- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- How to block MAC Adress
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to block MAC Adress
Hi all,
I've got a problem.
I want to block mac adress of PC in LAN network.
On Fortigate 100E isn't DHCP server.
Forti OS 5.6.4
I created a device with specific mac adress.
I added this device to a device group (blocked macs) , and finally i used this group in IP v4 policy :
[ul]But this not work.
Any ideas ?
THX
Solved! Go to Solution.
2 Solutions
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You stated the FortiGate is not the DHCP server, but is it the default gateway for the subnet where the host you want to block resides? If there is any other L3 device between the FortiGate and the blocked host, it simply cannot be done.
What you described cannot be done if: BAD_GUY <--> SOME_ROUTER <--> FGT <--> WAN
What you described should work if: BAD_GUY <--> FGT <--> WAN
However, even in the latter scenario, it will only prevent Internet-bound traffic. It won't truly block the device...i.e. it wouldn't prevent internal traffic.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Regi.
Firewall policies are executed from top-to-bottom - have you placed the block device rule somewhere near the top of the firewall list?
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0
(FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You stated the FortiGate is not the DHCP server, but is it the default gateway for the subnet where the host you want to block resides? If there is any other L3 device between the FortiGate and the blocked host, it simply cannot be done.
What you described cannot be done if: BAD_GUY <--> SOME_ROUTER <--> FGT <--> WAN
What you described should work if: BAD_GUY <--> FGT <--> WAN
However, even in the latter scenario, it will only prevent Internet-bound traffic. It won't truly block the device...i.e. it wouldn't prevent internal traffic.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Regi.
Firewall policies are executed from top-to-bottom - have you placed the block device rule somewhere near the top of the firewall list?
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0
(FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Dave,
Yes, the policy is near top of the tree.
But I think the problem , in this case , is the router beetween BGUY and FGT , how wrote lobstercreed.
Any ideas : how, in this scenario (BGUY - ROUTER - FGT - WAN) , block this guy from any traffic internet and internal?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi lobstercreed ,
Thank you for your answer.
I think you are right.
So, have you maybe any ideas, how to block BGUY in this scenario (BAD_GUY <--> SOME_ROUTER <--> FGT <--> WAN) from any traffic (internal, internet) ?
Regards
Regi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Regi,
Unfortunately what you're asking is absolutely not possible to do with the FortiGate using your current topology. This goes back to the fundamentals of network design...I'd recommend refreshing yourself on how Layer 2 (switching) and Layer 3 (routing) devices work.
However, here are some things you CAN do, depending on what else you have in your environment. I'll try to order them from easiest to hardest:
1) Assuming you're running DHCP, make sure that your DHCP server hands the bad guy a specific IP address on each subnet he could connect to. Create address objects in the firewall for those addresses, and use them in your deny policy. This cannot block internal traffic, and the bad guy can get around it by using a different, static IP address, but it could be somewhat effective.
2) Assuming you're using managed switches, use a Layer 2 ACL to block the mac address on all ports. This will vary significantly from vendor to vendor, but most have at least some way to do this. This is really the only way to truly block the bad guy both internally and on the internet. This would really have nothing to do with the FortiGate (unless you're using FortiSwitches also).
3) Change your topology so that the FortiGate IS the default gateway for the subnet(s) where the bad guy may be. This has serious ramifications for your network, especially as it regards how much capacity your FortiGate can handle vs how much inter-VLAN bandwidth you need. If you have sufficient capacity though, this can get you much closer to what you want. We use this design at the school I work at.
However, depending on physical topology again, you may only succeed in blocking the bad guy from accessing the Internet (and/or other parts of your network). Per the principles of layer 2 forwarding, he would still be able to talk to other hosts on the same VLAN through whatever switches you're using unless you're doing additional port security on managed switches like I mentioned in option 2.
I hope that helps. Just remember the MAC address is not visible on the other side of a subnet boundary (i.e. router/default gateway). https://www.quora.com/How-does-the-router-know-the-destination-Mac-address
- Daniel Hamilton
Related Posts
- CLI Script delete Groupmembers 76 Views
- GeoIP Block Not working 163 Views
- Simple explanation enabling the LOGGING of... 184 Views
- IPSec client is blocked by implicit... 400 Views
- Block inside attacks 250 Views
Labels
-
FortiGate
6,511 -
FortiClient
1,300 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiAP
333 -
FortiSwitch
332 -
FortiClient EMS
262 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiGateCloud
87 -
FortiSIEM
87 -
FortiCloud Products
83 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
58 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
FortiConnect
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
FortiAuthenticator
11 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.