
AD synchronisation user multiple user group memberships

Is it correct that XG only supports one AD group membership? So no real AD integration?

Fred



  • Not really. 

    It is kind of complicated. 

    XG has a "Primary Group". This group is displayed in XG as Primary Group and is used by the GUI etc. 

    But XG "knows" all groups which are created in XG itself (imported).

    So basically, if you have a user (called Bob) in two groups (Admin & User): 

    First match will match the Primary Group in the Group tab. 1. Admin 2. User.

    Bob will be shown as an Admin in XG.

    If you create a firewall policy (first match) with the User group in it, it will match Bob as well. 

    Unfortunately, there is a bug in XG right now in Policy Tester. Policy Tester will only show the matching group (Primary Group), while XG will use the "real" group. 

    You can easily test this with the example above. 

    But do not forget, this will get "REALLY" messy afterwards if you set up a complex ruleset with multiple groups.

    Even nested groups work, if you create them. 

  • OK, then I have to look further for the reason VPN access firewall rules based on AD user groups are not working. In XG you don't see the members of an AD group. Log viewer also does not give me the destination IP and reason for blocking.

    Everything works with a general VPN rule allowing LAN and any services and all AD groups thrown together.

    However, when having three separate, more specific firewall rules for:

    1 = allow RDP, Outlook - specific hosts - VPN users,

    2 = allow 1 + SharePoint, Fileserver, ERP - specific hosts - VPN Power users

    3 = allow 1 + 2 + server access for VPN administrators,

    then I can't reach the RDP host anymore for RDP. Log viewer does not give the destination IP or my user as being blocked.

    I can ping the host but it won't work. Log viewer does not tell me anything I need. It will work again when I enable the general allow all destination on LAN and any services again.

    Fred

  • Keep in mind, Policy Tester does not use the backend group system. So basically, if you have such a setup, it does not display the correct / true value. 

    Another point is, you have to use first match in the firewall rule set.

    So the basic setup is, XG searches for Source IP, Destination IP and Service. You can replace Source IP with a User. That is the authentication daemon. 

    Did you import all VPN groups? 

    You have to regroup the firewall rules, from most specific to less specific. 
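The first-match evaluation and the Policy Tester difference described in this answer and the earlier one, as an added Python model (not Sophos code, not from either poster); the user, groups, services and host names are constructed, and the "shadowed rule" check is an assumption about what ordering from most to least specific buys you.

```python
# Added example (not Sophos code): a model of the first-match evaluation and the
# Policy Tester behaviour described in the thread. Group, host and service names
# are constructed for illustration.
from dataclasses import dataclass


@dataclass
class User:
    name: str
    groups: list  # all imported AD groups; the first one is the Primary Group

    @property
    def primary_group(self):
        return self.groups[0]


@dataclass
class Rule:
    name: str
    groups: frozenset
    services: frozenset
    destinations: frozenset

    def matches(self, groups, service, dest):
        return bool(self.groups & groups) and service in self.services and dest in self.destinations


def first_match(rules, user, service, dest, primary_only=False):
    """Name of the first matching rule, or None.
    primary_only=True mimics the Policy Tester, which (per the thread) only
    considers the displayed Primary Group; the firewall itself uses all groups."""
    groups = {user.primary_group} if primary_only else set(user.groups)
    for rule in rules:
        if rule.matches(groups, service, dest):
            return rule.name
    return None


def shadowed_rules(rules):
    """Rules that can never be hit because earlier rules already cover every
    (group, service, destination) they allow; most-specific-first ordering avoids this."""
    shadowed = []
    for i, rule in enumerate(rules):
        combos = {(g, s, d) for g in rule.groups for s in rule.services for d in rule.destinations}
        if all(any(e.matches({g}, s, d) for e in rules[:i]) for g, s, d in combos):
            shadowed.append(rule.name)
    return shadowed


# Constructed data: Bob is in two groups, Admin listed first (his Primary Group).
BOB = User("Bob", ["Admin", "User"])
RULES = [
    Rule("rdp-for-users", frozenset({"User"}), frozenset({"RDP"}), frozenset({"rdp-host"})),
    Rule("all-lan-for-admins", frozenset({"Admin", "User"}), frozenset({"RDP", "SMB"}),
         frozenset({"rdp-host", "fileserver"})),
]
```

With the constructed rules, the firewall matches Bob's RDP session on the narrow User rule while the Policy Tester model reports the broad Admin rule; reversing the order makes the narrow rule unreachable, which is what the ordering advice above prevents.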

     
