FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
sselvam
Staff
Article Id 194591

Description


This article describes how to create the MAC address based policies in IPv4 policy.

 

Scope

 

FortiGate.

Solution

 

Configuration GUI

 

Note:

These MAC address-type objects can only be used as Source Addresses for firewall policies when the FortiGate is in NAT mode. The MAC address is a link-layer address and it cannot be forwarded to different IP networks. On the other hand, the MAC address type objects can be applied as the source address and destination address for policies in Transparent mode or Virtual Wire Pair interface.

 

  1. Screenshot illustrating the creation of the MAC address object under Addresses:

 

Go to Firewall -> Policy & Objects -> Addresses -> Create new -> Address -> select Type as MAC address

Specify the name and MAC address of the respective users.

 

  2. Screenshot illustrating the creation of the firewall policy with the MAC address as the source address (device-based policies were removed in v6.2.0), so the MAC address object is used directly in the IPv4 policy:
 
 
Go to Policy & Objects -> IPv4 policy -> Create new -> specify the source address as the MAC address created in the Addresses
 
To create the address on the CLI:
 
config firewall address
    edit "MAC_based"
        set type mac
        set start-mac 00:69:72:01:2b:01
        set end-mac 00:69:72:01:2b:01
    next
end
 
To create the IPv4 policy in CLI:
 
config firewall policy
    edit <policy ID>
        set name "MAC_Address_policy"
        set srcintf "port3"
        set dstintf "port1"
        set srcaddr "MAC_based"     <----- Specify the MAC address created in Addresses
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end
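The note above says a MAC-type address object is only valid as a source address while the FortiGate is in NAT mode. As an added example (not from the article or Fortinet), the following script parses the CLI configuration format shown above and flags any policy that references a MAC-type object as `dstaddr` in NAT mode; the sample config and the `opmode` parameter are constructed for illustration.

```python
import shlex
# Constructed sample (not a real device config): the article's MAC object plus a policy that misuses it as dstaddr in NAT mode.
SAMPLE_CONFIG = """\
config firewall address
    edit "MAC_based"
        set type mac
        set start-mac 00:69:72:01:2b:01
        set end-mac 00:69:72:01:2b:01
    next
end
config firewall policy
    edit 1
        set srcaddr "MAC_based"
        set dstaddr "all"
    next
    edit 2
        set srcaddr "all"
        set dstaddr "MAC_based"
    next
end
"""
def parse_sections(text):
    # Minimal FortiOS CLI parser: config <name> / edit <id> / set <key> <values> / next / end
    sections, section, entry = {}, None, None
    for line in text.splitlines():
        tokens = shlex.split(line)
        if not tokens:
            continue
        if tokens[0] == "config":
            section = sections.setdefault(" ".join(tokens[1:]), {})
        elif tokens[0] == "edit" and section is not None:
            entry = section.setdefault(tokens[1], {})
        elif tokens[0] == "set" and entry is not None:
            entry[tokens[1]] = tokens[2:]
        elif tokens[0] == "next":
            entry = None
        elif tokens[0] == "end":
            section = None
    return sections
def mac_dstaddr_misuse(text, opmode="nat"):
    # IDs of policies using a MAC-type address object as dstaddr in NAT mode;
    # transparent / virtual-wire-pair mode allows it, so nothing is flagged there.
    if opmode != "nat":
        return []
    cfg = parse_sections(text)
    mac_objs = {name for name, attrs in cfg.get("firewall address", {}).items()
                if attrs.get("type") == ["mac"]}
    return [pid for pid, pol in cfg.get("firewall policy", {}).items()
            if mac_objs & set(pol.get("dstaddr", []))]
```

Run it against the output of `show firewall address` and `show firewall policy` to catch policies that will never match before traffic testing.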
 
Verification of configuration and troubleshooting:
To check whether the policy is in effect, initiate traffic from the client machine and check it on the firewall and in FortiView.

FortiView -> Sources -> Filter with the source IP -> Policies

The policy ID shows whether traffic from the respective PC is matching the intended policy.
 
Log & Report -> Forward traffic -> Filter the source IP -> Check the current traffic of the client machine
 
Screenshot of the forwarded traffic from the client machine:

 
Related article: