BaCam
New Contributor

Fortigate cannot find user mac address?

Hello everyone,

Currently, my company is using a Cisco 5525x FMC firewall system. In the near future, I am considering migrating to a Fortigate firewall system. However, I’ve encountered an issue that I haven't been able to resolve: when standing on the Fortigate firewall, I can't see the MAC address, domain users, or the OS of the devices. I know that using the firewall as the gateway could resolve this issue, and since the company’s system is relatively small, I have configured it this way—allowing the firewall to manage and detect all devices it scans. But that setup only works for smaller systems.

For larger systems, I’m not sure if the firewall would be more powerful than the core switch. Therefore, I’ve set the core switch to handle IP address assignment, with the gateway being provided by the core. As a result, my internal users don't pass through the firewall when accessing the server for work, making the process faster. However, when users browse the internet or when I want to block devices by MAC address, this doesn’t seem to work.

Does anyone have a solution for this issue?

My system consists of a core switch that creates VLANs, assigns DHCP, and provides static routes to the firewall. The firewall then routes the VLANs for communication and performs NAT so they can connect to the internet and VPN to other sites via Peplink. The problem is that the firewall cannot identify users, MAC addresses, or OS if the core switch handles routing.


ebilcari
Staff

If the gateway of the hosts resides on the L3 switch, the hosts' MAC information is discarded when the packet is routed from the switch to the FGT. This is a limitation of the network design and you can't change it from the FGT perspective.

In this setup you can try to explore and implement FSSO, which is able to tie domain users (groups) to their IPs that can be later used in firewall policies.

- Emirjon
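As an added illustration of the FSSO approach suggested in the reply (this is not configuration from the original post or from Fortinet), the FortiOS CLI below registers a collector agent, maps an AD group to an FSSO user group, and uses that group as the identity match in an internet policy; the collector IP, password, interface names, group DN and policy ID are assumed placeholders that must be replaced with your own values.

```fortios
# Assumed values: collector agent at 10.0.0.5, LAN-facing interface "internal",
# WAN interface "wan1". Because the core switch routes before the FGT, the policy
# matches on user identity (IP learned via FSSO), not on the host MAC address.
config user fsso
    edit "fsso-collector"
        set server "10.0.0.5"
        set password "REPLACE_WITH_COLLECTOR_PASSWORD"
    next
end

# Bind an AD group (DN is a placeholder) to a FortiGate user group of type fsso-service.
config user group
    edit "FSSO-Domain-Users"
        set group-type fsso-service
        set member "CN=Domain Users,CN=Users,DC=example,DC=com"
    next
end

# Internet policy for routed VLAN traffic arriving from the core switch:
# only logged-on members of the FSSO group are allowed out, with source NAT.
config firewall policy
    edit 10
        set name "fsso-users-to-internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "FSSO-Domain-Users"
        set nat enable
    next
end
```

To check that the collector is reachable and that user-to-IP mappings are being learned, run `diagnose debug authd fsso server-status` and `diagnose debug authd fsso list` from the CLI.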