vinodhini
Staff
April 30, 2020

Technical Tip: Creating policies using well-known MAC address list in ISDB

Description

This article describes how to create firewall policies using the well-known vendor MAC address list available in the ISDB.

 

Scope

FortiGate.

Solution

The ISDB (Internet Service Database) includes well-known vendor MAC address range lists.
These lists can only be used to match source MAC addresses in IPv4 policies; each entry holds the vendor name and the MAC address ranges assigned to that vendor.

  1. MAC address options and information:

  • MAC address vendor options:

diagnose vendor-mac ?

id            Vendor MAC ID.
id-summary    Vendor MAC ID summary.
info          MAC Address information.
match         Find Vendor MAC for a specific MAC address and mask.

  • To view the vendor list:

diagnose vendor-mac id
Please input Vendor MAC ID.
ID: 1 name: "Asus"
ID: 2 name: "Acer"
ID: 3 name: "Amazon"
ID: 4 name: "Apple"
ID: 5 name: "Xiaomi"
ID: 6 name: "BlackBerry"
ID: 7 name: "Canon"
ID: 8 name: "Cisco"
ID: 9 name: "Linksys"
ID: 10 name: "D-Link"
ID: 11 name: "Dell"
ID: 12 name: "Ericsson"
ID: 13 name: "LG"
ID: 14 name: "Fujitsu"
ID: 15 name: "Fitbit"
ID: 16 name: "Fortinet"
ID: 17 name: "OPPO"
ID: 18 name: "Hitachi"
ID: 19 name: "HTC"
ID: 20 name: "Huawei"
ID: 21 name: "HP"
ID: 22 name: "IBM"
ID: 23 name: "Juniper"
ID: 24 name: "Lenovo"
ID: 25 name: "Microsoft"
ID: 26 name: "Motorola"
ID: 27 name: "Netgear"
ID: 28 name: "Nokia"
ID: 29 name: "Nintendo"
ID: 30 name: "PaloAltoNetworks"
ID: 31 name: "Polycom"
ID: 32 name: "Samsung"
ID: 33 name: "Sharp"
ID: 34 name: "Sony"
ID: 35 name: "Toshiba"
ID: 36 name: "VMware"
ID: 37 name: "Vivo"
ID: 38 name: "Zyxel"
ID: 39 name: "ZTE"

  • To view the MAC address ranges for a vendor:

diagnose vendor-mac id 16
Vendor MAC: 16(Fortinet)
Version: 0000700021
Timestamp: 201908081432
Number of MAC ranges: 6
00:09:0f:00:00:00 - 00:09:0f:ff:ff:ff
04:d5:90:00:00:00 - 04:d5:90:ff:ff:ff
08:5b:0e:00:00:00 - 08:5b:0e:ff:ff:ff
70:4c:a5:00:00:00 - 70:4c:a5:ff:ff:ff
90:6c:ac:00:00:00 - 90:6c:ac:ff:ff:ff
e8:1c:ba:00:00:00 - e8:1c:ba:ff:ff:ff

  • To view the vendor MAC database summary (version, timestamp and total number of ranges):

diagnose vendor-mac id-summary e8:ed:d6:ff:ff:ff
Version:                                  0000100234
Timestamp:                             202409100900
Total number of MAC ranges:    14903
No such vendor id 0

  • To query the vendor of a specific MAC address or range:

diagnose vendor-mac match 00:09:0f:ff:ff:ff 48
Vendor MAC: 16(Fortinet), matched num: 1

  • To view the MAC address information:

diagnose vendor-mac info 00:09:0f:ff:ff:ff 48
Vendor MAC: 16(Fortinet)

  • To query using the name of the vendor:

diagnose vendor-mac id | grep Fortinet
ID: 16 name: "Fortinet"

  2. To use the vendor ID in a firewall policy.

Configure an IPv4 policy with 'src-vendor-mac' and specify one or more vendor MAC IDs. This option is available only in the CLI.

config firewall policy
    edit 9
        set name "policy_id_9"
        set srcintf "wan2"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set src-vendor-mac 36 16       <----- 36:VMware and 16:Fortinet.
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set auto-asic-offload disable
        set nat enable
    next
end

Only packets whose source MAC address falls within a Fortinet (ID 16) or VMware (ID 36) range match this policy and are passed.
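As an added illustration (not FortiOS code), the Python below models what the 'match' command above and the policy's src-vendor-mac check do: it parses vendor ranges in the 'diagnose vendor-mac id <n>' output format, finds the vendor IDs whose ranges overlap a MAC/mask block, and tests a source MAC against the ID list from 'set src-vendor-mac 36 16'. The single VMware range is an assumption taken from the public OUI registry, since the page only lists the Fortinet ranges.

```python
# Added example (not FortiOS code): model 'diagnose vendor-mac match <mac> <mask>'
# and the 'set src-vendor-mac' check over 'diagnose vendor-mac id <n>' output.
import re

# Constructed sample input: the six Fortinet (ID 16) ranges from the page plus
# one VMware (ID 36) range from the public OUI registry (not shown on the page).
SAMPLE_OUTPUT = """\
Vendor MAC: 16(Fortinet)
Number of MAC ranges: 6
00:09:0f:00:00:00 - 00:09:0f:ff:ff:ff
04:d5:90:00:00:00 - 04:d5:90:ff:ff:ff
08:5b:0e:00:00:00 - 08:5b:0e:ff:ff:ff
70:4c:a5:00:00:00 - 70:4c:a5:ff:ff:ff
90:6c:ac:00:00:00 - 90:6c:ac:ff:ff:ff
e8:1c:ba:00:00:00 - e8:1c:ba:ff:ff:ff
Vendor MAC: 36(VMware)
Number of MAC ranges: 1
00:50:56:00:00:00 - 00:50:56:ff:ff:ff
"""

VENDOR_RE = re.compile(r"^Vendor MAC: (\d+)\((.+)\)$")
RANGE_RE = re.compile(r"^([0-9a-f:]{17}) - ([0-9a-f:]{17})$", re.I)

def mac_to_int(mac):
    return int(mac.replace(":", ""), 16)

def parse_vendor_ranges(text):
    """Parse CLI output into {vendor_id: (name, [(low, high), ...])}."""
    vendors, current = {}, None
    for line in text.splitlines():
        if m := VENDOR_RE.match(line):
            current = int(m.group(1))
            vendors[current] = (m.group(2), [])
        elif (m := RANGE_RE.match(line)) and current is not None:
            vendors[current][1].append((mac_to_int(m.group(1)), mac_to_int(m.group(2))))
    return vendors

def match_vendor(vendors, mac, mask=48):
    """IDs of vendors whose ranges overlap the mac/mask block (mask 48 = exact MAC)."""
    if not 0 <= mask <= 48:
        raise ValueError("mask must be 0..48 bits")
    width = 48 - mask                      # low-order bits left unmasked
    low = (mac_to_int(mac) >> width) << width
    high = low | ((1 << width) - 1)
    return sorted(vid for vid, (_, ranges) in vendors.items()
                  if any(lo <= high and low <= hi for lo, hi in ranges))

def src_vendor_mac_permits(vendors, policy_ids, src_mac):
    # True when src_mac lies in a range of any ID given to 'set src-vendor-mac'.
    return any(vid in policy_ids for vid in match_vendor(vendors, src_mac))
```

The lookup identifies the interface vendor from the MAC address, which a host can change, so treat src-vendor-mac as a convenience filter rather than an authentication control.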

Related documents:

FortiOS v7.2.9 Administration Guide - ISDB well-known MAC address list

FortiOS v7.4.4 Administration Guide - ISDB well-known MAC address list

FortiOS v7.6.0 Administration Guide - ISDB well-known MAC address list

FortiGate v7.4.0 CLI Reference - config-firewall-policy