Support Forum
Vernon76
New Contributor

VCI information

Hi all, I'm trying to find information about "match VCI" in the FortiGate 110C. I downloaded an administration manual but couldn't find what I'm looking for. Can someone tell me if VCI can be used for blocking MAC/IP addresses, or where I can find the info about it? Thank you in advance.
8 REPLIES
ede_pfau
SuperUser

Hi, and welcome to the forums. "VCI" for me refers to Virtual Channel Interface, a term used in ATM/DSL modem setups. AFAIK there's no such parameter in FortiOS. What exactly do you mean, and what do you plan to use it for? What you mentioned about blocking MAC/IP addresses, that's different. Of course a firewall can block a specific IP address. With a specific MAC address, that's more difficult but doable.
Ede Kernel panic: Aiee, killing interrupt handler!
emnoc
Esteemed Contributor III

I think he means vendor class identifier (VCI). Still, he would need to explain why he wants to block at a MAC address that can be easily spoofed. If you need layer 2 security, port filters or, better yet, 802.1X is the best deployment that one can do. Endpoint security would also be in the top 10 list.
PCNSE NSE StrongSwan
Vernon76
New Contributor

Hi again. The "match VCI" I found was in the FortiGate firewall 110C; it was located in System (I think) -> DHCP server -> VoIP -> and by scrolling down I saw it. (I don't recall if it appeared because I pressed something.) And also, what I want to do in the firewall is block other devices like BlackBerrys etc. so they can't connect to my outdoor wireless units. So I wanted to know if MAC filtering would be the right choice. Krs, Vernon76
ede_pfau
SuperUser

So the question is: would the DHCP server on the 110C not lease out IP addresses to devices which have a different VCI than specified? But that alone would only block 'rogue' APs. IMHO if you want to keep devices from connecting to an AP, and that AP is not managed by the FGT, then you'd have to use MAC filtering on the AP itself. But as MACs are easy to spoof I'd recommend 802.1X instead (user authentication via RADIUS/LDAP). That would need client software on the devices, though.
Ede Kernel panic: Aiee, killing interrupt handler!
Vernon76
New Contributor

Hi, thanks for answering my question. But I wanted to know a few things: where can I activate the MAC filtering in the FortiGate 50B, because I don't see in the manual how to do it. And I have a list of almost 270 MAC addresses; how can I load this up in one shot, if possible, in MAC filtering? Besides MAC filtering and 802.1X, is there another way to tell my FortiGate to keep rogue MAC addresses off my APs? Thank you in advance.
ede_pfau
SuperUser

You can do MAC filtering by using the CLI command "ipmacbinding". See the CLI Guide for details. The reasoning is:
- you enter pairs of IP address and MAC address into the FGT (via CLI)
- you configure that IP/MAC pairs should be checked when passing the FGT (not: when accessing the FGT)
- if a packet arrives at the FGT, these checks are made:
  - if the MAC address is unknown, traffic is blocked
  - if the MAC is known, and the IP matches, traffic passes
  - if the MAC is known, and the IP does not match, traffic is blocked
So far in theory. Keep in mind that a stateful firewall usually cannot check MAC addresses; it will deal with layer 3 traffic upwards much more efficiently. For every local list there is space allocated in FortiOS, so there is a set limit for the MAC/IP list as well. I doubt that it is as high as 270. The limit depends on the model and the FortiOS version and is documented in the 'Maximum Values Matrix', available on docs.fortinet.com. And given that your FGT is one of the older and smaller models, it's even more doubtful that you can realize your plan. Good luck, though.
Ede Kernel panic: Aiee, killing interrupt handler!
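As an added illustration of the IP/MAC binding rules described in the reply above (this is example code written for this thread, not Fortinet's code and not the original poster's), the script below takes a MAC/IP list in a simple CSV form, validates and normalizes it so a typo in a 270-entry list is reported rather than silently dropped, and applies the three checks (unknown MAC blocked, known MAC with matching IP passed, known MAC with mismatching IP blocked) to sample packets. The CSV layout and the sample entries are constructed for the example. The `to_fortios_cli` helper emits a `config firewall ipmacbinding table` block in the form I recall from the FortiOS CLI reference; treat that syntax as an assumption and verify it against the CLI Guide for your model and FortiOS version before pasting it into a console.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample list: one "name,mac,ip" entry per line, mixing the MAC
# notations one typically finds in a hand-maintained inventory.
SAMPLE_LIST = """\
# name,mac,ip
phone-01,00:11:22:33:44:55,192.168.10.11
phone-02,00-11-22-33-44-66,192.168.10.12
ap-01,0011.2233.4477,192.168.10.2
bad-entry,00:11:22:33:44,192.168.10.99
"""


def normalize_mac(raw: str) -> Optional[str]:
    """Accept colon, dash or Cisco dotted notation; return aa:bb:cc:dd:ee:ff, or None if malformed."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def load_bindings(text: str) -> Tuple[Dict[str, Dict[str, str]], List[str]]:
    """Parse the list into {mac: {"name": ..., "ip": ...}}.

    Rejected lines are returned separately so a bad entry is visible instead of
    quietly leaving a host unbound (which, under 'unknown MAC -> block', locks it out).
    """
    table: Dict[str, Dict[str, str]] = {}
    errors: List[str] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            errors.append(f"line {lineno}: expected name,mac,ip")
            continue
        name, mac_raw, ip_raw = parts
        mac = normalize_mac(mac_raw)
        if mac is None:
            errors.append(f"line {lineno}: bad MAC {mac_raw!r}")
            continue
        try:
            ip = str(ipaddress.ip_address(ip_raw))
        except ValueError:
            errors.append(f"line {lineno}: bad IP {ip_raw!r}")
            continue
        if mac in table:
            errors.append(f"line {lineno}: duplicate MAC {mac}")
            continue
        table[mac] = {"name": name, "ip": ip}
    return table, errors


def check_packet(table: Dict[str, Dict[str, str]], src_mac: str, src_ip: str) -> str:
    """Apply the three rules from the reply: unknown MAC -> block; known MAC -> IP must match."""
    mac = normalize_mac(src_mac)
    if mac is None or mac not in table:
        return "block"
    return "pass" if table[mac]["ip"] == src_ip else "block"


def to_fortios_cli(table: Dict[str, Dict[str, str]]) -> str:
    """Emit one CLI block for the whole list (syntax recalled from the FortiOS CLI reference; verify before use)."""
    lines = ["config firewall ipmacbinding table"]
    for index, (mac, entry) in enumerate(sorted(table.items()), 1):
        lines += [
            f"    edit {index}",
            f"        set ip {entry['ip']}",
            f"        set mac {mac}",
            f"        set name {entry['name']}",
            "        set status enable",
            "    next",
        ]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    bindings, problems = load_bindings(SAMPLE_LIST)
    for problem in problems:
        print("rejected:", problem)
    for mac, ip in [("00:11:22:33:44:55", "192.168.10.11"),   # known MAC, matching IP
                    ("00:11:22:33:44:55", "192.168.10.50"),   # known MAC, wrong IP
                    ("aa:bb:cc:dd:ee:ff", "192.168.10.11")]:  # unknown MAC
        print(mac, ip, "->", check_packet(bindings, mac, ip))
    print(to_fortios_cli(bindings))
```

Running it prints the rejected `bad-entry` line, the three verdicts, and the generated CLI block; the generated block is what you would paste (or push via a script) to load the list in one go, subject to the per-model table limit the reply mentions.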
Vernon76
New Contributor

Thank you for the info, Ede. But I have one more question about MAC filtering. Can MAC filtering help improve WiFi phones' connection to the wireless network, even if the WiFi phones aren't state of the art? Because if you have many rogue devices like BlackBerrys etc., can they influence how the WiFi phones perform on the wireless network? A theory that I heard is that if you use MAC filtering, it will improve the performance of the not-so-state-of-the-art WiFi phones and let them connect to the network.
ede_pfau
SuperUser

I've got no idea on this, sorry.
Ede Kernel panic: Aiee, killing interrupt handler!