MAC based policy not working with L3 switch

Posted by robinh007 (Explorer III) on April 29, 2025 · Solved · 2 replies · 965 views

Hi,

We have two firewalls located in different locations: Firewall A and Firewall B. Both setups include an L3 device positioned between the LAN and the firewall.

In Firewall A, the relevant subnet appears as directly connected, whereas in Firewall B, the subnet is marked as statically connected. This indicates that in the Firewall B setup, the switch acts as the gateway, causing the firewall to receive the MAC address of the L3 device instead of the end-user device.

However, in the Firewall A network, even with the L3 setup, the firewall acts as the gateway for the subnet, enabling it to detect actual client MAC addresses and enforce MAC-based policies.

Consequently, MAC-based policies do not function in the Firewall B setup because the L3 device serves as the gateway. In contrast, these policies work in the Firewall A setup, where the firewall directly receives the MAC addresses of the client devices.

Tags: FortiGate


2 replies

ebilcari (Staff) · April 29, 2025

I assume that in the network behind FGT A, even though the hosts are connected to an L3 switch, the switch might be configured to extend the VLAN of the relevant hosts directly to the FGT, which acts as the gateway. On the other hand, FGT B appears to be routing these subnets, which would explain the behavior you're observing.

Emirjon
robinh007 (Author, Explorer III) · April 30, 2025

@ebilcari Thank you for the explanation. What steps can be taken in FGT B to address and resolve the issue effectively?

ebilcari (Staff) · April 30, 2025 · Accepted answer

I guess in this case it will be easier to mimic the working configuration of site A. I think it should have the switch uplink configured as trunk (multiple tagged VLANs) and in the FGT side it has sub interfaces with the same VLAN ID, like:

[attached image: sunbinter.PNG]

Emirjon
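The trunk-plus-sub-interface layout from the accepted answer, written out as a FortiOS CLI fragment. This is an added illustration, not configuration taken from the thread or from Fortinet documentation; the port name port2, VLAN ID 10, the 192.0.2.0/24 subnet, the MAC address, the object names and the wan1 egress interface are placeholders chosen for the example.

```text
# Constructed example (not from the thread). Assumes port2 faces the switch,
# VLAN 10 is carried tagged on the switch uplink, and the FortiGate (not the
# switch) holds the gateway IP for that VLAN, so client frames arrive with
# the client's own source MAC intact.
config system interface
    edit "vlan10"
        set vdom "root"
        set interface "port2"
        set vlanid 10
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping
        set role lan
    next
end

# MAC-based address object (placeholder MAC from the documentation range).
# If the switch were still routing the subnet, every frame would carry the
# switch's MAC and this object would never match a real client.
config firewall address
    edit "host-mac-example"
        set type mac
        set macaddr "00:00:5e:00:53:01"
    next
end

# Policy that only admits the matched MAC from the VLAN sub-interface.
config firewall policy
    edit 0
        set name "mac-host-to-internet"
        set srcintf "vlan10"
        set dstintf "wan1"
        set srcaddr "host-mac-example"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

The switch side must tag VLAN 10 on the uplink and must not keep an SVI acting as gateway for 192.0.2.0/24; if it does, the FortiGate sees the SVI's MAC again and the policy silently stops matching, exactly the FGT B symptom described above.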