Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Mistral
New Contributor

Created on ‎06-16-2023 04:40 AM

if Unknown MAC Block access to Fortigate 60e

Hi,

 

I am trying to block access for unknown MAC Addresses to the network.

Currently DHCP, Internet and the LAN only work for known MAC Addresses, but unknown MAC's with a static ip can still join the network and talk to the Fortigate, is it possible to deny access to Web UI and maybe even the entire fortigate for unknown MAC's?

(running version 7.0.12)

 

Thanks in advance for all the help!

Mistral

Labels:
1883
0 Kudos
4 REPLIES 4
Shilpa1
Staff
Staff

Created on ‎06-16-2023 05:38 AM

Hello Mistral,

Do you already have the below MAC address based policies configured? 
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-create-the-MAC-address-based-polici...

Regards,
Shilpa 


 

1866
0 Kudos
Mistral
New Contributor
In response to Shilpa1

Created on ‎06-16-2023 06:11 AM

Hi Shilpa1,

 

Yes I already have this configured, all unknown MAC's have no access to the internet/other LAN devices. It can only connect to the Fortigate 60e itself, my question is if it is possible to also get rid of the access to the Firewall (fortigate 60e).

 

Kind Regards,

Mistral

1859
0 Kudos
pavankr5
Staff
Staff

Created on ‎06-16-2023 07:02 AM

Hello @Mistral ,

 

Create a policy that specifically targets the Fortigate's MAC address or IP address and denying access for unknown MAC addresses, you can  block access to the Fortigate's web UI and other services for unauthorized devices.

In the "Source Address" field in policy, select "MAC" and add the MAC addresses of the known devices that should have access to the Fortigate. You can add multiple MAC addresses by clicking on the "+" icon.

Configure the desired action for the policy. To deny access, select "Deny"

 

It's important to regularly update the list of known MAC addresses to ensure that only authorized devices have access to the Fortigate. Additionally, consider enabling additional security measures such as strong passwords, two-factor authentication, and regular firmware updates to further enhance the security of your Fortigate device.

 

Please update us if this helps

 

Thanks,

Pavan

1841
0 Kudos
Mistral
New Contributor
In response to pavankr5

Created on ‎06-19-2023 01:36 AM

Hi Pavankr5,

 

I tried denying the ip address of the Fortigate but the unknown MAC pc can still ping/access the GUI of the Fortigate 60E. Is the Fortigate maybe designed so you can't block access to it, incase of an accidental lockout?

 

Below the configuration to lockout anyone but the MAC address Group. 

 

Fortigate2.PNGFortigate1.PNG

Fortigate3.PNG

Normally Implicit Deny would block anything even without the new firewall rule, so probably it won't block to itself.

 

Kind Regards,

Mistral

1805
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.