Blocking mac addresses on a non-wireless network | Fortinet Technical Discussion Forums

Join us now!

Username
Password
Verification
	Stay logged in

Forgot Your Password? Forgot your Username? Haven't received registration validation E-mail?

User Control Panel Log out

Forums
Posts

Latest Posts

Active Posts

Recently Visited

Search Results

View More
Blog

Recent Blog Posts

View More
Photos

Recent Photos

My Favorites

View More Photo Galleries
PMs

Unread PMs

Inbox

Send New PM View More
Page Extras
Menu
- Forum Themes
- Member List
- Online User List
- User Groups

Videos, Cookbook, KB

Mark Thread UnreadFlat Reading Mode ❐

Blocking mac addresses on a non-wireless network

Author Post Essentials Only Full Version
AndrePerez New Member Total Posts : 3 Scores: 0 Reward points: 0 Joined: 2019/02/12 07:25:43 Status: offline 2019/02/12 08:46:02 (permalink) 6.0 0 Blocking mac addresses on a non-wireless network Hi! I have a Fortigate 30E running version 6.0.4 and have a physical cabled network where I need to permit traffic from a custom LAN (hardware switch ports 3 and 4) to WAN only for authorized MAC Addresses. I tried to setup MAC Reservation + Access Control, using options assign IP to a MAC Address, reserve IP and leaving the unknown MAC Addresses with block, but if some user sets the IP manually it can have access allowed to internet. Can someone help me to achieve this? Best regards #1 4 Replies Related Threads
lobstercreed Silver Member Total Posts : 83 Scores: 15 Reward points: 0 Joined: 2018/11/28 14:57:58 Location: Sedalia, MO Status: offline Re: Blocking mac addresses on a non-wireless network 2019/02/12 10:54:04 (permalink) 0 Hi Andre, Yes, this is fairly easy. You need to use device objects in your outbound firewall policies. Under User & Device > Device Inventory you should be able to see all devices connected on that custom LAN (if not, you need to enable Device Detection under the Interface configuration). Create custom objects for each authorized device and then you can use them in your firewall policies. You can also add them to a group (i.e. AuthorizedDevices) and use that device group in your firewall policies. That way whenever authorized devices are added or removed all you have to do is change group membership. Let me know if you have any more questions about this. - Daniel #2
AndrePerez New Member Total Posts : 3 Scores: 0 Reward points: 0 Joined: 2019/02/12 07:25:43 Status: offline Re: Blocking mac addresses on a non-wireless network 2019/02/12 11:02:57 (permalink) 0 Hi Daniel, Thanks for you quick answer. I created a custom object based on mac address, but when I add it as a source on an IPv4 policy, there is a message: "One address, address group, or Internet service is required". Thanks #3
lobstercreed Silver Member Total Posts : 83 Scores: 15 Reward points: 0 Joined: 2018/11/28 14:57:58 Location: Sedalia, MO Status: offline Re: Blocking mac addresses on a non-wireless network 2019/02/12 12:14:44 (permalink) 0 Hi Andre, Yes, I was assuming you already had a policy allowing traffic from this LAN to the Internet since you said users can statically assign IPs and get out. You need to add the device group to this policy. This should work even if you're using the "all" address object, but best practice would be to have a custom address object for that subnet used in the policy. Does that make sense? It's AND logic. Does your source address match this address object? If no, this policy is not a match (even if your device is in the device group). If yes, does your device (i.e. MAC address) also match this device group? If no, this policy is not a match. - Daniel #4
AndrePerez New Member Total Posts : 3 Scores: 0 Reward points: 0 Joined: 2019/02/12 07:25:43 Status: offline Re: Blocking mac addresses on a non-wireless network 2019/02/18 06:29:31 (permalink) 0 Hi and sorry by the delay. It worked as lobstercreed suggested. Thank you! #5

Jump to:

© 2019 APG vNext Commercial Version 5.5