I want to apply a UTM profile to only some of my users. So I want to create two groups of addresses: one for the users on whom the UTM profile is applied, and the other group for users that don't have any restriction. My question is: is it possible with the FortiGate 60D to create a group (source addresses) that contains arbitrary addresses, I mean not in a range? Because I don't want to make a policy for each address.
For example: 192.168.10.20, 192.168.10.100 and 192.168.10.200 are not allowed to visit all websites, while 192.168.10.10, 192.168.10.99 and 192.168.10.101 are?
Yes, of course, with Forti you can do whatever you want except coffee cooking :)
Create a host object for each entry based on a /32, which means one address, and move all these entries into an address group. With this group you create a policy. All of this can be done in the GUI. On the CLI this means:
config firewall address
    edit [name of the object]
        set subnet [IPv4 address]/32    # a /32 mask means exactly one host, e.g. 192.168.1.1/32
    next
end
config firewall addrgrp
    edit [name of the group]
        set member [name of the object under "config firewall address"] [name of the next object] [next one] etc.
    next
end
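Putting the above together with the addresses from the question, as an added example that is not the poster's own configuration: three /32 host objects, one address group, and two LAN-to-WAN policies, one with UTM enabled for the group and one without for everyone else. The interface names (internal, wan1), the web filter profile name and the built-in certificate-inspection SSL profile are assumptions; adjust them to your unit.

```fortios
# Constructed example for a FortiGate 60D. Interface and profile names are assumed.
config firewall address
    edit "host-192.168.10.20"
        set subnet 192.168.10.20/32
    next
    edit "host-192.168.10.100"
        set subnet 192.168.10.100/32
    next
    edit "host-192.168.10.200"
        set subnet 192.168.10.200/32
    next
end
config firewall addrgrp
    edit "grp-restricted"
        set member "host-192.168.10.20" "host-192.168.10.100" "host-192.168.10.200"
    next
end
config firewall policy
    # Policy for the restricted hosts: UTM (web filter) applied
    edit 0
        set name "restricted-web"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "grp-restricted"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "restricted-web"   # assumed profile name
        set nat enable
    next
    # Policy for every other LAN host: no UTM profile
    edit 0
        set name "lan-unrestricted"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Policies are matched top-down, so the "restricted-web" policy must sit above "lan-unrestricted"; if it does not, reorder it with `move <id> before <id>` inside `config firewall policy`.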
Yes, it's possible to use host-specific firewall entries with a /32 mask, but that means you have to set static addresses on your devices (or reserve them in DHCP). The strength of Fortinet is its user/device authentication, so go device-based or use FSSO, and then any user can log into any device.