Hi, I have two policies configured:
1. Subtype Device: authentication by MAC (two PCs -> two MAC addresses) to all, Allow
2. Subtype Address: source LAN (192.168.1.0/24) to all, Allow
The problem is that only the devices authenticated by MAC (the two PCs) can access the Internet; the counters of Policy 2, which allows LAN (192.168.1.0/24) access to the Internet, are 0. If I move Policy 2 above Policy 1 then all traffic goes through Policy 2. What is needed: the two PCs (authenticated by MAC addresses) go through Policy 1 (specific UTM features and QoS applied) and all other devices go through Policy 2.
TIA
Hi
Please upgrade the firmware to 5.2.
Regards
Bikash
Please note that if the device is not known with a certain level of confidence, then device-based policies do not work as expected.
Therefore, if you need the rules always applied to those two devices, I would suggest giving those two static IPs, or using a per-MAC DHCP IP reservation, so that if a device asks it will always get the same IP. Then make explicit source-IP-based policies for those two. Yes, it is the old-school way, but quite stable and proven to work.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
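The configuration the answer above describes, written out as an added example (it is not from this thread and not Fortinet's own documentation). It assumes a FortiGate with the LAN on interface "internal", the Internet on "wan1", DHCP server entry 1 serving 192.168.1.0/24, two constructed MAC addresses, and an already existing traffic shaper named "high-priority"; all of these names and values are assumptions and need to be replaced with your own. The point is the policy order: the /32 policy for the two PCs must sit above the /24 LAN policy, because FortiOS evaluates policies top-down and the first match wins, which is exactly why the /24 policy swallowed everything when it was moved to the top.

```fortios
# Added example, not from the thread. All interface names, IPs, MACs and
# profile names below are assumptions.

# 1. Pin each PC to a fixed IP with a DHCP reservation (MAC -> IP).
config system dhcp server
    edit 1
        set interface "internal"
        config reserved-address
            edit 1
                set ip 192.168.1.11
                set mac 00:11:22:33:44:01
            next
            edit 2
                set ip 192.168.1.12
                set mac 00:11:22:33:44:02
            next
        end
    next
end

# 2. Address objects: one /32 per PC, one /24 for the rest of the LAN.
config firewall address
    edit "PC1"
        set subnet 192.168.1.11 255.255.255.255
    next
    edit "PC2"
        set subnet 192.168.1.12 255.255.255.255
    next
    edit "LAN"
        set subnet 192.168.1.0 255.255.255.0
    next
end

# 3. Policies. Policy 1 (the two PCs, with UTM and QoS) must be above
#    policy 2 (everyone else); first match wins.
config firewall policy
    edit 1
        set name "PCs-UTM-QoS"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "PC1" "PC2"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set av-profile "default"
        set webfilter-profile "default"
        set ssl-ssh-profile "certificate-inspection"
        set traffic-shaper "high-priority"
        set nat enable
    next
    edit 2
        set name "LAN-Internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "LAN"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

If the LAN policy already exists with a lower ID than the new PC policy, reorder it from the CLI with `move <pc-policy-id> before <lan-policy-id>` inside `config firewall policy`, rather than recreating it. After the two PCs renew their leases, `execute dhcp lease-list` should show them on 192.168.1.11 and .12; from then on the PC policy's counters should move only for those two hosts and the LAN policy's counters for everything else. Note that this only removes the dependency on device fingerprinting; a host that spoofs one of the reserved MACs will still be handed the reserved IP, so this is not an authentication control, which is the objection raised in the next reply.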
I have to disagree with MAC-based identification or ipmacbinding; this can easily be spoofed and hijacked. Using user network access and identity-based firewall policies would be so much better, wiser and stronger.
Trusting mac binding is like saying;
" We will only open the outside door to the bank when the person knocks 4 times & has a blue shirt on " .
The robbers across the street only have to watch and repeat, and then they have access to the same bank. This is why they have cameras and a host of other identification enforcement.
Just my thought, but be very careful with the ipmacbinding approach.
PCNSE
NSE
StrongSwan
Not sure we are talking about wireless devices here... In any case this should be achievable without any issue using device identification.
I do agree, but my point was that the MAC-IP bond made by DHCP is better than a device-based policy that depends on device traffic fingerprinting (as there is no active device fingerprinting agreed to be implemented, yet).
Of course we can increase the "bank" security to certificate-based 802.1X device access identification mixed with user identity policy and anything up to two-factor authentication, which is then N times harder to spoof and fake.
But this did not seem to me to be the point/question.
If you simply and temporarily would like to divide a few devices and silently apply different profiles to them, and you do not have 802.1X or similar implemented, then MAC-based division seems to me an easy way to achieve the goal without any unnecessary complexity.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Copyright 2024 Fortinet, Inc. All Rights Reserved.