New_Member
New Contributor

How to block internet access by MAC address!

Hi all,

I am using a FortiGate 300C v5.0.

I want to block internet access for some PCs by MAC address, so when I created a device identity policy with Authentication Rules action=Deny, all PCs couldn't access the internet.

Kindly help to fix this issue!

Many thanks

 

MrN3ff
New Contributor

With v5.2 we've done this a few ways... Only one is leveraging MAC addresses though...

 

Option 1 - (if machine is permanently blocked from internet)

  > Open DHCP monitor > right-click DHCP lease > create/edit IP Reservation > set action "Block"

 

Option 2 - (if you want all users to authenticate - I use this option since we have many users using the same computer, so I can't block a certain machine's MAC. Put policies above this policy for internal traffic, i.e. intranet sites, services, etc.)

  > Create policy: Internal > Src=DHCP scope/all computers > User Group or User > Internet > All > ALWAYS > All

 

I believe on v5.0 you can find the same settings stated in Option 1 under "System>Network>Interfaces" and look for your internal network handing out DHCP leases (if done locally with Fortigate).  Click the "Advanced.." hyperlink and add MAC addresses with appropriate action. Hope some of this helps.

Bromont_FTNT

Enable "Device Management --> Detect and Identify Devices" on your LAN interface

 

Under User&Device --> Device --> Device definitions create a group of blocked MAC IDs

 

In your firewall policy, block the device group you need blocked (scales) but allow ALL

New_Member

Thanks for your help!

I already configured the FortiGate following your advice, but it still denies all users access to the internet.

Bromont_FTNT

According to your screenshot above you DENY for both scales and ALL

New_Member

I understood! But the second line in the Authentication Rules is the FortiGate default; I could not edit this rule.

Could you advise me?

ede_pfau
Esteemed Contributor III

Try to add an "ALL-ALL-ACCEPT" rule, and see what happens.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
nicovon

I need to prevent internet access by MAC filtering, but not for the wireless internet connection. I need to block the wired internet connection. How do I have to set up the rule? I have a fortiguard 90d.

ede_pfau
Esteemed Contributor III

You have hijacked a thread that is already over one year old. Please start a thread on your own.

Second, supply sufficient information so that one can help - version of FortiOS, at least.


Ede

"Kernel panic: Aiee, killing interrupt handler!"