Description
This article describes how to create MAC address based policies in the IPv4 policy.
Solution
# Configuration GUI
1) Screenshot illustrating the creation of the MAC address in the addresses:
Go to Firewall -> Policy & Objects -> Addresses -> Create new -> Address -> Select Type as MAC address
Specify the name and MAC address of the respective users.
2) Screenshot illustrating the creation of the firewall policy with the MAC address as source address (Device based policy has been removed from V6.2.0) in order to use the MAC address directly on the IPv4 policy:
Go to Policy & Objects -> IPv4 policy -> Create new -> Specify the source address as the MAC address created in Addresses
To create the address on the CLI:
# config firewall address
    edit "MAC_based"
        set type mac
        set start-mac 00:69:72:01:2b:01
        set end-mac 00:69:72:01:2b:01
    next
end
To create the IPv4 policy in CLI:
# config firewall policy
    edit <policy ID>
        set name "MAC_Address_policy"
        set srcintf "port3"
        set dstintf "port1"
        set srcaddr "MAC_based" <----- Specify the MAC address created in Addresses
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end
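When address objects like "MAC_based" are needed for many users, a mistyped or non-host MAC produces a policy that never matches. The following is an added example, not part of the original article or Fortinet tooling: a Python helper that validates an inventory and emits the same `config firewall address` syntax shown above. The inventory names and MAC values are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample inventory (hypothetical names and MACs, not from the article).
SAMPLE_INVENTORY = {
    "MAC_alice": "00-69-72-01-2B-01",
    "MAC_bob": "0069.7201.2b02",
    "MAC_bad_len": "00:69:72:01:2b",
    "MAC_multicast": "01:00:5e:00:00:fb",
}
NAME_RE = re.compile(r"[A-Za-z0-9_.-]+")  # keeps quotes/newlines out of the CLI text

def normalize_mac(raw):
    """Return the MAC as lowercase aa:bb:cc:dd:ee:ff, or raise ValueError."""
    digits = re.sub(r"[:.\-]", "", raw.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    if int(digits[:2], 16) & 0x01:
        # I/G bit set: a multicast/broadcast address is never a host's source MAC.
        raise ValueError(f"multicast/broadcast MAC cannot identify a host: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def build_address_config(inventory):
    """Return (cli_text, rejected) for a {object name: MAC} inventory."""
    lines, rejected, seen = ["config firewall address"], {}, {}
    for name, raw in inventory.items():
        try:
            if not NAME_RE.fullmatch(name):
                raise ValueError("object name contains characters unsafe for the CLI")
            mac = normalize_mac(raw)
            if mac in seen:
                raise ValueError(f"duplicate of {seen[mac]}")
        except ValueError as exc:
            rejected[name] = str(exc)
            continue
        seen[mac] = name
        lines += [
            f'    edit "{name}"',
            "        set type mac",
            f"        set start-mac {mac}",
            f"        set end-mac {mac}",
            "    next",
        ]
    lines.append("end")
    return "\n".join(lines), rejected

if __name__ == "__main__":
    cli, rejected = build_address_config(SAMPLE_INVENTORY)
    print(cli)
    for name, reason in rejected.items():
        print(f"# skipped {name}: {reason}")
```

Review the rejected entries before pasting the generated block into the CLI, since a skipped user will not match the MAC-based policy.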
# Verification of Configuration and troubleshooting
To check whether the policy is in effect, initiate traffic from the client machine and check it on the firewall and in FortiView.
1) FortiView -> Sources -> Filter with the source IP -> Policies
The policy ID shows whether the respective PC is matching the intended policy.
2) Log & Report -> Forward traffic -> Filter the source IP -> Check the current traffic of the client machine
Screenshot of the forwarded traffic from the client machine: