EMS Administration Guide

Managing endpoint policy priority levels

An endpoint may be eligible for multiple endpoint policies. When an endpoint is eligible for multiple endpoint policies, the following factors determine which endpoint policy EMS applies to the endpoint:

  1. EMS only applies endpoint policies to endpoints if they are enabled on the Endpoint Policy & Components > Manage Policies page.
  2. If an endpoint is eligible for multiple enabled endpoint policies, EMS determines which policy to apply using the following order:
    1. If there is a policy directly assigned to the user (configured in the Users field for the endpoint policy), EMS assigns that policy to the endpoint.
    2. If there are policies assigned to the group container and/or user group, EMS assigns the policy with the highest priority level to the endpoint.
    3. If there are inherited policies for group container and/or user group (policies assigned to a parent container or group), EMS assigns the policy with the highest priority level to the endpoint.

To change endpoint policy priority levels:

  1. Go to Endpoint Policy & Components > Manage Policies.
  2. Click Change Priority.
  3. Click and hold the policy name, then drag to the desired position.
  4. Click Save Priority.

In the examples, there are three endpoint policies:

| Name | Endpoint groups | Priority level |
| --- | --- | --- |
| Seattle_general | All Groups/Seattle | 1 |
| SF_general | All Groups/SF | 2 |
| Seattle_HR | All Groups/Seattle/HR | 3 |

In the first example, all three policies are enabled. The All Groups/Seattle/HR subgroup is eligible for both the Seattle_general and Seattle_HR policies. In this scenario, EMS applies the first eligible endpoint policy, Seattle_general, to the All Groups/Seattle/HR subgroup.

In the second example, the Seattle_general endpoint policy has been disabled. The All Groups/Seattle/HR group is still eligible for both policies. Since the Seattle_general policy is disabled, EMS applies Seattle_HR to the All Groups/Seattle/HR group.

Consider that you then make the following changes:

  • Enable Seattle_general
  • Move policies so that they have the following priorities:
    • SF_general: 1
    • Seattle_HR: 2
    • Seattle_general: 3

In this example, the All Groups/Seattle/HR group is eligible for two policies: Seattle_HR and Seattle_general. Since Seattle_HR comes before Seattle_general in the priority list, EMS applies Seattle_HR to All Groups/Seattle/HR.

Even though SF_general is set to priority 1, EMS does not apply it to All Groups/Seattle/HR, since All Groups/Seattle/HR is not eligible for that policy.
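
The following Python sketch is an added example, not EMS code. It models the selection behaviour shown in the three scenarios above and reports enabled policies that never take effect for the group they are assigned to. The `Policy` class and function names are hypothetical, and it assumes, as the scenarios show, that a parent group's policy higher in the priority list wins over a policy assigned to the subgroup itself, and that multiple user-assigned policies are ranked by priority.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    group: str          # group container the policy is assigned to
    priority: int       # 1 is the top of the priority list
    enabled: bool = True
    users: tuple = ()   # entries of the policy's Users field

def eligible(policy, endpoint_group):
    """Assigned to the endpoint's group or inherited from a parent container."""
    return (endpoint_group == policy.group
            or endpoint_group.startswith(policy.group + "/"))

def effective_policy(policies, endpoint_group, user=None):
    """Return the name of the policy this model applies, or None."""
    enabled = [p for p in policies if p.enabled]
    # A policy assigned directly to the user wins over any group policy.
    direct = [p for p in enabled if user is not None and user in p.users]
    # Otherwise the eligible policy nearest the top of the priority list wins.
    pool = direct or [p for p in enabled if eligible(p, endpoint_group)]
    return min(pool, key=lambda p: p.priority).name if pool else None

def shadowed(policies):
    """Enabled policies that never win for the group they are assigned to."""
    return [p.name for p in policies
            if p.enabled and effective_policy(policies, p.group) != p.name]

# The three policies from the table above.
INITIAL = [
    Policy("Seattle_general", "All Groups/Seattle", 1),
    Policy("SF_general", "All Groups/SF", 2),
    Policy("Seattle_HR", "All Groups/Seattle/HR", 3),
]
HR = "All Groups/Seattle/HR"

def scenarios():
    """Effective policy for the HR subgroup in each of the three scenarios."""
    disabled = [Policy(p.name, p.group, p.priority, p.name != "Seattle_general")
                for p in INITIAL]
    new_order = {"SF_general": 1, "Seattle_HR": 2, "Seattle_general": 3}
    reordered = [Policy(p.name, p.group, new_order[p.name]) for p in INITIAL]
    return [effective_policy(s, HR) for s in (INITIAL, disabled, reordered)]

if __name__ == "__main__":
    print(scenarios())
    print(shadowed(INITIAL))
```

Running `shadowed` on an exported policy list before saving a new priority order shows which group-specific policies, such as a stricter HR profile, would be silently overridden by a broader one.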
