sdash_FTNT
Staff
Description
This article describes how to control access with a MAC Address Access Control List on interfaces that have DHCP enabled.

Solution
A MAC Address Access Control List (ACL) allows or blocks access on a network interface that includes a DHCP server.

A MAC Address ACL functions as either a list of blocked devices or a list of allowed devices. This is determined by the "Unknown MAC Address" entry.

 • By default, the ACL is a list of blocked devices: the Action of the "Unknown MAC Address" entry is "Assign IP". Add an entry for each MAC address that you want to block and set its Action to "Block".

 • If you want the ACL to allow only a limited set of devices, set the Action of the "Unknown MAC Address" entry to "Block". Then add the MAC address of each allowed device and set its Action to "Assign IP".

Optionally, you can set an entry's Action to "Reserve IP" and enter the IP address that will always be assigned to that device.

To create a MAC Address ACL to allow only specific devices:

1. Go to the SSID or network interface configuration.
2. In the DHCP Server section, expand Advanced. DHCP Server must be enabled.
3. In MAC Reservation + Access Control, select Create New and enter an allowed device’s MAC Address.
4. In the IP or Action column, select one of:
• Assign IP — device is assigned an IP address from the DHCP server address range.
• Reserve IP — device is assigned the IP address that you specify.
5. Repeat Steps 3 and 4 for each additional MAC address entry.
6. Set the Unknown MAC Address entry IP or Action to Block.
7. Select OK.

To create a MAC Address ACL to block specific devices:

1. Go to the SSID or network interface configuration.
2. In the DHCP Server section, expand Advanced. DHCP Server must be enabled.
3. In MAC Reservation + Access Control, select Create New and enter a blocked device’s MAC Address.
4. In the IP or Action column, select Block.
5. Repeat Steps 3 and 4 for each additional MAC address entry.
6. Set the Unknown MAC Address entry IP or Action to Assign IP.
7. Select OK.
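
To check which of the two modes each DHCP server is in from a configuration backup instead of the GUI, the following added example (not part of the original article and not Fortinet code) parses the DHCP server section and lists each entry. It assumes the FortiOS CLI keywords `mac-acl-default-action` and `config reserved-address` with `set action assign|block|reserved`, which should be verified against your FortiOS version; the sample configuration is constructed.

```python
SAMPLE_CONFIG = """\
config system dhcp server
    edit 1
        set interface "guest-ssid"
        set mac-acl-default-action block
        config reserved-address
            edit 1
                set mac 00:11:22:aa:bb:01
                set action assign
            next
            edit 2
                set ip 10.10.10.50
                set mac 00:11:22:aa:bb:02
                set action reserved
            next
        end
    next
    edit 2
        set interface "lan"
        config reserved-address
            edit 1
                set mac 00:11:22:aa:bb:99
                set action block
            next
        end
    next
end
"""  # constructed sample (made-up names, MACs and IP), not taken from the article

def audit_dhcp_mac_acl(config_text):
    """Per DHCP server: allow-list or block-list? An unset default means Assign IP."""
    servers, stack = [], []
    for line in config_text.splitlines():
        key, *args = line.split() or [""]
        if key == "config":
            stack.append(" ".join(args))
        elif key == "end" and stack:
            stack.pop()
        elif key == "edit" and stack == ["system dhcp server"]:
            servers.append({"mac-acl-default-action": "assign", "entries": []})
        elif key == "edit" and stack == ["system dhcp server", "reserved-address"]:
            servers[-1]["entries"].append({})
        elif key == "set" and len(args) >= 2 and stack[:1] == ["system dhcp server"]:
            value = args[1].strip('"')
            if len(stack) == 1 and args[0] in ("interface", "mac-acl-default-action"):
                servers[-1][args[0]] = value
            elif stack[1:] == ["reserved-address"] and args[0] in ("mac", "action"):
                servers[-1]["entries"][-1][args[0]] = value
    return [dict(s, mode="allow-list" if s["mac-acl-default-action"] == "block"
                 else "block-list") for s in servers]
```

A server reported as `block-list` still assigns addresses to any MAC address that is not listed, which is the default behaviour described above.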
