Fortigate 80 block MAC address

Hi guys,

How do I block a MAC address on a Fortigate?


What model do you have, and what software version is it running?
IT_Group1Author Commented:

Fortigate 80c - Firmware version: v4.0,build0320,110419 (MR2 Patch 6)

Block the MAC address for spoofing, or bind the MAC address.


you will find the MAC option.
And from CLI mode:

config system dhcp ipmacbinding

config system dhcp reserved-address
    edit <name_str>
        set ip <address_ipv4>
        set mac <address_hex>
        set type {regular | ipsec}
    next
end

please revert for further clarification

IT_Group1Author Commented:
diprajbasu Thx.

Does it matter that the Fortigate isn't the DHCP server in this organization?
I request you to let me know one thing: what is your exact objective, or what else do you want to do?
Blocking a MAC address for what purpose?
Are you just trying to block access to a specific device from accessing the internet throught the Fortigate?
IT_Group1Author Commented:
Exactly right.
I managed to do it by blocking his IP, but since it's from a DHCP pool, I'd prefer to REALLY block the guy by using the MAC.

I think you require NTLM or LDAP authentication if the DHCP pool is being released from a separate server.
Do NTLM or LDAP authentication on the Fortigate against your server.
I think creating a DHCP pool on the Fortigate will not be possible in your network.
So better to go for NTLM or LDAP authentication, so the Fortigate will synchronize with the server.
IT_Group1Author Commented:

And if the FG syncs with the server via LDAP, how will it help us in blocking this naughty MAC?

If your server is passing out DHCP, just tie a specific IP to that MAC address in the DHCP server and as long as the user doesn't have admin rights you are good to go.

IT_Group1Author Commented:
Thx bro.
Just to be sure we're on the same page here:
1. I create an LDAP connection between the FG and the DC.
2. I use the syntax you've sent me and block the MAC.
3. As long as the user keeps the same MAC, even with a different IP address from the DC's DHCP, the FG will be able to block the little wanker..!

Please approve, and I'll commit those changes.

Many thx

The MAC binding at System -> DHCP Server only reserves the IP in the DHCP lease. In this case, any system can still access the internet if the user configures an allowed IP statically.
Is there a way to allow only trusted MACs, like the MAC filtering option we get on any lower-end wireless router?
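The check a practitioner would want to run after following the advice in this thread, as an added example that is not from any of the posters: on FortiOS 4.0 a firewall policy matches on IP, not MAC, so a block on one DHCP-assigned address silently stops working when the lease changes (the problem raised in the author's comment) or when the user sets a static address (the problem raised in the last comment). The script below takes a copy of the firewall's ARP table, the DHCP reservations and the IPs currently blocked, and reports whether the target MAC is actually covered. The ARP sample and its column layout are constructed for the example and assumed to follow the `get system arp` format; verify the columns against your own firmware before trusting the parser.

```python
"""Audit whether an IP-based block on a FortiGate still hits the intended MAC.

Added example, not part of the original thread.  Inputs are a copy of the
firewall's ARP table text, the DHCP reservations (MAC -> IP) and the set of
IPs the deny policy currently references.  The output says which of the
target MAC's current IPs the policy misses and whether the host is sitting on
an address other than its reservation (i.e. a static IP bypassing it).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the assumed 'get system arp' column layout:
# Address, Age(min), Hardware Addr, Interface.  Not captured from a real box.
SAMPLE_ARP = """\
Address           Age(min)   Hardware Addr      Interface
192.168.1.10      0          00:11:22:33:44:55  internal
192.168.1.77      3          00:0c:29:ab:cd:ef  internal
192.168.1.200     0          00:0c:29:ab:cd:ef  internal
10.0.0.5          12         00:50:56:aa:bb:cc  dmz
"""

ARP_LINE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<age>\d+)\s+"
    r"(?P<mac>[0-9a-fA-F]{2}(?:[:-][0-9a-fA-F]{2}){5})\s+(?P<iface>\S+)\s*$"
)


def normalize_mac(mac: str) -> str:
    """Canonical lowercase colon form, so 00-0C-29-AB-CD-EF == 00:0c:29:ab:cd:ef."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class ArpEntry:
    ip: str
    mac: str
    iface: str


def parse_arp(text: str) -> list[ArpEntry]:
    """Parse ARP table text; the header and any unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            entries.append(ArpEntry(m["ip"], normalize_mac(m["mac"]), m["iface"]))
    return entries


def audit_mac_block(arp_text: str, target_mac: str,
                    blocked_ips: set[str], reservations: dict[str, str]) -> dict:
    """Compare where the target MAC really is against what the policy blocks.

    reservations maps MAC -> IP as configured under
    'config system dhcp reserved-address'; it reserves a lease, it does not
    stop the host from using another address.
    """
    target = normalize_mac(target_mac)
    blocked = set(blocked_ips)
    reserved_ip = {normalize_mac(m): ip for m, ip in reservations.items()}.get(target)
    seen_ips = {e.ip for e in parse_arp(arp_text) if e.mac == target}
    return {
        "current_ips": sorted(seen_ips),
        # Addresses the MAC is using that no deny policy covers.
        "unblocked_ips": sorted(seen_ips - blocked),
        # Addresses still in the deny policy that the MAC no longer uses.
        "stale_blocks": sorted(blocked - seen_ips),
        # True when the host is seen on an IP other than its DHCP reservation.
        "reservation_bypassed": reserved_ip is not None
        and any(ip != reserved_ip for ip in seen_ips),
        # True only if every address the MAC currently uses is blocked.
        "covered": bool(seen_ips) and seen_ips <= blocked,
    }


if __name__ == "__main__":
    report = audit_mac_block(
        SAMPLE_ARP,
        "00-0C-29-AB-CD-EF",                     # the MAC to be kept off the internet
        {"192.168.1.77"},                        # the IP the deny policy was written for
        {"00:0c:29:ab:cd:ef": "192.168.1.77"},   # the DHCP reservation from the thread
    )
    for key, value in report.items():
        print(f"{key}: {value}")
```

In the sample the host keeps its reserved address but also appears on 192.168.1.200, so `covered` is false and `reservation_bypassed` is true: the reservation did its job for the lease and nothing else. Feed it the real ARP output periodically and alert on a non-empty `unblocked_ips`; that is the closest an IP-matching policy gets to blocking a MAC.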
