FortiGate
vinodhk
Staff
Article Id 189525
Description
This article explains how to create MAC address based IPv4 policy.

Solution
Starting with version 6.2, a new address type, “Device (MAC address)”, is available. It can be used in the following policies:

- IPv4 Firewall Policy.
- IPv4 Virtual Wire Pair Policy.
- IPv4 ACL Policy.
- IPv4 Central SNAT Policy.
- IPv4 DoS Policy.


To configure a MAC address based IPv4 policy using the GUI:


1) Go to Policy & Objects -> Addresses to create or edit an address.


Category: Select Address

Type: Select MAC Address
MAC address Scope: Select Single Address or Range

Enter the MAC address and click 'OK'.



2) Go to Policy & Objects -> IPv4 Policy to apply the address type to a policy in a NAT mode VDOM.

Create a new policy
Source: Select this MAC address object

Enter the other fields and click 'OK'.





To configure a MAC address based IPv4 policy using CLI:

1) Create a new MAC address object:
#config firewall address
edit <name>
set type mac
set start-mac <mac_address_start#>
set end-mac <mac_address_end#>
next
end

2) Apply the address type to a policy

Example:
#config firewall policy
edit 1
set name "mac-addr-policy"
set srcintf "port2"
set dstintf "port1"
set srcaddr "Test-MAC-addr"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set fsso disable
set nat enable
next
end
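
As an added example (not Fortinet's code and not part of the original article), this Python helper validates a MAC address or range and emits the step 1 address stanza, so a malformed or reversed range from an inventory export is caught before it is pasted into the CLI. The function names, the object-name rule and the sample MACs are assumptions, as is writing a single address with equal start-mac and end-mac.

```python
import re

# Six hex octets with one consistent separator (":" or "-").
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}([:-])[0-9A-Fa-f]{2}(\1[0-9A-Fa-f]{2}){4}")
# Hypothetical conservative name rule (not FortiOS's own): no quotes, spaces or
# newlines, so a crafted name cannot smuggle extra CLI lines into the output.
NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,79}")


def normalize_mac(mac):
    """Return the MAC as lowercase colon-separated octets, or raise ValueError."""
    mac = mac.strip()
    if not MAC_RE.fullmatch(mac):
        raise ValueError(f"not a valid MAC address: {mac!r}")
    return mac.replace("-", ":").lower()


def mac_address_object(name, start_mac, end_mac=None):
    """Build the 'config firewall address' stanza for one MAC address object."""
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"unsafe object name: {name!r}")
    start = normalize_mac(start_mac)
    # Assumption: a single address is written as a range whose ends are equal.
    end = normalize_mac(end_mac) if end_mac else start
    # Compare numerically so a reversed range is rejected before it reaches the firewall.
    if int(start.replace(":", ""), 16) > int(end.replace(":", ""), 16):
        raise ValueError(f"start-mac {start} is greater than end-mac {end}")
    return "\n".join([
        "config firewall address",
        f'    edit "{name}"',
        "        set type mac",
        f"        set start-mac {start}",
        f"        set end-mac {end}",
        "    next",
        "end",
    ])


if __name__ == "__main__":
    # Constructed sample values (locally administered MAC range).
    print(mac_address_object("Test-MAC-addr", "02-00-5E-00-00-10", "02:00:5e:00:00:1f"))
```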

Important Note:
For policies in a NAT mode VDOM, this new MAC address type is supported only as a source address.
For policies in Transparent mode or on a Virtual Wire Pair interface, this address type can be used as a source or destination.






