bmedikonda
Staff
Article Id 367278
Description This article describes how to block devices with unknown MAC addresses from the network by refusing to assign them an IP address through the DHCP server.
Scope FortiGate.
Solution

To block unknown MAC addresses without assigning an IP address in DHCP, follow these steps:

  1. Enable the DHCP Server: Go to the interface and enable the DHCP server.
  2. Access Advanced Options: Navigate to the DHCP server settings and locate the Advanced Options section.
  3. Configure IP Address Assignment Rules:
    • Go to the IP Address Assignment Rules section.
    • Locate the Implicit Rule and right-click on it.
    • Set the Action for the implicit rule to Block.
  4. Save the Configuration: Apply and save the changes to ensure the new rule is enforced.

This configuration will prevent any device with an unknown MAC address from obtaining an IP address.

The same setting can be changed from the CLI:

config system dhcp server
    edit 2                                 <----- ID of the DHCP server on that interface
        set mac-acl-default-action block   <----- action of the implicit rule (default: assign)
    next
end
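The implicit rule only refuses leases to MACs that have no matching entry in the IP address assignment rules (config reserved-address), so a server set to block with no allowed entries locks every client out. The following audit script is an added example and is not Fortinet's code: it parses text in the shape of `show system dhcp server` output, treats a server with no mac-acl-default-action line as using the FortiOS default (assign), counts reserved-address entries whose action is not block as allowed MACs, and reports servers that still lease to unknown devices or that block everyone. The sample configuration is constructed, not a real device dump.

```python
# Constructed sample shaped like `show system dhcp server` output (not a real dump).
SAMPLE_CONFIG = """\
config system dhcp server
    edit 1
        set mac-acl-default-action assign
    next
    edit 2
        set mac-acl-default-action block
        config reserved-address
            edit 1
                set mac 00:11:22:33:44:55
                set action assign
            next
        end
    next
    edit 3
        set mac-acl-default-action block
    next
end
"""

def parse_dhcp_servers(config):
    """Map each DHCP server id to its implicit-rule action and allowed MAC count."""
    servers, sid, in_reserved = {}, None, False
    for raw in config.splitlines():
        line = raw.strip()
        if line in ("config reserved-address", "end"):
            in_reserved = line == "config reserved-address"
        elif line.startswith("edit "):
            if in_reserved:  # an entry is allowed unless its action is block
                servers[sid]["allowed_macs"] += 1
            else:  # `show` omits defaults; the FortiOS default action is assign
                sid = line.split()[1]
                servers[sid] = {"default_action": "assign", "allowed_macs": 0}
        elif line.startswith("set mac-acl-default-action "):
            servers[sid]["default_action"] = line.split()[-1]
        elif line == "set action block" and in_reserved:
            servers[sid]["allowed_macs"] -= 1
    return servers

def audit(config):
    """One finding per server that leases to unknown MACs or locks everyone out."""
    findings = []
    for sid, info in parse_dhcp_servers(config).items():
        if info["default_action"] != "block":
            findings.append(f"dhcp server {sid}: unknown MACs still receive leases")
        elif info["allowed_macs"] == 0:
            findings.append(f"dhcp server {sid}: block rule with no allowed MAC entries")
    return findings
```

Running `audit(SAMPLE_CONFIG)` flags server 1 (implicit rule still assign) and server 3 (block with no allowed MACs), while server 2 passes.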

Related articles

Technical Tip: Blocking a MAC address in FortiGate using a Firewall Policy
Technical Note : Configuring MAC address filtering on a FortiGate - IP/MAC binding