EMS Administration Guide

Managing group assignment rule priority levels

An endpoint may be eligible for multiple group assignment rules. When it is, two factors determine which rule EMS applies to the endpoint:

  1. EMS applies group assignment rules to endpoints only if the rules are enabled on the Endpoints > Group Assignment Rules page.
  2. If an endpoint is eligible for multiple enabled rules, EMS applies the rule with the first priority level to the endpoint.

To change rule priority levels:
  1. Go to Endpoints > Group Assignment Rules.
  2. Click and hold the rule, then drag to the desired position.

In the example below, consider an endpoint where FortiClient was deployed using the "HQ" installer ID and has an IP address that belongs to the 192.168.0.0/24 subnet. The endpoint is eligible for two rules. In this case, the endpoint is placed in the HQ group, since the HQ rule has a higher priority level than the 192.168.0.0/24 subnet rule.

However, if you disable the HQ rule, EMS places the endpoint in the West Coast/Seattle group, as per the 192.168.0.0/24 subnet rule.

You can reenable the HQ rule, then change the rule priority levels so that the 192.168.0.0/24 rule has priority level 1. In this case, EMS places the endpoint in the West Coast/Seattle group.
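
The three outcomes described above can be checked offline with a small model of the evaluation order. This is an added example, not EMS code or an EMS API: the Rule and Endpoint classes, the rule names, and the endpoint address 192.168.0.25 are assumptions made for illustration, and returning None when no rule matches is a choice of this model only.

```python
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Rule:                      # hypothetical model of one group assignment rule
    name: str
    kind: str                    # "installer_id" or "subnet"
    value: str
    group: str
    enabled: bool = True

@dataclass(frozen=True)
class Endpoint:                  # hypothetical model of an endpoint
    installer_id: str
    ip: str

def matches(rule, ep):
    """True if the endpoint is eligible for the rule."""
    if rule.kind == "installer_id":
        return rule.value == ep.installer_id
    if rule.kind == "subnet":
        return ipaddress.ip_address(ep.ip) in ipaddress.ip_network(rule.value)
    raise ValueError(f"unknown rule kind: {rule.kind}")

def assign_group(rules, ep):
    """rules is in priority order (index 0 = priority level 1).
    Disabled rules are skipped; the first enabled match wins."""
    for rule in rules:
        if rule.enabled and matches(rule, ep):
            return rule.group
    return None                  # model's choice; the page does not cover this case

def shadowed_rules(rules, ep):
    """Enabled rules the endpoint is eligible for but that lose on priority."""
    hits = [r.name for r in rules if r.enabled and matches(r, ep)]
    return hits[1:]

HQ = Rule("HQ installer", "installer_id", "HQ", "HQ")
SUBNET = Rule("192.168.0.0/24 subnet", "subnet", "192.168.0.0/24", "West Coast/Seattle")
EP = Endpoint(installer_id="HQ", ip="192.168.0.25")   # constructed sample endpoint

def scenarios():
    return {
        "hq_first": assign_group([HQ, SUBNET], EP),
        "hq_disabled": assign_group([replace(HQ, enabled=False), SUBNET], EP),
        "subnet_first": assign_group([SUBNET, HQ], EP),
    }

if __name__ == "__main__":
    for label, group in scenarios().items():
        print(f"{label}: {group}")
    print("shadowed:", shadowed_rules([HQ, SUBNET], EP))
```

The shadowed_rules helper lists rules that an endpoint matches but that never take effect, which is worth reviewing before reordering rules when group membership determines the policy an endpoint receives.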
