Article Id 286940
Description This article describes the expected behavior when MAC Address objects are used on SD-WAN rules.
Scope FortiOS 7.2.x.

Occasionally, there is a need to utilize MAC Address objects as sources or destinations in SD-WAN Rules. These objects can encompass multiple MAC Addresses, especially when devices possess multiple NICs.

However, when a MAC address object configured with multiple MAC addresses is used in an SD-WAN rule, it might not function correctly. This occurs because an SD-WAN rule is designed to map a specific device to a single MAC address and then to a rule, not to multiple addresses.

The observed behavior when employing MAC Address Objects within a rule containing multiple MAC Addresses could include the following:

  1. Inconsistency in SD-WAN Rule application, where some users might be affected by the rule, while others are not.
  2. In the output of the 'diagnose sys sdwan service <Rule ID>' command, fewer MAC addresses than are actually configured in the rule may be visible under the source MAC or destination MAC fields.


For example:




Note that there is a MAC object named 'AUDI15_Wifi' that contains 2 MAC addresses. This object is also part of a group named 'MAC_ADDR_GROUP_1'. The object has been included in SD-WAN rule '1', named TEST.



Upon inspecting the Rule Status via the CLI, only one MAC address is displayed, despite the object containing 2 MAC addresses.

Consequently, if a device attempts network access using an NIC associated with the second MAC Address within the MAC Address Object, it will not trigger the rule.

It is strongly advised to use address objects that contain a single MAC address. If two MAC addresses are associated with the same device, it is recommended to create two separate MAC objects, one for each MAC address.
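
One way to find affected rules before they silently miss traffic is to audit a configuration backup for SD-WAN rules that reference a multi-MAC object, directly or through an address group. This is an added example, not Fortinet code: it assumes the backup uses `config firewall address` (`set type mac`, `set macaddr`), `config firewall addrgrp` (`set member`) and `config system sdwan` / `config service` (`set src`, `set dst`), and the sample configuration and MAC values are constructed.

```python
import shlex
# Constructed sample in FortiOS backup syntax; the MAC values are made up.
SAMPLE = '''config firewall address
    edit "AUDI15_Wifi"
        set type mac
        set macaddr "02:00:00:00:00:01" "02:00:00:00:00:02"
    next
end
config firewall addrgrp
    edit "MAC_ADDR_GROUP_1"
        set member "AUDI15_Wifi"
    next
end
config system sdwan
    config service
        edit 1
            set src "MAC_ADDR_GROUP_1"
        next
    end
end'''

def parse(text):
    """Return {config path: {edit name: {setting: [values]}}} (simplified parser)."""
    tables, path, entry = {}, [], None
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] == "config":
            path.append(" ".join(tok[1:]))
        elif tok[0] == "end":
            path.pop()
            entry = None
        elif tok[0] == "edit":
            entry = tables.setdefault("/".join(path), {}).setdefault(tok[1], {})
        elif tok[0] == "set" and entry is not None:
            entry[tok[1]] = tok[2:]
    return tables

def audit(text):
    """List (rule id, field, object) where an SD-WAN rule uses a multi-MAC object."""
    t = parse(text)
    groups = t.get("firewall addrgrp", {})
    multi = {n for n, a in t.get("firewall address", {}).items()
             if a.get("type") == ["mac"] and len(a.get("macaddr", [])) > 1}
    def expand(name, seen=()):  # resolve address groups, guarding against loops
        if name not in groups or name in seen:
            return [name]
        return [o for m in groups[name].get("member", []) for o in expand(m, seen + (name,))]
    return [(rid, f, o) for rid, rule in t.get("system sdwan/service", {}).items()
            for f in ("src", "dst") for ref in rule.get(f, []) for o in expand(ref)
            if o in multi]
```

Each tuple returned by `audit()` names a rule and the object to split into single-MAC objects; an empty list means no SD-WAN rule depends on a multi-MAC object.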