Re: Blocking MAC addresses on a non-wireless network
Yes, I was assuming you already had a policy allowing traffic from this LAN to the Internet since you said users can statically assign IPs and get out. You need to *add* the device group to this policy. This should work even if you're using the "all" address object, but best practice would be to have a custom address object for that subnet used in the policy.
Does that make sense? It's AND logic. Does your source address match this address object? If no, this policy is not a match (even if your device is in the device group). If yes, does your device (i.e. MAC address) also match this device group? If no, this policy is not a match.
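The AND matching described in the reply above, modeled as an added example (not part of the original post and not any vendor's configuration syntax). The subnet, MAC addresses and policy names are constructed, and first-match evaluation ending in an implicit deny is an assumption about the firewall.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

def normalize_mac(mac: str) -> str:
    """Canonicalize aa:bb:.., AA-BB-.. or aabb.ccdd.eeff to 12 lowercase hex digits."""
    digits = re.sub(r"[:.\-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

@dataclass(frozen=True)
class Policy:
    name: str
    src: ipaddress.IPv4Network          # the address object
    device_group: Optional[frozenset]   # normalized MACs; None = no device condition
    action: str

    def matches(self, ip: str, mac: str) -> bool:
        # Condition 1: the source address must fall inside the address object.
        if ipaddress.ip_address(ip) not in self.src:
            return False
        # Condition 2 (ANDed): the device's MAC must be in the device group.
        if self.device_group is None:
            return True
        return normalize_mac(mac) in self.device_group

def evaluate(policies, ip: str, mac: str):
    """Return (policy name, action) of the first match, else the implicit deny."""
    for policy in policies:
        if policy.matches(ip, mac):
            return policy.name, policy.action
    return "implicit-deny", "deny"

# Constructed sample data: two approved devices on a hypothetical LAN subnet.
APPROVED = frozenset(normalize_mac(m) for m in
                     ("00:11:22:33:44:55", "00:11:22:aa:bb:cc"))
LAN = ipaddress.ip_network("192.168.10.0/24")
POLICIES = [Policy("lan-to-internet", LAN, APPROVED, "accept")]
# Same device group attached to a policy that uses the "all" address object.
POLICIES_ALL = [Policy("all-to-internet", ipaddress.ip_network("0.0.0.0/0"),
                       APPROVED, "accept")]

if __name__ == "__main__":
    for ip, mac in [("192.168.10.50", "00:11:22:33:44:55"),   # approved device
                    ("192.168.10.99", "de:ad:be:ef:00:01"),   # static IP, unknown MAC
                    ("10.0.0.5", "00:11:22:33:44:55")]:       # approved MAC, wrong subnet
        print(ip, mac, evaluate(POLICIES, ip, mac))
```

A device that statically assigns itself an address in the subnet still fails the second condition and falls through to the deny, which is the behaviour the reply relies on.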