Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

New to FG-90D; Assigning specific IP/IP Group to access certain sites



Dear support,

Using FG-90D, how do i assign either specific IP or Group-of IPs  having access to facebook?

Please help.

Thank you.





and welcome to the forums.


The forums are a self-help platform from users and partners, run in their spare time, for exchange of experience and practices. If you expect the Fortinet support to help you, this is not the right place. With a valid support contract FTNT is obliged to assist you. Open a ticket at .


Anyhow, we would like to give you hints but I would ask you to supply more information. What are you planning to achieve? Are you talking about source addresses, destination addresses, NAT, ...? How is the application FB related to the problem?

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!


Dear Ede,

a) Overall security policy blocks all social-sites.

b) for specific business need, i need certain user/users to have access to FB site.

Ques: How do i do that in FG-90D as i wish to have a Group setting and no need to add policy an IP at a time.

     if there is a better way, hope you can advice.

Thank you.


Let's assume your FGT is running FOS v5.2 or v5.4 - please specify.


Use a policy with authentication! If you create a regular security policy, with source and destination addresses, service etc. from 'internal' to 'wan' then just add a (already configured) user group to 'source address'. Now, users have to first authenticate against the FGT and are then allowed to send traffic across that policy.

If the number of users is small, say up to 20 users, you can create local user accounts on the FGT. Or create remote authentication via MSAD/LDAP.

If you don't like that idea you could authenticate via the device ID. For that, device detection has to be enabled on the 'internal' interface. The disadvantage of this is that permission is tied to hardware, not knowledge.


You find all of this, concepts and examples, in the 'FortiOS Handbook' for your version, from Read into it to get inspired how these scenarios are handled with a FGT.

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!

I'm not a sales person from FTNT but to identify all social-sites, which might keep changing, you need to have Fortiguard Web filtering service as mentioned in the cookbook.


New Contributor III

You could also do a combination of a web filtering profile + Application Sensor (and CASI depending on which FortiOS version you are running) to allow access to Social Networking as a category and restrict access to specific social network sites via the Application sensor and CASI profile. I've even used these to restrict access to specific features within the social networking to make them read only (i.e. block posting, chat, and file upload).


Hope that helps


Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors