robinh007
New Contributor III

MAC based policy not working with L3 switch

Hi,
We have two firewalls located in different locations: Firewall A and Firewall B. Both setups include an L3 device positioned between the LAN and the firewall.
In Firewall A, the relevant subnet appears as directly connected, whereas in Firewall B, the subnet is marked as statically connected. This indicates that in the Firewall B setup, the switch acts as the gateway, causing the firewall to receive the MAC address of the L3 device instead of the end-user device.
However, in the Firewall A network, even with the L3 setup, the firewall acts as the gateway for the subnet, enabling it to detect actual client MAC addresses and enforce MAC-based policies.
Consequently, MAC-based policies do not function in the Firewall B setup because the L3 device serves as the gateway. In contrast, these policies work in the Firewall A setup, where the firewall directly receives the MAC addresses of the client devices.
RH007
ebilcari
Staff

I assume that in the network behind FGT A, even though the hosts are connected to an L3 switch, the switch might be configured to extend the VLAN of the relevant hosts directly to the FGT, which acts as the gateway. On the other hand, FGT B appears to be routing these subnets, which would explain the behavior you're observing.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
robinh007
New Contributor III

@ebilcari  Thank you for the explanation. What steps can be taken in FGT B to address and resolve the issue effectively?

RH007
ebilcari

I guess in this case it will be easier to mimic the working configuration of site A. I think it should have the switch uplink configured as a trunk (multiple tagged VLANs) and on the FGT side it has sub-interfaces with the same VLAN IDs, like:

[screenshot: sunbinter.PNG]

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
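As an added example (not from the original thread or from Fortinet documentation), this is what the site-A-style setup looks like on FortiGate B in CLI form: a VLAN sub-interface on the trunk uplink so the FGT becomes the hosts' gateway, then a MAC-type address object and a policy that uses it. Interface names, VLAN 10, the subnet and the MAC value are constructed assumptions; the `set type mac` / `set macaddr` syntax is assumed for FortiOS 7.0 or later.

```fortios
# FortiGate B side. Assumed: port2 is the uplink toward the L3 switch,
# VLAN 10 = 192.168.10.0/24 holds the hosts subject to MAC-based policy.
# Switch side (vendor-specific, not shown): the uplink to port2 is an
# 802.1Q trunk carrying VLAN 10 tagged, and the switch's own L3 interface
# (SVI) for VLAN 10 is removed, so hosts use 192.168.10.1 on the FortiGate
# as their default gateway. Only then does the FortiGate see the host's
# own source MAC instead of the switch's.
config system interface
    edit "vlan10"
        set vdom "root"
        set interface "port2"
        set vlanid 10
        set ip 192.168.10.1 255.255.255.0
        set allowaccess ping
        set role lan
    next
end

# MAC-type address object (constructed sample MAC).
config firewall address
    edit "host-laptop-mac"
        set type mac
        set macaddr 00:11:22:33:44:55
    next
end

# Policy keyed on the client MAC. It can only match on vlan10 because the
# subnet is now directly connected to the FortiGate; on a routed subnet
# every frame would carry the switch's MAC and this policy would never hit.
config firewall policy
    edit 10
        set name "allow-laptop-by-mac"
        set srcintf "vlan10"
        set dstintf "wan1"
        set srcaddr "host-laptop-mac"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

# Check: the ARP entry for 192.168.10.x on vlan10 should show the host's
# MAC, not the L3 switch's, before trusting any MAC-based policy.
get system arp
```

If `get system arp` still shows one MAC for every host in the subnet, the switch is still routing that VLAN and the sub-interface is not yet the gateway.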