FortiGate
spathak
Staff
Article Id 195304

Description

 

This article describes how, in a DHCP environment, to allow or block (control) selected devices by using MAC Reservation + Access Control on the FortiGate DHCP server.

 

Scope

 

FortiGate.

Solution

 

A MAC Address Access Control List (ACL) controls which devices the DHCP server on a network interface will hand a lease to. It acts on DHCP address assignment only: a host that configures a static IP address, or that spoofs the MAC address of a permitted device, is not stopped by it. Where access to the network itself must be restricted, combine it with a firewall policy or IP/MAC binding (see the related articles below).

A MAC Address ACL is either a list of blocked devices or a list of allowed devices. Which one it is depends on the 'Unknown MAC Address' entry:

  • By default the ACL is a block list: the Action of the 'Unknown MAC Address' entry is 'Assign IP'. Add an entry for each MAC address to be blocked and set its Action to 'Block'.
  • To make the ACL an allow list that admits only a limited set of devices, set the 'Unknown MAC Address' entry to 'Block'. Then add an entry for each allowed device and set its Action to 'Assign IP'.
  • An IP address can also be reserved for a particular MAC address, so that the device with that MAC address receives the same IP address every time.

 

Steps to create an entry via MAC Reservation + Access Control in the GUI:
Go to Network -> Interfaces -> edit the interface -> DHCP Server -> Advanced.

 

 
 

Available actions:

  1. Reserve IP: reserves the specified IP address for the defined MAC address. The reserved IP must lie inside the DHCP address range.
  2. Assign IP: the MAC address receives an IP address from the configured DHCP range. This is the action used to allow a device when 'Unknown MAC Address' is set to 'Block'.
  3. Block: the DHCP server will not assign any IP address to that MAC address.

 

One further option is available: 'Unknown MAC Address'. It sets the action applied to every MAC address that has no explicit entry in the list.

  • The action for 'Unknown MAC Address' can be 'Assign IP' or 'Block'. The recommendation is to set it to 'Block', so that only listed devices obtain a lease. Before doing so, make sure every legitimate device (including the administrator's own) has an 'Assign IP' or 'Reserve IP' entry; otherwise it will stop receiving an address when its lease expires.

 

Type:
Regular = use this for regular LAN users.
IPsec = use this for IPsec client-to-site (dial-up VPN) users.

 

On v7.2.x the 'MAC Reservation + Access Control' option looks like the screenshot below:

[Screenshot: Capture123.PNG]

 

Create an IP address assignment rule to block, reserve, or assign an IP address based on the MAC address.

 

[Screenshot: Capture-1.PNG]

 

With the Action set to 'Block', the MAC address is prevented from receiving an IP address from the DHCP pool:

 

[Screenshot: Capture-2.PNG]

 

To configure via CLI:


config system dhcp server
    edit 2                                    <----- ID of the DHCP server to edit.
        config reserved-address
            edit 0                            <----- 0 creates a new entry with the next free ID.
                set ip 10.5.16.1              <----- IP address; only used with action 'reserved' and must be inside the DHCP range.
                set mac aa:bb:cc:dd:ee:ff     <----- MAC address of the client.
                set action {assign | block | reserved}   <----- assign = Assign IP, block = Block, reserved = Reserve IP.
            next
        end
    next
end
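As an added example (not from the article or from Fortinet), the following Python script validates a set of MAC ACL entries and renders the CLI block for the allow-list case described in the Solution section: it normalises MAC addresses to the colon-separated form FortiOS uses, rejects duplicate MACs and reservations that fall outside the DHCP range, refuses an IP on 'assign' or 'block' entries, and sets the 'Unknown MAC Address' action. The DHCP range, MAC addresses and IP addresses are constructed sample data, and the `mac-acl-default-action` keyword is assumed from the FortiOS CLI reference rather than taken from the page.

```python
"""Build and validate a FortiGate DHCP MAC ACL (MAC Reservation + Access Control).

Added example, not Fortinet's code.  It checks the entries the way a careful
administrator would before pasting them into the FortiOS CLI, then emits the
'config system dhcp server' block.  The keyword 'mac-acl-default-action' (the
CLI form of the GUI's 'Unknown MAC Address' setting) is assumed from the
FortiOS CLI reference; it is not shown in the article.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

VALID_ACTIONS = {"assign", "block", "reserved"}   # Assign IP / Block / Reserve IP
VALID_TYPES = {"regular", "ipsec"}                # regular LAN client / IPsec dial-up client


@dataclass(frozen=True)
class AclEntry:
    mac: str                       # any common notation; normalised by validate_entries
    action: str                    # one of VALID_ACTIONS
    ip: Optional[str] = None       # required for 'reserved', rejected otherwise
    entry_type: str = "regular"    # one of VALID_TYPES


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff and
    return the lower-case colon-separated form FortiOS uses."""
    digits = re.sub(r"[:.\-\s]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"invalid MAC address: {mac!r}")
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def validate_entries(entries: List[AclEntry], pool_start: str, pool_end: str) -> List[AclEntry]:
    """Normalise MACs, reject duplicates, and enforce that every 'reserved'
    address lies inside the DHCP range (the check the article asks for)."""
    start, end = ipaddress.IPv4Address(pool_start), ipaddress.IPv4Address(pool_end)
    if start > end:
        raise ValueError(f"DHCP range start {start} is after end {end}")
    seen_macs, seen_ips, result = set(), set(), []
    for e in entries:
        mac = normalize_mac(e.mac)
        if e.action not in VALID_ACTIONS:
            raise ValueError(f"{mac}: unknown action {e.action!r}")
        if e.entry_type not in VALID_TYPES:
            raise ValueError(f"{mac}: unknown type {e.entry_type!r}")
        if mac in seen_macs:
            raise ValueError(f"{mac}: duplicate entry")
        if e.action == "reserved":
            if e.ip is None:
                raise ValueError(f"{mac}: 'reserved' needs an IP address")
            ip = ipaddress.IPv4Address(e.ip)
            if not start <= ip <= end:
                raise ValueError(f"{mac}: reserved IP {ip} is outside the DHCP range {start}-{end}")
            if ip in seen_ips:
                raise ValueError(f"{mac}: IP {ip} is already reserved for another MAC")
            seen_ips.add(ip)
        elif e.ip is not None:
            raise ValueError(f"{mac}: an IP address is only meaningful for 'reserved'")
        seen_macs.add(mac)
        result.append(AclEntry(mac, e.action, e.ip, e.entry_type))
    return result


def render_cli(server_id: int, entries: List[AclEntry], default_action: str = "block") -> str:
    """Emit the FortiOS CLI block.  default_action is the 'Unknown MAC Address'
    setting: 'block' makes the list an allow list, 'assign' makes it a block list."""
    if default_action not in {"assign", "block"}:
        raise ValueError(f"default action must be 'assign' or 'block', got {default_action!r}")
    lines = [
        "config system dhcp server",
        f"    edit {server_id}",
        f"        set mac-acl-default-action {default_action}",   # assumed CLI keyword, see docstring
        "        config reserved-address",
    ]
    for e in entries:
        lines += ["            edit 0",                            # 0 = new entry with the next free ID
                  f"                set type {e.entry_type}",
                  f"                set mac {e.mac}",
                  f"                set action {e.action}"]
        if e.action == "reserved":
            lines.append(f"                set ip {e.ip}")
        lines.append("            next")
    lines += ["        end", "    next", "end"]
    return "\n".join(lines)


def build_example() -> str:
    """Constructed sample data: an allow list for a LAN pool 10.5.16.100-10.5.16.199."""
    entries = [
        AclEntry("00:11:22:33:44:55", "reserved", "10.5.16.150"),     # printer keeps a fixed address
        AclEntry("AA-BB-CC-DD-EE-FF", "assign"),                      # laptop gets any pool address
        AclEntry("aabb.ccdd.ee01", "block"),                          # explicit block, kept even if the default changes
        AclEntry("02:00:5e:00:00:01", "assign", entry_type="ipsec"),  # IPsec dial-up client
    ]
    return render_cli(2, validate_entries(entries, "10.5.16.100", "10.5.16.199"))


if __name__ == "__main__":
    print(build_example())
```

Running the script prints a block that can be pasted into the FortiGate CLI; a reservation outside the pool, a duplicate MAC, or an IP on an 'assign' entry is rejected before anything is emitted.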

 

Related articles

Technical Tip: Blocking a MAC address in FortiGate using a Firewall Policy
Technical Note : Configuring MAC address filtering on a FortiGate - IP/MAC binding

Technical Tip : How to Block Unknown MAC Addresses without assigning IP addresses in DHCP