Thanks for the response, Dave. Seems I can't hotlink images from my Google Drive, so I'll just share the link/album.
So I'm sure I don't need to explain the pics to you lol, but just so you can better understand: we're migrating from an old Juniper firewall to the 300E. While on the Juniper we managed access to the internet/sites by issuing static IPs to the workstations. The plan was to do away with the static IPs once we moved to the 300E, as I previously did successfully using custom device groups on our 80Es.
So to give users internet access during the migration I simply created the "Juniper Level 1" policy, in which the source group is a range of IPs (labelled "Juniper 93-94") which provided internet access on the Juniper. Great, all users who had internet before still have internet.
Part two of the plan was that, as we removed the static IPs from workstations, we would simultaneously create a "custom device" for the workstation and add it to the "custom device group", in this case "level 1", and they would then simply match/come over to the top policy "level 1".
But every time I had a custom group or device, the policy was simply bypassed. If I removed the custom group/device, it matched, as you can see from the traffic...
So I figured it out. I'm by no means a FortiGate expert, so I'm sure most people know this, but it turns out the problem was that the workstations and the FortiGate need to communicate with each other directly. Our workstations have a static IP/gateway pointing at an old device, and we had simply created another route from that device to the FortiGate. But the clients need to have the proper FortiGate gateway applied for the FortiGate to do its stuff. Thanks for the assistance :)
post edited by gigakun - 2019/11/06 14:12:22