Forum Discussion
Priority Handling in GSA Client Forwarding Profile Rules
Hello,
I would like to provide feedback and propose a functional improvement regarding priority control for forwarding rules in Global Secure Access (GSA).
In our environment, we are using Microsoft Entra Private Access with a combination of CIDR-based rules and FQDN-based rules.
We understand that it is not possible to create Enterprise Applications with overlapping IP address ranges. Based on this limitation, our current operational model is as follows:
- Administrators create Enterprise Applications using CIDR ranges that broadly cover entire datacenter networks.
- Access for application owners to specific servers and ports is defined using FQDN-based rules.
With this type of configuration, when reviewing the list of rules shown in the GSA Client → Forwarding Profile → Rules tab, we can see that each rule is assigned a Priority, and the rules appear to be evaluated sequentially from top to bottom.
From this behavior, it is clear that:
- DNS rules are evaluated first
- Enterprise Application rules are evaluated next
- Quick Access rules are evaluated last
However, between CIDR-based Enterprise Application rules and FQDN-based Enterprise Application rules, there does not appear to be a clear or explicit priority model. Instead, the position — and therefore the evaluation order — seems to depend on the order in which the Enterprise Applications were created.
As a result, even when we intend to apply a more specific FQDN-based rule for a particular host, the broader CIDR-based administrative rule may be evaluated first. In such cases, access can be unintentionally blocked, preventing us from achieving the intended access control behavior.
After understanding this mechanism, we have been working around the issue by carefully controlling the creation order of Enterprise Applications — creating host-specific FQDN-based applications first, followed by broader CIDR-based rules. While this approach avoids the issue, it significantly increases administrative complexity and makes long-term management more difficult.
Based on this experience, we would strongly appreciate enhancements such as:
- The ability to manually control rule evaluation order in the UI, or
- More intelligent and predictable automatic prioritization between FQDN-based and CIDR-based rules
Such improvements would greatly enhance usability, predictability, and maintainability of GSA forwarding rule configurations.
Thank you for considering this feedback.
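To make the ordering problem described above concrete, here is an added example (not from the original post and not Microsoft's actual evaluation code) that models a forwarding profile as a first-match list, shows how an earlier CIDR-based Enterprise Application rule shadows a later, more specific FQDN rule, and audits a rule list for such shadowing. The rule names, CIDR, FQDN and DNS answer are constructed sample values, and the simplified model assumes an FQDN rule is shadowed when its resolved address falls inside an earlier CIDR rule.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    priority: int   # lower value is evaluated first (top of the Rules tab)
    kind: str       # "cidr" or "fqdn"
    match: str      # CIDR range or fully qualified host name
    app: str        # Enterprise Application the rule belongs to

# Constructed sample: a broad admin CIDR created before a host-specific FQDN rule.
RULES = [
    Rule(100, "cidr", "10.10.0.0/16", "DC-Admin"),
    Rule(200, "fqdn", "app01.corp.example", "App01-Owners"),
]
# Constructed DNS answers used to compare FQDN rules against CIDR rules.
DNS = {"app01.corp.example": "10.10.5.20"}

def first_match(rules, host, dns=DNS):
    """Return the app of the first rule matching host, top to bottom, or None."""
    ip = ip_address(dns[host]) if host in dns else None
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.kind == "fqdn" and rule.match.lower() == host.lower():
            return rule.app
        if rule.kind == "cidr" and ip is not None and ip in ip_network(rule.match):
            return rule.app
    return None

def shadowed_fqdn_rules(rules, dns=DNS):
    """List (fqdn_rule, cidr_rule) pairs where an earlier CIDR rule covers the FQDN's address."""
    ordered = sorted(rules, key=lambda r: r.priority)
    found = []
    for i, fq in enumerate(ordered):
        if fq.kind != "fqdn" or fq.match not in dns:
            continue
        ip = ip_address(dns[fq.match])
        for earlier in ordered[:i]:
            if earlier.kind == "cidr" and ip in ip_network(earlier.match):
                found.append((fq, earlier))
    return found

def reorder_specific_first(rules):
    """Re-assign priorities so FQDN rules precede CIDR rules (the post's workaround)."""
    ordered = sorted(rules, key=lambda r: (r.kind != "fqdn", r.priority))
    return [Rule((i + 1) * 100, r.kind, r.match, r.app) for i, r in enumerate(ordered)]
```

Running `shadowed_fqdn_rules` against an exported rule list is a quick way to spot FQDN applications that will never be reached before a broader CIDR application is changed or re-created.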