
Policy Based on IP Address

We have a query about a 60F. It is already configured, but now we are planning to make some changes for some reasons, so we have some doubts which need to be cleared up before implementing.

Currently the system is connected with wired & wireless.


So we want to make different policies based on IP address, as we plan to make a DHCP IP range which has a different policy…

Another IP range will be assigned by MAC address, so is there any option to make it so that this IP range will go to this MAC address via DHCP?


Hi kapilkala,

If I understood your requirement correctly, you would like to configure DHCP IP ranges based on clients' MAC addresses.

You can do so in DHCP server configuration > MAC Reservation. You can find further info in the TechTips below: 



Not necessarily. But he needs some way to have his DHCP only hand out an IP to specified devices, which can be achieved by configuring the DHCP server to block unknown requests and then setting up MAC addresses to assign an IP. But it doesn't need to be reserved for that.


And if one then creates an address object for that IP range, it can also be used in policies that affect just this range. One just must make sure that these policies come before any other ones that would match the traffic.


"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams


From what I understood, you sent IP-MAC binding, but my requirement is like this.

I want to do a configuration like this example:

DHCP server - from this IP we will create a policy and give limited access to users, both wired & wireless ...

DHCP server - for management, wired or wireless, we want to make a different policy and set MAC binding for them ...


This is my requirement. Or is there any other way to do this configuration?


Yes, you can do that. However, a bad user can easily give himself a static IP in the wrong network so he can have access to the privileged resources.

So I think it is more secure if you separate the users physically by VLANs or SSIDs.


Since you cannot have more than one DHCP server per interface, this will indeed require you to do IP reservations to have clients get IPs of the corresponding range.

Then create two address objects for the ranges and use them for making the needed policies.


"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
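
Added example, not part of the original thread and not Fortinet code: a small audit for the design discussed above (one subnet, a user DHCP range and a management range filled only by MAC reservations) that flags observed IP/MAC pairs which do not match the reservations, which is how the static-IP problem raised in the thread would show up. The ranges, MAC addresses and the `observed` input format are assumptions constructed for illustration.

```python
import ipaddress

# Assumed layout (constructed): one subnet split into two address ranges.
USER_RANGE = ("192.168.10.100", "192.168.10.199")  # general DHCP pool, limited policy
MGMT_RANGE = ("192.168.10.10", "192.168.10.29")    # only assigned via MAC reservation

# Constructed reservation table: MAC -> IP reserved for it on the DHCP server.
RESERVATIONS = {
    "00:11:22:33:44:55": "192.168.10.10",
    "00:11:22:33:44:66": "192.168.10.11",
}

def in_range(ip, ip_range):
    """True if ip lies between the first and last address of ip_range (inclusive)."""
    addr = ipaddress.ip_address(ip)
    return ipaddress.ip_address(ip_range[0]) <= addr <= ipaddress.ip_address(ip_range[1])

def normalize_mac(mac):
    """Lower-case and use ':' separators so differently formatted exports compare equal."""
    return mac.strip().lower().replace("-", ":")

def audit(observed):
    """observed: (ip, mac) pairs, e.g. exported from an ARP table or device inventory.
    Returns a list of (ip, mac, finding) for every pair that breaks the design."""
    reserved = {normalize_mac(m): ip for m, ip in RESERVATIONS.items()}
    findings = []
    for ip, mac in observed:
        mac = normalize_mac(mac)
        if in_range(ip, MGMT_RANGE):
            if mac not in reserved:
                findings.append((ip, mac, "unreserved MAC in management range"))
            elif reserved[mac] != ip:
                findings.append((ip, mac, "reserved MAC on a different management IP"))
        elif in_range(ip, USER_RANGE):
            if mac in reserved:
                findings.append((ip, mac, "management MAC in user range"))
        else:
            findings.append((ip, mac, "address outside both defined ranges"))
    return findings

# Constructed sample of observed pairs.
SAMPLE = [
    ("192.168.10.10", "00:11:22:33:44:55"),   # management device on its reserved IP
    ("192.168.10.120", "AA-BB-CC-00-00-01"),  # ordinary user from the pool
    ("192.168.10.15", "aa:bb:cc:00:00:02"),   # statically set IP inside the management range
    ("192.168.10.130", "00:11:22:33:44:66"),  # management device that landed in the user pool
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The check only reports mismatches; it does not replace the VLAN or SSID separation suggested in the thread.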
