Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

Using a Device Detection for inbound firewall policy



I wanted to configure selected devices to access the webapplication hosted on my public IP. 


Currently my Incoming rule from WAN - LAN is Source Address - ALL Destination Address - VIP - Service - ALL


I would like to restrict the source from all to selective devices. Is is possible to create a device group and add that group to source address and the same if configured will work as such?

Contributor II

Obviously you're talking about device identification via registered FortiClient, is that correct?

If you will use agent-based detection sure, it will work.

If you will use agentless detection it won't because if you don't have Layer2 visibility of the devices you cannot discriminate them since you will see the MAC Address of the last Layer3 device.


No its not using forticlient. A firewall rule from WAN - LAN to use Device in the source instead of source IP.


Like Alby23 mentionned, you are able to detect devices as long as you have layer2 connectivity to them. It uses mac vendor ID to determine device type. You can't detect devices on the WAN interface, because of the routers between you and them. Your Fortigate cannot know their MAC adresses.

Top Kudoed Authors