Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
spathak
Staff
Staff

Created on ‎11-05-2019 01:47 AM Edited on ‎01-14-2025 01:32 AM By Moderator

Article Id 195304

Technical Tip: How to control DHCP user via MAC address

Description

 

This article describes that in a DHCP environment if the user wants to allow/block (control) a few users, this is possible via MAC Reservation + Access Control.

 

Scope

 

FortiGate.

Solution

 

A MAC Address Access Control List (ACL) allows or blocks access on a network interface that includes a DHCP server.

A MAC Address ACL functions is either a list of blocked devices or a list of allowed devices. This is determined by the 'Unknown MAC Address' entry.

  • By default, the ACL is a list of blocked devices. The 'Unknown MAC Address entry' Action is 'Assign IP'. Add an entry for each MAC address wanted to block and set its Action to 'Block'.
  •  To let the ACL allow only a limited set of devices, set the 'Unknown MAC Address entry' to 'Block'. Then, add the MAC address of each allowed device. Set Action to 'Assign IP'.
  •  Reserve the IP for the particular MAC address is also possible so that every time that MAC address will get that particular reserved IP

 

Steps to create via MAC Reservation + Access Control.
Go to Network -> Interface -> edit the Interface -> DHCP server -> Advanced.

 

 
 

Available actions:

  1. Reserve IP: It will reserve the Particular IP for the defined MAC. Make sure to assign the IP from the DHCP range.
  2. Assign IP: That MAC address will get an IP from the set DHCP range.
  3. Block: This will block the DHCP from assigning any IP for that MAC.

 

One option is available: 'Unknown MAC Address', this option is used in case the MAC address is unknown and for setting an action for all those 'Unknown MAC Address'.

  • Action for 'Unknown MAC Address' as 'Assign IP' or 'Block IP' can be set (recommendation will be to set the action as block IP).

 

Type :
Regular = Use this for regular LAN users.
IPsec = Use for the IPsec client to site users.

 

On v7.2.x option 'MAC Reservation' looks like as per the snippet below:


Capture123.PNG

 

Create an IP address assignment rule to block, reserve, or assign IP using the MAC address.

 

Capture-1.PNG

 

This will block the MAC address to receive IP from the DHCP Pool:

 

Capture-2.PNG

 

To configure via CLI:


config system dhcp server

    edit 2 <----- ID number assigned.

        config reserved-address

            edit 0 <----- New entry.

                set ip 10.5.16.1 <----- IP address.

                set mac aa:bb:cc:dd:ee:ff <----- Mac address.

                set action ** (assign, block, reserved)

            next

        end

    next

end

 

Related articles

Technical Tip: Blocking a MAC address in FortiGate using a Firewall Policy
Technical Note : Configuring MAC address filtering on a FortiGate - IP/MAC binding

Technical Tip : How to Block Unknown MAC Addresses without assigning IP addresses in DHCP

49496
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.