CGoodwin
New Contributor

FortiGate 90E and Webfiltering using FSSO not working

Hello All,

I am having an issue with a FortiGate 90E I am setting up with web filtering policies based on users' AD groups. The groups are made on the FortiGate, set to FSSO and referencing Active Directory user groups.

There are 4 policies for LAN to WAN1.

Policy 1 in the sequence is LAN to WAN1 with a user group for blocked users and a webfilter set to block all with a number of exceptions.

Policy 2 is a restricted setup with an FSSO user group for restricted users and a webfilter.

Policy 3 is a full internet access FSSO group and web filter.

Policy 4 is a catch-all for unauthenticated devices or users not in the above groups.

At the moment there are no users in the groups, so they should be filtering down to the catch-all policy. However, when the policies are turned on, all traffic hits policy 1 regardless of the security group of the domain user.

FSSO collector is installed on the DC and working.

LDAP is working on both the collector and the FortiGate and reading all user groups the users have access to.

The users get a GPO that turns on Remote Registry, Windows Firewall allowances, a cert for the firewall for SSL inspection, and Interactive logon to reauth on the domain at unlocks of the workstations.

This is working on two other sites of this company, but they are both D models (a 90, 90 cluster Edge and 300D Core cluster). But on this new 90E all traffic hits the first policy regardless of groups. If I move the policy order around, again traffic uses the first policy in the sequence, whichever one that might be.

FCNSA, FCNSP (NSE4), NSE5
