FortiGate
Umer221
Staff
Article Id 398472
Description This article explains how to block a device from obtaining a DHCP lease on a FortiGate by using its MAC address in the IP address assignment rules under the DHCP server settings.
Scope FortiGate
Solution
  1. Navigate to the DHCP server settings on the desired interface: Go to Network -> Interface, then select Edit on the interface where DHCP is enabled.
  2. Expand advanced DHCP settings: Scroll down to the DHCP Server Settings section and expand the Advanced Settings.
  3. Add a new IP address assignment rule: Select Create New under the IP Address Assignment Rules section.

 

[Screenshot: IP Assignment.jpg]

  4. Configure the MAC-based blocking rule:
     • Under Type, select MAC Address.
     • In the MAC address field, enter the MAC address of the device to be blocked.
     • Under Action type, select Block.
     • Select OK to save the rule.

 

[Screenshot: DHCP Block.jpg]


This is how it should look after creating a new IP address assignment rule to block a device using its MAC address:

 

[Screenshot: Assigned.png]

Using CLI:

[Screenshot: DHCP CLI.jpg]
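
The same rule expressed in the CLI, as an added example (not a transcription of the article's screenshot, which is not reproduced here). `<dhcp_server_id>` and `<rule_id>` are placeholders for the IDs on the unit, and the MAC address and description are constructed sample values.

```fortios
config system dhcp server
    edit <dhcp_server_id>
        config reserved-address
            edit <rule_id>
                set type mac
                set mac 00:00:5e:00:53:01
                set action block
                set description "example block rule, sample MAC"
            next
        end
    next
end
```

A lease handed out to the device before the rule was created can be checked with `execute dhcp lease-list` and removed with `execute dhcp lease-clear`.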


Once this rule is created, the device with the specified MAC address will be blocked from obtaining any DHCP lease from the FortiGate DHCP server. This method helps prevent unauthorized or unknown devices from joining the network via automatic IP address assignment.

 

DHCP debugging can be performed for troubleshooting:

diagnose debug reset
diagnose debug console timestamp enable
diagnose debug app dhcps -1
diagnose debug enable

To stop the debug:

diagnose debug reset
diagnose debug disable