sselvam
Staff
August 12, 2019

Technical Tip: How to create the MAC address based policies in FortiGate IPv4 policy


Description


This article describes how to create the MAC address based policies in IPv4 policy.

 

Scope

 

FortiGate.

Solution

 

Configuration GUI

 

Note:

These MAC address-type objects can only be used as Source Addresses for firewall policies when the FortiGate is in NAT mode. The MAC address is a link-layer address and it cannot be forwarded to different IP networks. On the other hand, the MAC address type objects can be applied as the source address and destination address for policies in Transparent mode or Virtual Wire Pair interface.

 

  1. Screenshot illustrating the creation of the MAC address in the addresses:

 

Go to Firewall -> Policy & Objects -> Addresses -> Create new -> Address -> Select Type as MAC address

Specify the name and MAC address of the respective users.

 

  2. Screenshot illustrating the creation of the firewall policy with the MAC address object as the source address (device-based policy was removed in v6.2.0, so the MAC address object is used directly in the IPv4 policy):
 
 
Go to Policy & Objects -> IPv4 policy -> Create new -> specify the source address as the MAC address object created under Addresses
 
To create the address on the CLI:
 
config firewall address
    edit "MAC_based"
        set type mac
        set start-mac 00:69:72:01:2b:01
        set end-mac 00:69:72:01:2b:01
    next
end
 
To create the IPv4 policy in the CLI:
 
config firewall policy
    edit <policy ID>
        set name "MAC_Address_policy"
        set srcintf "port3"
        set dstintf "port1"
        set srcaddr "MAC_based"     <----- Specify the MAC address created in Addresses.
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end
 
Verification of Configuration and troubleshooting: 
In order to check if the policy is in effect, initiate the traffic from the client machine and check it on the firewall and in FortiView.
Note: If traffic is reaching FortiGate from an L3 device, then the L3 device will forward the traffic to FortiGate with its own MAC address. In this case, a MAC-based policy will not work.
 
The client's MAC address, as learned by the FortiGate, can be seen in the ARP table:
 
get system arp

FortiView -> Sources -> Filter with the source IP -> Policies.

The policy ID will identify whether the respective PC is taking the right policy.
 
Log & Report -> Forward traffic -> Filter the source IP -> Check the current traffic of the client machine.
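The verification above can be scripted: the following added example (not part of this article or of FortiOS) parses the output of get system arp and reports whether the MAC the FortiGate learned for a client IP falls inside the start-mac/end-mac range of the address object and was learned on the policy's srcintf. The ARP output, IP addresses and MAC values below are constructed sample data in the usual get system arp column layout; a MAC outside the range on a client that sits behind a router is the symptom of the L3 caveat described in the note.

```python
# Added example, not from the original article: check whether the MAC a FortiGate
# learned for a client (via "get system arp") lies inside a MAC-type address
# object's start-mac/end-mac range, so that a MAC-based IPv4 policy can match it.
# SAMPLE_ARP is constructed data laid out like "get system arp" output.
import re

ARP_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<age>\d+)\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\s+(?P<intf>\S+)$"
)

SAMPLE_ARP = """\
Address           Age(min)   Hardware Addr      Interface
10.10.10.5        1          00:69:72:01:2b:01  port3
10.10.10.6        3          00:69:72:01:2b:07  port3
192.168.50.20     0          d4:76:a0:11:22:33  port3
"""


def mac_to_int(mac):
    """Turn aa:bb:cc:dd:ee:ff (or aa-bb-...) into an integer for range checks."""
    return int(mac.replace(":", "").replace("-", ""), 16)


def parse_arp(text):
    """Map IP -> (mac, interface) from get system arp output; header lines are skipped."""
    entries = {}
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        if m:
            entries[m["ip"]] = (m["mac"].lower(), m["intf"])
    return entries


def in_mac_range(mac, start_mac, end_mac):
    """True if mac is within the inclusive start-mac .. end-mac range."""
    return mac_to_int(start_mac) <= mac_to_int(mac) <= mac_to_int(end_mac)


def check_client(client_ip, start_mac, end_mac, srcintf, arp_text=SAMPLE_ARP):
    """Return (policy_can_match, reason) for one client IP."""
    entries = parse_arp(arp_text)
    if client_ip not in entries:
        return False, "no ARP entry: the FortiGate has not seen this client directly"
    mac, intf = entries[client_ip]
    if intf != srcintf:
        return False, f"ARP entry learned on {intf}, but the policy srcintf is {srcintf}"
    if not in_mac_range(mac, start_mac, end_mac):
        return False, (f"learned MAC {mac} is outside {start_mac}-{end_mac}; "
                       "if the client is behind an L3 hop this is that hop's MAC")
    return True, f"learned MAC {mac} is inside the address object's range"
```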
 
Screenshot of the forwarded traffic from the client machine:

 
Related article: