Fortinet white logo
Fortinet white logo

EMS Administration Guide

Managing endpoint policy priority levels

Managing endpoint policy priority levels

An endpoint may be eligible for multiple endpoint policies. When an endpoint is eligible for multiple endpoint policies, two factors determine which endpoint policy EMS applies to the endpoint:

  1. EMS only applies endpoint policies to endpoints if they are enabled on the Endpoint Policy > Manage Policies page.
  2. If an endpoint is eligible for multiple enabled endpoint policies, EMS applies the endpoint policy with the first priority level to the endpoint.
To change endpoint policy priority levels:
  1. Go to Endpoint Policy > Manage Policies.
  2. Click Change Priority.
  3. Click and hold the icon to the left of the policy name, then drag to the desired position.

  4. Click Save Priority.

In the examples below, there are three endpoint policies:

Name

Endpoint groups

Priority level

Seattle_general

All Groups/Seattle

1

SF_general

All Groups/SF

2

Seattle_HR

All Groups/Seattle/HR

3

In this example, all three policies are enabled. The All Groups/Seattle/HR subgroup is eligible for both the Seattle_general and Seattle_HR policies. In this scenario, EMS applies the first eligible endpoint policy, Seattle_general, to the All Groups/Seattle/HR subgroup.

In this example, the Seattle_general endpoint policy has been disabled. The All Groups/Seattle/HR group is still eligible for both policies. Since the Seattle_general policy is disabled, EMS applies Seattle_HR to the All Groups/Seattle/HR group.

Consider that you then make the following changes:

  • Enable Seattle_general
  • Move policies so that they have the following priorities:
    • SF_general: 1
    • Seattle_HR: 2
    • Seattle_general: 3

In this example, the All Groups/Seattle/HR group is eligible for two policies: Seattle_HR and Seattle_general. Since Seattle_HR comes before Seattle_general in the priority list, EMS applies Seattle_HR to All Groups/Seattle/HR.

Even though SF_general is set to priority 1, EMS does not apply it to All Groups/Seattle/HR, since All Groups/Seattle/HR is not eligible for that policy.

Managing endpoint policy priority levels

Managing endpoint policy priority levels

An endpoint may be eligible for multiple endpoint policies. When an endpoint is eligible for multiple endpoint policies, two factors determine which endpoint policy EMS applies to the endpoint:

  1. EMS only applies endpoint policies to endpoints if they are enabled on the Endpoint Policy > Manage Policies page.
  2. If an endpoint is eligible for multiple enabled endpoint policies, EMS applies the endpoint policy with the first priority level to the endpoint.
To change endpoint policy priority levels:
  1. Go to Endpoint Policy > Manage Policies.
  2. Click Change Priority.
  3. Click and hold the icon to the left of the policy name, then drag to the desired position.

  4. Click Save Priority.

In the examples below, there are three endpoint policies:

Name

Endpoint groups

Priority level

Seattle_general

All Groups/Seattle

1

SF_general

All Groups/SF

2

Seattle_HR

All Groups/Seattle/HR

3

In this example, all three policies are enabled. The All Groups/Seattle/HR subgroup is eligible for both the Seattle_general and Seattle_HR policies. In this scenario, EMS applies the first eligible endpoint policy, Seattle_general, to the All Groups/Seattle/HR subgroup.

In this example, the Seattle_general endpoint policy has been disabled. The All Groups/Seattle/HR group is still eligible for both policies. Since the Seattle_general policy is disabled, EMS applies Seattle_HR to the All Groups/Seattle/HR group.

Consider that you then make the following changes:

  • Enable Seattle_general
  • Move policies so that they have the following priorities:
    • SF_general: 1
    • Seattle_HR: 2
    • Seattle_general: 3

In this example, the All Groups/Seattle/HR group is eligible for two policies: Seattle_HR and Seattle_general. Since Seattle_HR comes before Seattle_general in the priority list, EMS applies Seattle_HR to All Groups/Seattle/HR.

Even though SF_general is set to priority 1, EMS does not apply it to All Groups/Seattle/HR, since All Groups/Seattle/HR is not eligible for that policy.