IPsec VPN No

Only supports the main group. Make sure the main group or the user is in the allowed list.

Currently, if it's turned on for any of the user's groups, the user's policy shows Enable, but users aren't allowed access based on their Other group membership.

Hotspots and Policy test

Other policies Support for multiple group membership Description
Hotspots No

Only supports the user's main group.

The user portal shows all the hotspots the main group is part of.

Policy test Yes Supports all the user's groups that match the rules and policies it tests.

User's policies and other settings

User's policies and other settings Support for multiple group membership Description

Surfing quota

Access time

Network traffic

Traffic shaping

No Only supports the user's main group. Alternatively, you can select a different policy for the user.

Quarantine digest

MAC binding

No Only supports the user's main group. Alternatively, you can select a different setting for the user.
Sign-in restriction No Only supports the user's main group. Alternatively, you can select a different setting for the user.

Authentication

Setting Support for multiple group membership Description
Multi-factor authentication (MFA) No Only supports the user's main group. Alternatively, you can specifically add the user or apply it to all users.