Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
JJones_VillageMD
New Contributor II

Created on ‎10-05-2022 11:25 AM

MAC Address usage for Dynamic Firewall Address

Hello, In our Policy Package I am trying to create Per-Device mapping for Device MAC address labels as Dynamic Firewall Addresses.

We have templated locations where we keep standard Printer names "FrontDesk, MFP, Label1, Etc. Names will stay the same but the MAC address is different obviously.

 

The problem is that using the MAC Address, we cant see how to reference them in the Policy Package so they never get copied onto the FortiGate when syncing.

 

I attempting to make a group "Printers" and assigning the dynamic objects then applied to a Firewall Policy "placeholder" but the group wont work since they don't contain any IP addresses.

Any direction here.

Justin J - NSE4
Justin J - NSE4
Labels:
883
0 Kudos
4 REPLIES 4
gfleming
Staff
Staff

Created on ‎10-05-2022 11:39 AM

Can you show the configuration of one of your printer objects? Perhaps FrontDesk as an example. Please show config of this object and the per-device mapping. 

 

And please clearly explain the error. The group won't work in FMG or it won't work when pushing it to FGT?

Cheers,
Graham
878
0 Kudos
JJones_VillageMD
New Contributor II
In response to gfleming

Created on ‎10-05-2022 01:08 PM Edited on ‎10-05-2022 01:08 PM

Thanks for the quick reply. The objects and group "Printers" work FMG, but wont push to the FGT.

 

Here is the background of the issue in more detail.
When our sites get deployed, we have DHCP reservations created for the Printers and the MAC address labels are created under address objects manually on the device.  If we sync to a Policy Package, it will delete these saved labels since they don't exist in FortiManager. With that said we are trying to map using the Dynamic Firewall Addresses in FortiManager. What we are experiencing is since the Device MAC Addresses are not referenced anywhere in the Firewall Policy they are not getting applied to the device.

 

We are trying to get to only 1 standardized Policy Package and do not want to import Policy Package per device.

 

Here is the Printer Object "FrontDesk"

For MAC Address field the are using a "place holder" since we are only targeting Per Device Mapping

Screenshot 2022-10-05 145615.png

Justin J - NSE4
Justin J - NSE4
871
0 Kudos
gfleming
Staff
Staff
In response to JJones_VillageMD

Created on ‎10-05-2022 01:35 PM

OK yea I don't think FMG supports using dynamic address objects in the DHCP Server reservation settings.

 

This is a limitation of FMG that I don't think will let you do what you want.

 

If you reference the MAC address object in a FW policy, it will get installed on the FGT.

 

However, there's no way to reference the MAC address object in the DHCP config (either in system templates or interface config).

Cheers,
Graham
864
0 Kudos
JJones_VillageMD
New Contributor II

Created on ‎10-05-2022 02:38 PM Edited on ‎10-05-2022 02:40 PM

Did some trial and error here... Creating a "dummy" firewall policy with a group with the printer dynamic mac addresses seems to be working. We can use this in the future to add additional LAN objects that need referencing.

 

JJones_VillageMD_0-1665005909047.png

 

Justin J - NSE4
Justin J - NSE4
856
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.