Hello Fortinet Community,
I’m working with a FortiGate 100F running FortiOS 7.4.7 (build 2731), and I need to apply specific firewall policies to a subset of internal devices—let’s say a group of VIPs or devices from a specific department like Marketing.
In previous FortiOS versions, we used the “Devices and Groups” feature to group hosts based on IP, MAC, or other identifiers, and then target those groups within policy rules.
I’ve now learned that this feature was removed as of FortiOS 7.0.1, as referenced in this article: Technical Tip - Devices and Groups feature removed
Since that functionality is no longer available, my question is: What is the recommended approach now in FortiOS 7.4.x to dynamically group devices and apply policies?
I would prefer something that does not depend on user-based groups, as my use case is based on endpoint behavior or device identity, not user authentication (e.g., AD or RADIUS).
Any guidance or updated best practices would be really helpful.
Thanks in advance,
Aarón
Hi Aaron
I didn't work with the old "Devices and Groups" feature, but if I understand your requirement well, I think the best, most secure and modern way to manage groups of users/devices is NAC (like FortiNAC).
But in case you already have a sufficient Fortinet stack (FortiGate, FortiSwitch, FortiAP & FortiClient EMS) then you already have a NAC solution with these products.
Both NAC solutions will allow you to manage users/devices at Layer 2.
However, if you have only a FortiGate, then you can still manage devices at Layer 3 by using address groups (IP or MAC); you can then use those address groups in your firewall rules. However, this method is less secure, since anyone can impersonate a device just by changing their own device's IP or MAC address.
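The address-group approach above, written out as FortiOS 7.x CLI. This is an added illustration, not a config posted by AEK or taken from Fortinet documentation; the object names, interface names ("internal", "wan1") and the MAC addresses are placeholders, and the policy deliberately has no UTM profiles attached, matching the "VIP without protections" use case from the original question.

```fortios
# Added example: group devices by MAC address object, then reference
# the group in a policy. Names and MACs below are placeholders.
config firewall address
    edit "VIP-Aaron-Laptop"
        set type mac
        set macaddr "00:11:22:33:44:55"
    next
    edit "VIP-Aaron-Phone"
        set type mac
        set macaddr "00:11:22:33:44:66"
    next
    edit "VIP-Aaron-iPad"
        set type mac
        set macaddr "00:11:22:33:44:77"
    next
end

config firewall addrgrp
    edit "VIP-Devices"
        set member "VIP-Aaron-Laptop" "VIP-Aaron-Phone" "VIP-Aaron-iPad"
    next
end

# Place this policy ABOVE the general user policy so the VIP match wins.
config firewall policy
    edit 0
        set name "VIP-Unrestricted"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "VIP-Devices"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Two practical checks after applying it: confirm the members with `show firewall addrgrp VIP-Devices`, and remember that a MAC address object can only match traffic whose source MAC the FortiGate actually sees, i.e. devices on a directly attached segment (or via a FortiSwitch/FortiAP in the Fabric); traffic that arrives through another router carries that router's MAC and will not match. As AEK notes, a MAC match is an identifier, not an authentication, so a policy with no protections keyed on it should be limited to a segment where spoofing is acceptable risk.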
Hi AEK,
Thanks a lot for your advice — I really appreciate it. What I was looking for, though, was something simpler. In the past, there used to be a very versatile feature that allowed me to easily group a phone, a laptop, and an iPad together and grant them VIP access to the network (meaning, without restrictions or protections).
Back then, I didn’t need to bind MAC addresses or create specific IPs. I could just select the devices and group them — that was it. I’m trying to find something similar in the current version.
Best regards,
Aarón
Hi,
One approach you might consider is using a captive portal solution that assigns devices to user groups based on login credentials. While the native “Devices and Groups” feature was removed in FortiOS 7.0.1, you can still achieve dynamic policy assignment by leveraging user identity via captive portal authentication.
You can define specific user profiles (such as VIPs or departments like Marketing). When users connect to the network, they are redirected to a captive portal where they authenticate. Based on their credentials, they are associated with a user group, and you can then apply firewall policies accordingly in FortiGate.
It works well when you want policy decisions based on device or user context without deep backend dependencies: https://help.cloudi-fi.com/hc/en-us/articles/28936913311261
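For comparison with the external captive portal suggested above, here is the same idea using the FortiGate's own captive portal and local user groups. This is an added example, not part of the reply or of the linked Cloudi-fi article; the user name, password, group name and interface names are placeholders, and an external IdP or RADIUS server could replace the local user without changing the policy side.

```fortios
# Added example: identity-based policy with the native FortiGate
# captive portal. All names below are placeholders.
config user local
    edit "marketing-user1"
        set type password
        set passwd "ChangeMe-Example-Only"
    next
end

config user group
    edit "Marketing"
        set member "marketing-user1"
    next
end

# Enable the captive portal on the LAN interface and restrict
# authentication to the groups that are allowed to log in there.
config system interface
    edit "internal"
        set security-mode captive-portal
        set security-groups "Marketing"
    next
end

# The policy matches on the authenticated group, not on IP or MAC.
config firewall policy
    edit 0
        set name "Marketing-Access"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "Marketing"
        set nat enable
    next
end
```

The trade-off the original poster raised still applies: each device has to log in (once per authentication timeout), so this binds policy to a credential rather than to the device itself, which is stronger against MAC/IP spoofing but is exactly the user-based dependency they wanted to avoid. Unauthenticated hosts on that interface get the portal instead of the policy, so keep a separate policy (or an exempt list on the interface) for devices that cannot complete a browser login, such as printers.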
Hi, thanks for sharing this approach. I’ll definitely test it out and see how it impacts the user experience during network connections. I’ll run some tests on my end and let you know how it goes. Thanks again for the idea!
Copyright 2025 Fortinet, Inc. All Rights Reserved.