Created on 11-05-2019 01:47 AM
Edited on 01-14-2025 01:32 AM
By Jean-Philippe_P
Description
This article describes how, in a DHCP environment, an administrator can allow or block (control) a small set of users by combining MAC Reservation with Access Control.
Scope
FortiGate.
Solution
A MAC Address Access Control List (ACL) allows or blocks access on a network interface that has a DHCP server enabled.
A MAC Address ACL works either as a list of blocked devices or as a list of allowed devices; which of the two it is depends on the action set for the 'Unknown MAC Address' entry.
Steps to configure via MAC Reservation + Access Control:
Go to Network -> Interfaces -> edit the interface -> DHCP Server -> Advanced.
Available actions:
One option is available, 'Unknown MAC Address': it sets the action applied to every MAC address that is not listed in the MAC reservation table.
Type:
Regular = Use this for regular LAN users.
IPsec = Use this for IPsec client-to-site users.
On v7.2.x the 'MAC Reservation' option looks as shown in the snippet below:
Create an IP address assignment rule to block, reserve, or assign an IP address based on the MAC address.
The following blocks the MAC address from receiving an IP address from the DHCP pool:
To configure via CLI:
config system dhcp server
    edit 2 <----- ID of the DHCP server entry.
        config reserved-address
            edit 0 <----- 0 creates a new entry with the next free ID.
                set ip 10.5.16.1 <----- IP address (used with action 'reserved').
                set mac aa:bb:cc:dd:ee:ff <----- MAC address.
                set action {assign | block | reserved} <----- Choose one action.
            next
        end
    next
end
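The allow-list versus block-list behaviour described above ('Unknown MAC Address' decides what happens to devices that are not in the reservation table) is easy to get backwards when reading a configuration dump. The following Python script is an added example written for this article, not Fortinet code: it parses a constructed 'config system dhcp server' stanza in the CLI format shown above and reports the effective DHCP decision for a given MAC address. The CLI key 'mac-acl-default-action' is assumed to be the CLI counterpart of the GUI 'Unknown MAC Address' setting, and the sample IDs, interface name, IPs and MAC addresses are made up; verify the key name against the FortiOS version in use.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample in the 'config system dhcp server' CLI format shown in the
# article. The server ID, interface name, IPs and MAC addresses are made up.
# 'mac-acl-default-action' is ASSUMED to be the CLI name of the GUI setting
# 'Unknown MAC Address' (block = allow-list mode, assign = block-list mode).
SAMPLE_CONFIG = """
config system dhcp server
    edit 2
        set interface "port3"
        set mac-acl-default-action block
        config reserved-address
            edit 1
                set ip 10.5.16.1
                set mac aa:bb:cc:dd:ee:ff
                set action reserved
            next
            edit 2
                set mac 00:11:22:33:44:55
                set action block
            next
            edit 3
                set mac 00:11:22:33:44:66
                set action assign
            next
        end
    next
end
"""

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def normalize_mac(mac: str) -> str:
    """Lower-case the address, accept '-' or ':' separators, reject garbage."""
    mac = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac


@dataclass
class ReservedAddress:
    mac: str
    action: str              # assign | block | reserved (as in the article)
    ip: Optional[str] = None  # only meaningful for action 'reserved'


@dataclass
class DhcpServer:
    server_id: str
    default_action: str = "assign"   # what unknown MACs get; assumed default
    reserved: Dict[str, ReservedAddress] = field(default_factory=dict)


def parse_dhcp_servers(text: str) -> List[DhcpServer]:
    """Minimal line-oriented parser for the nested edit/set/next/end format."""
    servers: List[DhcpServer] = []
    server: Optional[DhcpServer] = None
    entry: Optional[ReservedAddress] = None
    in_reserved = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = line.split()
        if line == "config reserved-address":
            in_reserved = True
        elif tokens[0] == "edit":
            if in_reserved:
                entry = ReservedAddress(mac="", action="assign")
            else:
                server = DhcpServer(server_id=tokens[1])
        elif tokens[0] == "set" and len(tokens) >= 3:
            key, value = tokens[1], " ".join(tokens[2:]).strip('"')
            if in_reserved and entry is not None:
                if key == "mac":
                    entry.mac = normalize_mac(value)
                elif key == "ip":
                    entry.ip = value
                elif key == "action":
                    entry.action = value
            elif server is not None and key == "mac-acl-default-action":
                server.default_action = value
        elif tokens[0] == "next":
            if in_reserved and entry is not None and server is not None:
                if entry.mac:
                    server.reserved[entry.mac] = entry
                entry = None
            elif server is not None:
                servers.append(server)
                server = None
        elif line == "end" and in_reserved:
            in_reserved = False
    return servers


def acl_mode(server: DhcpServer) -> str:
    """Article rule: the 'Unknown MAC Address' action decides the list semantics."""
    return "allow-list" if server.default_action == "block" else "block-list"


def effective_action(server: DhcpServer, mac: str) -> Tuple[str, Optional[str]]:
    """Return (decision, reserved_ip) for a client MAC on this DHCP server."""
    entry = server.reserved.get(normalize_mac(mac))
    if entry is None:                      # not listed: default action applies
        if server.default_action == "block":
            return ("blocked", None)
        return ("lease-from-pool", None)
    if entry.action == "block":
        return ("blocked", None)
    if entry.action == "reserved":         # fixed IP for this MAC
        return ("lease-reserved-ip", entry.ip)
    return ("lease-from-pool", None)       # action 'assign': dynamic lease


if __name__ == "__main__":
    for srv in parse_dhcp_servers(SAMPLE_CONFIG):
        print(f"server {srv.server_id}: mode={acl_mode(srv)}")
        for probe in ("aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55", "de:ad:be:ef:00:01"):
            print(f"  {probe} -> {effective_action(srv, probe)}")
```

Run it against a saved 'show system dhcp server' output to confirm that the default action matches the intent (an allow-list with 'Unknown MAC Address' left at its permissive default silently becomes a block-list, and any device not explicitly blocked will still obtain a lease).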
Related articles:
Technical Tip: Blocking a MAC address in FortiGate using a Firewall Policy
Technical Note: Configuring MAC address filtering on a FortiGate - IP/MAC binding
Technical Tip: How to Block Unknown MAC Addresses without assigning IP addresses in DHCP
Copyright 2025 Fortinet, Inc. All Rights Reserved.