Troubleshooting Group Policies

Troubleshooting steps

After each step, verify whether the policy applies correctly before continuing.

1. Disconnect and reconnect the client to the network. A policy does not apply until the device connects to the network.
2. Navigate to Monitor > Clients and check the Access column to confirm whether the policy is being applied.
   • If the Access column is not visible, select the plus icon to enable it. If the policy is not listed for the client, verify that the client meets the criteria required for the policy to apply.
3. Confirm that a higher-priority policy is not overriding the desired policy. Refer to the Troubleshooting Group policy Priority Conflicts section on this page for more information.
4. If the non-functioning portion of the policy is a content filtering or Layer 7 firewall rule, confirm that the client is not using HTTPS or a proxy. HTTPS or proxy usage can prevent content filtering from working properly.
5. Review the policy to determine whether Blocked Website Categories is set to Override with no categories defined. This setting enforces the network default categories configured under Configure > Content Filtering.
6. If possible, delete the policy and verify whether client behavior changes.
   • Recreate the policy and repeat the previous steps.
7. Create a limited test policy, for example, one that blocks a single website and manually apply the test policy to the client to verify whether any policies work.

If the issue persists, refer to documentation for the affected feature.

Layer 3 firewall rules configured in a group policy are stateless. Configure corresponding rules for return traffic as needed.

Troubleshooting steps

Group policies are applied in the following order, from highest to lowest priority:

1. Manually applied client policies: Policies manually assigned to a specific client on the client details page take the highest priority. This includes allow listing and blocking default rules.
2. Network-wide automatic policies: Policies applied automatically by device type, VLAN, SSID, or similar criteria override network default settings. Manually applied client policies override network-wide automatic policies.
3. Network default settings: Any policy applied to the client overrides network default settings.

For example, a network has a bandwidth limit of 500 Kb/s. A Group policy for iOS devices limits bandwidth to 250 Kb/s. As a result, all iPhones connecting to the network are capped at 250 Kb/s.

A second Group policy with an unlimited bandwidth setting is manually applied to a specific user's iPhone. Because manually assigned policies have the highest priority, the user's iPhone has no bandwidth limit.

If two policies apply to the same client but do not conflict, for example, policy A affects only bandwidth and policy B affects only content filtering, both policies apply without issue.

If you use Active Directory to map groups to policies, only the first matching policy applies to the user.

Troubleshooting steps

Refer to the following articles for full instructions on how to block and allow list devices:

• Block Listing and Allow Listing Clients
• Creating and Applying Group policies

Troubleshooting steps

A client-specific Group policy overrides settings applied by a network-wide policy. Refer to the Troubleshooting group policy priority conflicts section on this page for more information.

To restore default network settings for a client affected by a network-wide Group policy:

1. Create a generic Group policy that uses network default settings for all options.
2. Following the instructions in Applying to a device manually, manually assign the client to the new generic policy.

The manually assigned policy overrides the network-wide policy and restores default network settings for the client.