One address, address group, or Internet service is required error when Setting up MAC base

Author
tamilpol
2020/09/10 01:00:44 (permalink)

Hello all,
I am trying to set up MAC-based policy access in which only the computers (3 PCs) from my room should have access to all other computers and servers in the whole apartment.
I have added the computers to the device inventory based on MAC address.
But when I try to create a policy based on MAC, I am getting this error:

One address, address group, or Internet service is required

When I add a subnet with the PCs, the error goes away. But I don't want the subnet to have all access. Only the computers with the MAC addresses should have access.

PS: I have researched the changes in FortiOS 6.2. But you can still do MAC-based policy directly on IPv4 policy pages.
Thank you so much in advance for your help and advice.
#1


    lobstercreed
    Re: One address, address group, or Internet service is required error when Setting up MAC 2020/09/10 03:31:52 (permalink)
    What you left out is what version you're running.  Based on the error you're getting, I assume you are running something prior to 6.2 (i.e. 6.0.x, 5.6.x, etc).
     
    Prior to 6.2, a MAC-based policy uses AND logic with the source address(es) and the source MAC address(es) you specify.  So when you add the subnet, you're saying IF the source IP matches AND the source MAC address matches, then this is applicable. 
     
    It's not opening it up to the entire subnet....that would only happen if you REMOVED the MAC address(es) from the source definition in the policy. 
     
    Feel free to test it out and prove it for yourself (try using a different MAC address to match that policy).
    #2
    lobstercreed
    Re: One address, address group, or Internet service is required error when Setting up MAC 2020/09/10 03:33:44 (permalink)
    Oh, and in 6.2 and later, devices (i.e. MAC addresses) aren't a thing.  They become address objects of a special type and can be used by themselves in a policy (what you were trying to do) where they would apply to ANY source IP address that matches that MAC address.
     
    This was a HUGE pain in the butt for me when we moved from 6.0.9 to 6.2.x (and ultimately 6.4.x).  I was using a ton of MAC address policies and had to rewrite the logic for them because suddenly my source IP and source MAC addresses were now using OR logic and traffic would match on either one.  I had to go in and remove the IP address objects from all my MAC address policies.
    post edited by lobstercreed - 2020/09/10 03:35:41
    #3
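
A small Python model of the two matching behaviours described in replies #2 and #3, added here as an illustration; it is not part of the original thread and is not FortiOS code. The `Policy` class, the function names and every address below are constructed assumptions. It lists the hosts that a policy mixing IP and MAC sources newly matches once the logic changes from AND to OR.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Policy:
    name: str
    src_subnets: list   # IP address objects in the source field, as CIDR strings
    src_macs: list      # MAC addresses in the source definition

def _ip_hit(p, ip):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in p.src_subnets)

def _mac_hit(p, mac):
    return mac.lower() in {m.lower() for m in p.src_macs}

def match_and(p, ip, mac):
    """Pre-6.2 as described in reply #2: source IP AND source MAC must both match."""
    return _ip_hit(p, ip) and (not p.src_macs or _mac_hit(p, mac))

def match_or(p, ip, mac):
    """6.2+ as described in reply #3: traffic matches on either the IP or the MAC."""
    return _ip_hit(p, ip) or _mac_hit(p, mac)

def widened(p, hosts):
    """Hosts the policy did not match under AND logic but does match under OR logic."""
    return [h for h, (ip, mac) in hosts.items()
            if match_or(p, ip, mac) and not match_and(p, ip, mac)]

# Constructed sample data (documentation IP and MAC ranges, not from the thread).
ROOM_MACS = ["00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:03"]
HOSTS = {
    "room-pc-1":       ("192.0.2.11",    "00:00:5e:00:53:01"),
    "guest":           ("192.0.2.50",    "00:00:5e:00:53:aa"),  # same subnet, unknown MAC
    "room-pc-2-moved": ("198.51.100.7",  "00:00:5e:00:53:02"),  # known MAC, other subnet
    "server":          ("198.51.100.20", "00:00:5e:00:53:bb"),
}
mixed = Policy("room-to-all", ["192.0.2.0/24"], ROOM_MACS)   # subnet + MACs
mac_only = Policy("room-to-all-fixed", [], ROOM_MACS)        # IP objects removed

if __name__ == "__main__":
    print("newly matched after upgrade:", widened(mixed, HOSTS))
    print("matched by MAC-only policy: ",
          [h for h, (ip, mac) in HOSTS.items() if match_or(mac_only, ip, mac)])
```

Running the same comparison over an exported policy list before an upgrade shows which rules need their IP address objects removed, which is the rewrite described in reply #3.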
    tamilpol
    Re: One address, address group, or Internet service is required error when Setting up MAC 2020/09/10 05:31:25 (permalink)
    Yes, you are correct. I tried adding both the source address and the MAC address, and it worked like a charm. Thanks mate, you are awesome.
    #4