New Contributor

different source address

Hello everybody, 

I want to apply a UTM profile not to all my users. So I want to create two groups of addresses: one for the users on whom the UTM profile is applied, and the other group is for users that haven't any restriction. My question is: is it possible with the FortiGate 60D to create a group (source addresses) that contains random addresses, I mean not in a range? Because I don't want to make a policy for each address.

for example :,, are not allowed to visit all websites while, and do?  

thank you

Contributor III



Yes of course, with forti you can do whatever you want except coffee cooking :)


Create for each entry a host object based on a /32, which means 1 address, and all these entries you can move to an address group. With this group you create a policy. All can be done over the GUI. Over the CLI this means:


config firewall address
    edit [name of the object]
        set subnet [IPv4 address like for one address this means
    next
end



config firewall addrgrp
    edit [name of the group]
        set member [Name of the object under "config firewall address"] [Name of the next object] [next one] etc.
    next
end



That's it....


have fun
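The steps in the answer above, carried through to the policy, as an added example that is not part of the original post. It assumes FortiOS 5.x on the 60D, the default interface names "internal" and "wan1", and the built-in "default" web filter profile; the object names and addresses are constructed for illustration, and the # lines are annotations for the reader, not commands.

```fortios
# Constructed sample hosts: three non-contiguous /32 addresses
config firewall address
    edit "restricted-pc-1"
        set subnet 192.168.1.10 255.255.255.255
    next
    edit "restricted-pc-2"
        set subnet 192.168.1.23 255.255.255.255
    next
    edit "restricted-pc-3"
        set subnet 192.168.1.57 255.255.255.255
    next
end

# One group holding all restricted hosts
config firewall addrgrp
    edit "restricted-users"
        set member "restricted-pc-1" "restricted-pc-2" "restricted-pc-3"
    next
end

# Single policy for the whole group, with the UTM (web filter) profile attached
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "restricted-users"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set webfilter-profile "default"
        set nat enable
    next
end
```

Policies are evaluated top-down and the first match wins, so this policy has to sit above any broader internal-to-wan1 policy (for example one with source "all" and no UTM profile); otherwise the restricted hosts match the broader policy and bypass the profile.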






You may also want to try Device Type (MAC ID), you can create device definitions and device groups under User&Device --> Device.

New Contributor II



Yes, it's possible to use host-specific firewall entries with a /32 mask, but that means you have to set static addresses on your devices (or reserve in DHCP).  The strength of Fortinet is its user/device authentication, so go device or use FSSO and then any user can log into any device.
