FortiGate
spathak, Staff
Article Id 195304

Description

This article describes how, in a DHCP environment, specific users can be allowed or blocked (controlled) using MAC Reservation + Access Control.

Scope

FortiGate.

Solution

A MAC Address Access Control List (ACL) allows or blocks access on a network interface that has a DHCP server enabled.

A MAC Address ACL functions as either a list of blocked devices or a list of allowed devices. Which of the two it is depends on the 'Unknown MAC Address' entry.

  • By default, the ACL is a list of blocked devices: the 'Unknown MAC Address' entry's Action is 'Assign IP'. Add an entry for each MAC address to be blocked and set its Action to 'Block'.
  • To make the ACL allow only a limited set of devices, set the 'Unknown MAC Address' entry to 'Block'. Then add an entry for the MAC address of each allowed device and set its Action to 'Assign IP'.
  • It is also possible to reserve an IP for a particular MAC address, so that the device with that MAC address receives the same reserved IP every time.

Steps to configure MAC Reservation + Access Control:
Go to Network -> Interface -> edit the Interface -> DHCP server -> Advanced.

Available actions:

  1. Reserve IP: reserves the specified IP for the defined MAC address. Make sure the reserved IP is taken from the DHCP range.
  2. Assign IP: the MAC address receives an IP from the configured DHCP range.
  3. Block: the DHCP server will not assign any IP to that MAC address.

One further option is available: 'Unknown MAC Address'. It applies to any MAC address that does not match an entry in the list and sets the action taken for all such addresses.

  • The action for 'Unknown MAC Address' can be set to 'Assign IP' or 'Block IP'.
    (The recommendation is to set the action to Block IP.)

Type:
Regular = use this for regular LAN users
IPsec = use this for IPsec client-to-site users
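The same MAC Reservation + Access Control setup expressed in the FortiOS CLI, as an added example that is not part of the original article; the DHCP server ID, interface name, address range and MAC addresses are constructed placeholders.

```fortios
# Added example (not from the article): DHCP server on "port2" with a MAC ACL.
# The entry IDs, interface, IP range and all MAC addresses are constructed.
config system dhcp server
    edit 1
        set interface "port2"
        set default-gateway 192.168.10.1
        set netmask 255.255.255.0
        set dns-service default
        config ip-range
            edit 1
                set start-ip 192.168.10.100
                set end-ip 192.168.10.200
            next
        end
        # 'Unknown MAC Address' action: block every MAC not listed below,
        # which turns the ACL into an allow list (the article's recommendation).
        set mac-acl-default-action block
        config reserved-address
            # Reserve IP: the reserved IP must fall inside the ip-range above.
            edit 1
                set type regular
                set mac 00:11:22:33:44:55
                set action reserved
                set ip 192.168.10.150
            next
            # Assign IP: allowed device, takes any free address from the range.
            edit 2
                set type regular
                set mac 00:11:22:33:44:66
                set action assign
            next
            # Block: this device never receives a lease. An explicit block entry
            # is what is needed when the default action is left at 'assign'.
            edit 3
                set type regular
                set mac 00:11:22:33:44:77
                set action block
            next
        end
    next
end
```

Setting mac-acl-default-action to assign instead gives the default behaviour, a block list, where only the MAC addresses with action block are refused a lease.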


On FortiOS v7.2.x, the 'MAC Reservation' option looks as shown in the screenshot below:

[Screenshot: Capture123.PNG]


Create an IP address assignment rule to block, reserve, or assign an IP based on the MAC address:

[Screenshot: Capture-1.PNG]


This entry blocks the MAC address from receiving an IP from the DHCP pool:

[Screenshot: Capture-2.PNG]