Support for Active Directory group memberships
Some rules and policies support multiple Active Directory (AD) group memberships for users.
Note
Some rules and policies only support the user's main group in the firewall. To see a user's main group, go to Authentication > Users, click the user, and see the group selected under Group.
For information about how AD users' main group can change and other FAQs, see FAQs for Active Directory users and groups.
Rules and policies
Rules and policies | Support for multiple group membership | Description |
---|---|---|
Firewall rules | Yes | Applies the matching rule's settings to the user groups selected in the rule. Example: User belongs to Group X (main group) and Group Y (other group membership). If the rule with Group Y matches the traffic first, the rule is applied to the user. |
SSL/TLS inspection rules | Yes | Applies the matching rule's settings to the user groups selected in the rule. Example: User belongs to Group X (main group) and Group Y (other group membership). If the rule with Group Y matches the traffic first, the rule is applied to the user. |
WAF rules | No | Only supports the main group. Make sure the main group or the user is configured in the policy. Currently, if it's turned on for any of the user's other groups, the user's policy shows Enable, but users aren't allowed access based on their Other group memberships. |
SD-WAN routes | Yes | Applies the matching route to the user groups selected in the route. Example: User belongs to Group X (main group) and Group Y (other group membership). If the route with Group Y matches the traffic first, the route is applied to the user. |
Web policies | Yes | The firewall rule matches first and selects the web policy to use. The web filter applies the first rule in the web policy that matches both the user and the website. Example: User belongs to Group X (main group) and Group Y (other group membership). The user tries to visit a sports website. Web policy rules are in the following order: The firewall blocks the sports website for the user. |
IPS policies | Yes | Applies the matching rule's IPS policy to the user groups specified in the rule. |
Application control policies | Yes | Applies the matching rule's application control policy to the user groups specified in the firewall rule. |
My policy overrides | No | Only applies to AD users' main group and to individual users. It doesn't apply to their other group memberships. |
Remote access VPN
Remote access VPN | Support for multiple group membership | Description |
---|---|---|
Remote access SSL VPN | Yes | Applies the permissions of all the full and split tunnel remote access SSL VPN policies of the user and the user's groups. If the user or the user's groups are part of full tunnel policies, the firewall always establishes a full tunnel. |
Clientless SSL VPN | Yes | Applies the permissions of all the clientless SSL VPN policies to which any of the user's groups belong. |
L2TP | No | Only supports the main group. Make sure the main group or the user is in the allowed list. Currently, if it's turned on for any of the user's groups, the user's policy shows Enable, but users aren't allowed access based on their Other group membership. |
PPTP | No | Only supports the main group. Make sure the main group or the user is in the allowed list. Currently, if it's turned on for any of the user's groups, the user's policy shows Enable, but users aren't allowed access based on their Other group membership. |
Remote access IPsec VPN | No | Only supports the main group. Make sure the main group or the user is in the allowed list. Currently, if it's turned on for any of the user's groups, the user's policy shows Enable, but users aren't allowed access based on their Other group membership. |
Hotspots and Policy test
Other policies | Support for multiple group membership | Description |
---|---|---|
Hotspots | No | Only supports the user's main group. The user portal shows all the hotspots the main group is part of. |
Policy test | Yes | Supports all the user's groups that match the rules and policies it tests. |
User's policies and other settings
User's policies and other settings | Support for multiple group membership | Description |
---|---|---|
Surfing quota, Access time, Network traffic, Traffic shaping | No | Only supports the user's main group. Alternatively, you can select a different policy for the user. |
Quarantine digest, MAC binding | No | Only supports the user's main group. Alternatively, you can select a different setting for the user. |
Sign-in restriction | No | Only supports the user's main group. Alternatively, you can select a different setting for the user. |
Authentication
Setting | Support for multiple group membership | Description |
---|---|---|
Multi-factor authentication (MFA) | No | Only supports the user's main group. Alternatively, you can specifically add the user or apply it to all users. |
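
The tables above imply a configuration gap: a setting such as MFA assigned to a group has no effect on users who hold that group only as an other membership. The following audit sketch is an added example, not Sophos code or a Sophos API. The inventory format, the function names, and the sample users are assumptions, and it doesn't model MFA applied to all users.

```python
# Added example: data model and names are hypothetical, not a Sophos API.
# Features the page lists as main-group-only ("No" in the tables above).
MAIN_GROUP_ONLY = {
    "WAF rules", "My policy overrides", "L2TP", "PPTP",
    "Remote access IPsec VPN", "Hotspots", "Surfing quota", "Access time",
    "Network traffic", "Traffic shaping", "Quarantine digest", "MAC binding",
    "Sign-in restriction", "Multi-factor authentication (MFA)",
}

def effective_groups(user, feature):
    """Groups the firewall evaluates for this user and feature."""
    if feature in MAIN_GROUP_ONLY:
        return {user["main_group"]}
    return {user["main_group"], *user["other_groups"]}

def find_gaps(users, assignments):
    """Return (user, feature, group) triples where a setting is assigned to a
    group the user holds only as an other membership, for a feature that
    only honours the main group, and the user isn't listed individually."""
    gaps = []
    for a in assignments:
        for name, user in sorted(users.items()):
            if name in a["users"]:
                continue  # individually configured users are covered
            member_of = {user["main_group"], *user["other_groups"]}
            intended = member_of & set(a["groups"])
            applied = effective_groups(user, a["feature"]) & set(a["groups"])
            if intended and not applied:
                gaps.extend((name, a["feature"], g) for g in sorted(intended))
    return gaps

# Constructed sample inventory.
USERS = {
    "alice": {"main_group": "Group X", "other_groups": ["Group Y"]},
    "bob": {"main_group": "Group Y", "other_groups": []},
}
ASSIGNMENTS = [
    {"feature": "Multi-factor authentication (MFA)", "groups": ["Group Y"], "users": []},
    {"feature": "Firewall rules", "groups": ["Group Y"], "users": []},
    {"feature": "L2TP", "groups": ["Group Y"], "users": ["alice"]},
]

if __name__ == "__main__":
    for user, feature, group in find_gaps(USERS, ASSIGNMENTS):
        print(f"{user}: {feature} set on {group!r} is not applied (not the main group)")
```

In the sample, alice is flagged for MFA because Group Y is not her main group, while the firewall rule on Group Y still matches her.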