Blocking mac addresses on a non-wireless network

Author
AndrePerez
New Member
  • Total Posts : 3
  • Scores: 2
  • Reward points: 0
  • Joined: 2019/02/12 07:25:43
  • Status: offline
2019/02/12 08:46:02 (permalink) 6.0
0

Blocking mac addresses on a non-wireless network

Hi! I have a Fortigate 30E running version 6.0.4 and have a physical cabled network where I need to permit traffic from a custom LAN (hardware switch ports 3 and 4) to WAN only for authorized MAC Addresses.
I tried to set up MAC Reservation + Access Control, using the options to assign an IP to a MAC address, reserve the IP and leave unknown MAC addresses blocked, but if a user sets the IP manually they can still get access to the internet.
Can someone help me to achieve this?
 
Best regards
#1

4 Replies

    lobstercreed
    Gold Member
    • Total Posts : 131
    • Scores: 21
    • Reward points: 0
    • Joined: 2018/11/28 14:57:58
    • Location: Sedalia, MO
    • Status: offline
    Re: Blocking mac addresses on a non-wireless network 2019/02/12 10:54:04 (permalink)
    0
    Hi Andre,
     
    Yes, this is fairly easy.  You need to use device objects in your outbound firewall policies.  Under User & Device > Device Inventory you should be able to see all devices connected on that custom LAN (if not, you need to enable Device Detection under the Interface configuration). 
    Create custom objects for each authorized device and then you can use them in your firewall policies.  You can also add them to a group (i.e. AuthorizedDevices) and use that device group in your firewall policies.  That way whenever authorized devices are added or removed all you have to do is change group membership.
     
    Let me know if you have any more questions about this.  - Daniel
    #2
    AndrePerez
    New Member
    • Total Posts : 3
    • Scores: 2
    • Reward points: 0
    • Joined: 2019/02/12 07:25:43
    • Status: offline
    Re: Blocking mac addresses on a non-wireless network 2019/02/12 11:02:57 (permalink)
    0
    Hi Daniel,
     
    Thanks for your quick answer. I created a custom object based on MAC address, but when I add it as a source on an IPv4 policy, there is a message: "One address, address group, or Internet service is required".
     
    Thanks
    #3
    lobstercreed
    Gold Member
    • Total Posts : 131
    • Scores: 21
    • Reward points: 0
    • Joined: 2018/11/28 14:57:58
    • Location: Sedalia, MO
    • Status: offline
    Re: Blocking mac addresses on a non-wireless network 2019/02/12 12:14:44 (permalink)
    0
    Hi Andre,
     
    Yes, I was assuming you already had a policy allowing traffic from this LAN to the Internet since you said users can statically assign IPs and get out.  You need to *add* the device group to this policy.  This should work even if you're using the "all" address object, but best practice would be to have a custom address object for that subnet used in the policy.
     
    Does that make sense?  It's AND logic.  Does your source address match this address object?  If no, this policy is not a match (even if your device is in the device group).  If yes, does your device (i.e. MAC address) also match this device group?  If no, this policy is not a match.
     
    - Daniel
     
     
    #4
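    The AND logic Daniel describes, written out as a FortiOS 6.0 CLI configuration. This is an added illustration, not configuration posted in the thread or taken from Fortinet documentation; the object names (laptop-01, AuthorizedDevices, LAN_custom_subnet), the MAC address, the subnet and the interface names are constructed placeholders, and the keyword names are assumed from the FortiOS 6.0 CLI (in later releases MAC-based objects moved into the address objects, so the syntax differs there).

    ```fortios
    # One device object per authorized MAC address (constructed example values).
    config user device
        edit "laptop-01"
            set mac 00:11:22:33:44:55
        next
    end

    # Group the authorized devices so the policy never has to change;
    # only group membership is edited when devices come and go.
    config user device-group
        edit "AuthorizedDevices"
            set member "laptop-01"
        next
    end

    # A dedicated address object for the custom LAN subnet (placeholder range)
    # instead of "all", as suggested in reply #4.
    config firewall address
        edit "LAN_custom_subnet"
            set subnet 192.0.2.0 255.255.255.0
        next
    end

    # The outbound policy: a packet matches only if BOTH the source address
    # is in LAN_custom_subnet AND the source MAC is in AuthorizedDevices.
    # A user who sets a static IP inside the subnet still fails the device
    # check and is dropped by the implicit deny at the end of the policy table.
    config firewall policy
        edit 10
            set name "custom-LAN-to-WAN-authorized"
            set srcintf "lan"
            set dstintf "wan"
            set srcaddr "LAN_custom_subnet"
            set dstaddr "all"
            set devices "AuthorizedDevices"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat enable
        next
    end
    ```

    Two points worth checking after applying something like this: device detection must be enabled on the LAN interface (otherwise the FortiGate never learns the MAC and the device check cannot match), and a MAC address is an identifier, not a credential, so this is an access-control convenience rather than authentication; where stronger assurance is needed, port-based 802.1X on the switch is the usual complement.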
    AndrePerez
    New Member
    • Total Posts : 3
    • Scores: 2
    • Reward points: 0
    • Joined: 2019/02/12 07:25:43
    • Status: offline
    Re: Blocking mac addresses on a non-wireless network 2019/02/18 06:29:31 (permalink)
    5 (1)
    Hi and sorry for the delay.
    It worked as lobstercreed suggested.
    Thank you!
    #5