FortiGate
vbandha
Staff
Article Id 338128
Description This article describes how to troubleshoot MAC address-based policies.
Scope FortiGate v6.4+.
Solution

In FortiGate, there is an option to configure MAC address-based policies (see the separate article on MAC address-based policies).


These MAC address-type objects can only be used as the Source Address of a firewall policy. They are not accepted anywhere else, for example when creating a static route or a policy route.


An alternative way to implement this is to create a static IP reservation for the MAC address in FortiGate's DHCP server. The reserved IP address can then be used in policies and routes.

To configure this, first go to Network -> Interfaces, select the interface the device is connected to, and select 'Edit':


Then, under DHCP Server, select Advanced and go to IP Address Assignment Rules:


Select 'Create New'. Enter the MAC address the policy is needed for and the IP address to be assigned to it:


Make sure the IP is not part of the DHCP range.

Then select OK.

CLI

config system dhcp server
    edit 2
        config reserved-address
            edit 0
                set ip 192.168.14.200
                set mac 00:45:6e:64:2b:01
            next
        end
    next
end

Now create an address object for this IP. Go to Policy & Objects -> Addresses and select Create New -> Address:


Enter the IP mentioned in the previous step and select OK.

CLI

config firewall address
    edit "192.168.14.200"
        set subnet 192.168.14.200 255.255.255.255
    next
end

Now policies, routes, etc. can be created for this address object. It acts as a proxy for the MAC address in any policy or route, without the limitation found in MAC address-based policies.
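The two CLI steps above are easy to get wrong by hand when several devices need reservations, and the article's rule that the reserved IP must sit outside the DHCP range is not enforced by the CLI itself. The following script is an added example, not Fortinet code or part of this article: it validates each MAC/IP pair, rejects reserved IPs that fall inside the dynamic pool, and emits both the 'config system dhcp server' and 'config firewall address' blocks in the form shown above. The DHCP server ID (2) and the sample MAC/IP come from the article; the interface subnet (192.168.14.0/24), the dynamic pool bounds (192.168.14.100 to 192.168.14.199) and the second MAC address are constructed assumptions and must be replaced with the real values.

```python
"""Generate FortiOS CLI for DHCP reservations plus matching address objects.

Added example; not Fortinet code. The DHCP server ID and pool bounds below
are assumptions and must match the DHCP server on the target interface.
"""
import ipaddress
import re

# FortiOS expects colon-separated, lowercase hex octets for 'set mac'.
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def normalize_mac(mac: str) -> str:
    """Return the MAC in FortiOS form (aa:bb:cc:dd:ee:ff) or raise ValueError."""
    m = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(m):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return m


def check_reserved_ip(ip: str, pool_start: str, pool_end: str,
                      subnet: str) -> ipaddress.IPv4Address:
    """Enforce the article's rule: the reserved IP must be on the interface
    subnet but outside the dynamic DHCP pool, otherwise the server could hand
    the same address to another client."""
    addr = ipaddress.IPv4Address(ip)
    net = ipaddress.IPv4Network(subnet, strict=False)
    if addr not in net:
        raise ValueError(f"{addr} is not inside {net}")
    if ipaddress.IPv4Address(pool_start) <= addr <= ipaddress.IPv4Address(pool_end):
        raise ValueError(f"{addr} lies inside the DHCP pool {pool_start}-{pool_end}")
    return addr


def reservation_cli(server_id: int, reservations: list, pool_start: str,
                    pool_end: str, subnet: str) -> str:
    """Emit the 'config system dhcp server' block with one reserved-address
    entry per (mac, ip) pair. Duplicate MACs or IPs are rejected."""
    lines = ["config system dhcp server", f"    edit {server_id}",
             "        config reserved-address"]
    seen_macs, seen_ips = set(), set()
    for mac, ip in reservations:
        m = normalize_mac(mac)
        addr = check_reserved_ip(ip, pool_start, pool_end, subnet)
        if m in seen_macs or addr in seen_ips:
            raise ValueError(f"duplicate reservation for {m} / {addr}")
        seen_macs.add(m)
        seen_ips.add(addr)
        lines += ["            edit 0",  # 0: FortiOS assigns the next free entry ID
                  f"                set ip {addr}",
                  f"                set mac {m}",
                  "            next"]
    lines += ["        end", "    next", "end"]
    return "\n".join(lines)


def address_cli(reservations: list) -> str:
    """Emit one /32 firewall address object per reserved IP, named after the
    IP as in the article."""
    lines = ["config firewall address"]
    for _, ip in reservations:
        addr = ipaddress.IPv4Address(ip)
        lines += [f'    edit "{addr}"',
                  f"        set subnet {addr} 255.255.255.255",
                  "    next"]
    lines.append("end")
    return "\n".join(lines)


# Constructed sample input: first pair is the article's, second is made up.
SERVER_ID = 2                      # DHCP server ID from the article
SUBNET = "192.168.14.0/24"         # assumed interface subnet
POOL_START, POOL_END = "192.168.14.100", "192.168.14.199"  # assumed pool
RESERVATIONS = [
    ("00:45:6e:64:2b:01", "192.168.14.200"),
    ("00-45-6E-64-2B-02", "192.168.14.201"),
]

if __name__ == "__main__":
    print(reservation_cli(SERVER_ID, RESERVATIONS, POOL_START, POOL_END, SUBNET))
    print()
    print(address_cli(RESERVATIONS))
```

Paste the two printed blocks into the FortiGate CLI in that order. Note what this approach does and does not check: the firewall policy matches on the reserved IP, not on the MAC, so a host that configures that IP statically (or obtains it some other way) matches the address object regardless of its MAC. The reservation gives a stable address for policy and routing purposes; it is not an authentication of the device.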