All other users/groups should be set to “bugger off”, but this is no option here. I have to select a portal which then might or might not be available to “all other users”.
Can someone shine some light on this for me please?
The wording isn’t the best but it means all users not defined above, that is not explicitly mapped to a specific portal if you use multiple. The only users / groups which may authenticate to your VPN are those included in the policies. This setting does not trump that.
This has already been answered, so just a small addition.
CLI has a much better name for the option: “default-portal”.
I usually create an ssl portal that has neither tunnel nor web mode enabled and call it dead zone then assign that to the all other users.
To avoid mistakes I create a new portal named “no-access” and de-select tunnel and web mode. Makes sure no invalid user accidentally gets easy access.
Ah okay, great. Thanks for the explanation, very clear now!
Interesting to have such different naming, but this name would not have helped me understand what it is about. default-portal-for-policy-users would, but I see why this name was not chosen. CLI parameters have to be short, like config-error-log-read!
I used to do that because of the scary wording. But it was not possible to create a portal with neither web nor tunnel, at least in some OS versions. Knowing how this actually works helps to avoid doing this.
I do something similar but call it “client-download” and the only access it has is to download the FortiClient.
I just point it to a portal that doesn’t have anything configured. Just to be sure nobody can access it “accidentally”.
And why not having a little help icon describing it so that people understand?
And by that I do NOT mean “This setting lets you set the portal for all other users/groups”
I guess I’ll have some Configs in the future that only feature the default mapping…
lol for describing Fortinet standard documentation
I think the most important piece of information that often eludes people is that access to SSL-VPN login is primarily controlled by which users/groups you include in SSL-VPN firewall policies. If that were declared someplace visible in the SSL-VPN page, that would probably help with understanding the “all others” option.
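
A way to check the fallback mapping discussed in this thread against a FortiGate config backup, as an added example that is not from any poster or from Fortinet: it finds the `default-portal` and reports whether that portal still has tunnel or web mode enabled. The sample config, the portal and group names, and the function names are constructed; a mode missing from the backup is assumed to be not enabled.

```python
import shlex

# Constructed sample backup (assumption: names are illustrative, not from the thread).
SAMPLE = '''\
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set web-mode enable
    next
    edit "no-access"
        set tunnel-mode disable
        set web-mode disable
    next
end
config vpn ssl settings
    set default-portal "full-access"
    config authentication-rule
        edit 1
            set groups "vpn-users"
            set portal "full-access"
        next
    end
end
'''

def parse(text):
    """Flatten config/edit nesting into {path tuple: {key: value}}."""
    stack, out = [], {}
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))   # e.g. "vpn ssl settings"
        elif tok[0] == "edit":
            stack.append(tok[1])              # table entry name or id
        elif tok[0] in ("next", "end"):
            stack.pop()                       # leave the edit / config block
        elif tok[0] == "set":
            out.setdefault(tuple(stack), {})[tok[1]] = " ".join(tok[2:])
    return out

def audit_default_portal(text):
    """Return (default portal name, modes explicitly enabled on that portal)."""
    cfg = parse(text)
    name = cfg.get(("vpn ssl settings",), {}).get("default-portal")
    portal = cfg.get(("vpn ssl web portal", name), {})
    # Assumption: a mode that is absent from the backup is treated as not enabled.
    enabled = [m for m in ("tunnel-mode", "web-mode") if portal.get(m) == "enable"]
    return name, enabled
```

An empty list means the fallback portal offers neither mode, matching the “no-access” approach described above; which users can log in at all is still decided by the groups in the SSL-VPN firewall policies.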