Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
vbandha
Staff
Staff

Created on ‎09-01-2024 06:09 AM Edited on ‎10-31-2025 06:51 AM By Moderator

Article Id 338128

Troubleshooting Tip: MAC address based policies is not working

Description This article describes how to troubleshoot MAC address-based policies.
Scope FortiGate v6.4+.
Solution

In FortiGate, there is an option to configure MAC address-based policies: MAC address-based policies


These MAC address-type objects can only be used as Source Addresses for firewall policies when the FortiGate is in NAT mode. Also, these are not accepted in other places like if it is desired creating a static route or policy route, etc. 

 

The MAC address is a link-layer address, and it cannot be forwarded to different IP networks.

 

The MAC address type objects can be applied as source address and destination address for policies in Transparent mode or Virtual Wire Pair interface.


An Alternative way to implement this is to create a static IP reservation for these MAC addresses in FortiGate's DHCP server. Then it is possible to use the IP address in the policies and routes.

 

To configure this, first go to Network -> Interface and select the interface where the device is connected and select ‘Edit’:

 

1.JPG

 

Then, under the DHCP server, select Advanced and then go to IP Address Assignment Rules:

 

2.JPG

 

Select 'Create New'. Here, enter the MAC address that is necessary to make a policy for and the IP address desired to be assigned to it:

 

3.JPG

 

Make sure the IP is not part of the DHCP range.

After that, Select OK.

 

CLI:

 

config system dhcp server
    edit 2
        config reserved-address
            edit 0
                set ip 192.168.14.200
                set mac 00:45:6e:64:2b:01
            next
        end
    next
end

 

Now create an address object for this IP. For this, go to Policy & Objects -> Addresses and select Create New-> Address:

 

4.JPG

 

Enter the IP mentioned in the previous step and select OK.

 

CLI:

 

config firewall address
    edit "192.168.14.200"
        set subnet 192.168.14.200 255.255.255.255
    next
end

Now it is possible to create policies, routes, etc for this address object. This will act as a proxy for the MAC address desired to be applied to any policies, routes, etc. Here, there is no limitation that was found in the MAC address-based policies.

 

Quick Tip:
When using MAC address-based policies in FortiGate, always place them above IP-based rules in the policy list.
Since FortiGate processes policies from top to bottom, prioritizing MAC-based policies ensures that specific device-level rules take effect before broader IP-based ones.

 

Related articles:

Technical Tip: How to create the MAC address based policies in FortiGate IPv4 policy  
Technical Tip: How to define a policy route based on MAC address 

Technical Tip: Blocking a MAC address in FortiGate using a Firewall Policy 

 

1462
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.