mylouch
New Contributor

different source address

Hello everybody, 

I want to apply a UTM profile to only some of my users. So I want to create two groups of addresses: one for the users to whom the UTM profile is applied, and the other for users who don't have any restriction. My question is: is it possible on the FortiGate 60D to create a group (of source addresses) that contains arbitrary addresses, i.e. not in a range? Because I don't want to make a policy for each address.

For example: 192.168.10.20, 192.168.10.100 and 192.168.10.200 are not allowed to visit all websites, while 192.168.10.10, 192.168.10.99 and 192.168.10.101 are?

Thank you

AndreaSoliva
Contributor III

Hi

Yes, of course, with Forti you can do whatever you want except coffee cooking :)

Create a host object for each entry based on a /32, which means one address, and move all these entries into an address group. With this group you create a policy. All of this can be done in the GUI. In the CLI this means:


config firewall address
    edit [name of the object]
        set subnet [IPv4 address; for one address this means 192.168.1.1/32]
    next
end

config firewall addrgrp
    edit [name of the group]
        set member [name of the object under "config firewall address"] [name of the next object] [next one] etc.
    next
end


That's it....

Have fun

Andrea
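The complete configuration that the steps above describe, written out for the addresses from the question, as an added example that is not part of the original post: three /32 address objects, the address group, and two firewall policies, one with UTM profiles for the group and a catch-all without them. The interface names `internal` and `wan1`, the object and policy names, policy IDs 10 and 11, and the profile names `default` and `certificate-inspection` are assumptions for the example (they match the FortiOS 5.x defaults a 60D ships with, but should be checked against the running configuration).

```fortios
# Added example (not from the original thread). Assumes FortiOS 5.x on a
# FortiGate 60D with LAN interface "internal" and WAN interface "wan1".
config firewall address
    edit "pc-192.168.10.20"
        set subnet 192.168.10.20 255.255.255.255
    next
    edit "pc-192.168.10.100"
        set subnet 192.168.10.100 255.255.255.255
    next
    edit "pc-192.168.10.200"
        set subnet 192.168.10.200 255.255.255.255
    next
end

# One group holding the hosts that get the UTM profile.
config firewall addrgrp
    edit "grp-filtered-users"
        set member "pc-192.168.10.20" "pc-192.168.10.100" "pc-192.168.10.200"
    next
end

config firewall policy
    # Policy 10: only the group members; UTM (web filter) applied.
    edit 10
        set name "lan-to-wan-filtered"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "grp-filtered-users"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set webfilter-profile "default"
        set profile-protocol-options "default"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
        set nat enable
    next
    # Policy 11: everyone else (192.168.10.10, .99, .101, ...), no UTM.
    edit 11
        set name "lan-to-wan-unfiltered"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
    # Policies are matched top down and the first match wins, so the
    # group-specific policy must sit above the catch-all.
    move 10 before 11
end
```

The `move 10 before 11` line is the check that matters: if the catch-all policy is evaluated first, the three restricted hosts match it (they are part of `all`) and the web filter never applies. Verify the order with `show firewall policy` after committing, and add further hosts later by extending `set member` on the group rather than touching the policy.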


Bromont_FTNT
Staff


You may also want to try Device Type (MAC ID), you can create device definitions and device groups under User&Device --> Device.

obfuscated
New Contributor II

Yes, it's possible to use host-specific firewall entries with a /32 mask, but that means you have to set static addresses on your devices (or reserve them in DHCP). The strength of Fortinet is its user/device authentication, so go device-based or use FSSO, and then any user can log into any device.