I am trying to block access for unknown MAC Addresses to the network.
Currently DHCP, Internet and the LAN only work for known MAC Addresses, but unknown MAC's with a static ip can still join the network and talk to the Fortigate, is it possible to deny access to Web UI and maybe even the entire fortigate for unknown MAC's?
Yes I already have this configured, all unknown MAC's have no access to the internet/other LAN devices. It can only connect to the Fortigate 60e itself, my question is if it is possible to also get rid of the access to the Firewall (fortigate 60e).
Create a policy that specifically targets the Fortigate's MAC address or IP address and denying access for unknown MAC addresses, you can block access to the Fortigate's web UI and other services for unauthorized devices.
In the "Source Address" field in policy, select "MAC" and add the MAC addresses of the known devices that should have access to the Fortigate. You can add multiple MAC addresses by clicking on the "+" icon.
Configure the desired action for the policy. To deny access, select "Deny"
It's important to regularly update the list of known MAC addresses to ensure that only authorized devices have access to the Fortigate. Additionally, consider enabling additional security measures such as strong passwords, two-factor authentication, and regular firmware updates to further enhance the security of your Fortigate device.
I tried denying the ip address of the Fortigate but the unknown MAC pc can still ping/access the GUI of the Fortigate 60E. Is the Fortigate maybe designed so you can't block access to it, incase of an accidental lockout?
Below the configuration to lockout anyone but the MAC address Group.
Normally Implicit Deny would block anything even without the new firewall rule, so probably it won't block to itself.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.