Solved

Fortigate 80 block MAC address

Posted on 2012-04-01
5,557 Views
Last Modified: 2013-04-24
Hi guys,

How do I block a MAC address in Fortigate?

Thx
Question by:IT_Group1
12 Comments
 
LVL 22

Expert Comment

by:eeRoot
ID: 37794118
What model do you have, and what software version is it running?
0
 

Author Comment

by:IT_Group1
ID: 37794836
Hi,

Fortigate 80c - Firmware version: v4.0,build0320,110419 (MR2 Patch 6)

Thx
0
 
LVL 11

Expert Comment

by:DIPRAJ
ID: 37795413
Block the MAC address for spoofing, or bind the MAC address.

Go to System -> DHCP Server -> Address Leases; you will find the MAC option.

And from CLI mode:

config system dhcp ipmacbinding

config system dhcp reserved-address
    edit <name_str>
        set ip <address_ipv4>
        set mac <address_hex>
        set type {regular | ipsec}
    next
end

Please revert for further clarification.
0

 

Author Comment

by:IT_Group1
ID: 37795936
diprajbasu Thx.

Does it matter that the Fortigate isn't the DHCP server in this organization?
0
 
LVL 11

Expert Comment

by:DIPRAJ
ID: 37796113
Request you to let me know one thing: what is your exact objective, or what else do you want to do?
Blocking the MAC address for what purpose?
0
 
LVL 4

Expert Comment

by:iworks-uworks
ID: 37796204
Are you just trying to block a specific device from accessing the internet through the Fortigate?
0
 

Author Comment

by:IT_Group1
ID: 37796426
Exactly right.
I managed to do it by blocking his IP, but since it's from a DHCP pool, I prefer to REALLY block the guy by using the MAC.

Thx
0
 
LVL 11

Expert Comment

by:DIPRAJ
ID: 37796685
I think you require NTLM or LDAP authentication if the DHCP pool is being released from some separate server.
Do NTLM or LDAP authentication on the Fortigate from your server.
I think creating a DHCP pool in Fortigate will not be possible in your network,
so better to go for NTLM or LDAP authentication, so the Fortigate will synchronize with the server.
0
 

Author Comment

by:IT_Group1
ID: 37799605
Hi,

And if the FG syncs with the server via LDAP, how will it help us in blocking this naughty MAC?

Thx
0
 
LVL 4

Accepted Solution

by: iworks-uworks (earned 500 total points)
ID: 37800883
If your server is passing out DHCP, just tie a specific IP to that MAC address in the DHCP server and as long as the user doesn't have admin rights you are good to go.
0
 

Author Comment

by:IT_Group1
ID: 37805387
Thx bro.
Just to be sure we're on the same page here:
1. I create an LDAP connection between the FG and the DC.
2. I use the syntax you've sent me, and block the MAC.
3. As long as the user keeps the same MAC, even with a different IP address from the DC DHCP, the FG will be able to block the little wanker!

Please approve, and I'll commit those changes.

Many thx
0
 
LVL 1

Expert Comment

by:stadmin
ID: 39107865
Hi,


The MAC binding at System -> DHCP Server only reserves the IP from the DHCP lease. In this case, any system can access the internet if it configures an allowed IP statically.
Is there a way to allow only trusted MACs, like the MAC filtering option we get in any lower-end wireless router?

Thanks
0
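The accepted answer (reserve a fixed IP for the MAC on the DHCP server, then deny that IP on the FortiGate) and stadmin's objection (a client that sets an IP statically is not covered) are two sides of the same check. The script below is an added example, not code from the thread or from Fortinet: it audits whether each MAC on a block list is actually covered by a reservation plus an IP deny, and flags any blocked MAC that shows up in the ARP table on an IP that is not denied, which is exactly the static-IP bypass. The block list, reservations, denied IPs and ARP lines are all constructed sample data; the ARP text is only modelled on the column layout of FortiOS `get system arp` output, and the function names are this example's own.

```python
"""Audit a 'DHCP reservation + IP deny' MAC block and detect the static-IP bypass.

Added example; every input below is constructed for illustration and is not
taken from the original thread.
"""
import re

# Constructed: MAC addresses the admin wants kept off the internet.
BLOCKED_MACS = {"00:11:22:33:44:55"}

# Constructed: reservations on the DHCP server (MAC -> reserved IP),
# as the accepted answer suggests.
DHCP_RESERVATIONS = {"00:11:22:33:44:55": "192.168.1.200"}

# Constructed: source IPs denied by the FortiGate policy.
FIREWALL_DENIED_IPS = {"192.168.1.200"}

# Constructed sample, modelled on the column layout of `get system arp`.
# The blocked MAC appears twice: once on its reserved IP and once on a
# statically configured IP that no policy denies.
ARP_TABLE = """\
Address           Age(min)   Hardware Addr      Interface
192.168.1.20      0          00:0c:29:aa:bb:cc  internal
192.168.1.77      1          00:11:22:33:44:55  internal
192.168.1.200     3          00:11:22:33:44:55  internal
"""

# One ARP row: IPv4, age, MAC (six hex pairs with colons), interface name.
ARP_LINE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s+\d+\s+([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})\s+(\S+)"
)


def parse_arp(text):
    """Return (ip, mac, interface) tuples from ARP-style text; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        match = ARP_LINE.match(line)
        if match:
            entries.append((match.group(1), match.group(2).lower(), match.group(3)))
    return entries


def audit_mac_block(blocked_macs, reservations, denied_ips, arp_entries):
    """Classify each blocked MAC and report any live entry that sidesteps the IP deny.

    covered:                MAC has a reservation and that IP is denied.
    no_reservation:         MAC has no DHCP reservation, so its IP can change.
    reservation_not_denied: reservation exists but the firewall does not deny it.
    bypass:                 MAC seen in ARP on an IP that is not denied
                            (the static-IP case stadmin describes).
    """
    report = {"covered": [], "no_reservation": [],
              "reservation_not_denied": [], "bypass": []}
    for mac in sorted(blocked_macs):
        reserved_ip = reservations.get(mac)
        if reserved_ip is None:
            report["no_reservation"].append(mac)
        elif reserved_ip not in denied_ips:
            report["reservation_not_denied"].append((mac, reserved_ip))
        else:
            report["covered"].append((mac, reserved_ip))
    for ip, mac, iface in arp_entries:
        if mac in blocked_macs and ip not in denied_ips:
            report["bypass"].append((mac, ip, iface))
    return report


if __name__ == "__main__":
    result = audit_mac_block(BLOCKED_MACS, DHCP_RESERVATIONS,
                             FIREWALL_DENIED_IPS, parse_arp(ARP_TABLE))
    for category, items in result.items():
        for item in items:
            print(f"{category}: {item}")
```

Run against the sample data, the audit reports the MAC as covered on 192.168.1.200 and, in the same pass, as a bypass on 192.168.1.77, which is the behaviour stadmin is asking about: a reservation pins the DHCP lease, but nothing in that scheme stops a host that ignores DHCP. Feeding the script real ARP output on a schedule turns the objection into a detection rather than an unknown.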
