Solved

Fortigate 80 block MAC address

Posted on 2012-04-01
Last Modified: 2013-04-24
hi guys,

How do I block a MAC address in Fortigate?

Thx
Question by:IT_Group1
12 Comments
 
LVL 22

Expert Comment

by:eeRoot
ID: 37794118
What model do you have, and what software version is it running?
0
 

Author Comment

by:IT_Group1
ID: 37794836
Hi,

Fortigate 80c - Firmware version: v4.0,build0320,110419 (MR2 Patch 6)

Thx
0
 
LVL 11

Expert Comment

by:DIPRAJ
ID: 37795413
block MAC ADDRESS for spoofing or bind MAC ADDRESS

GO TO SYSTEM----DHCP SERVER----ADDRESS LEASES

You will find the MAC option.
And from CLI mode:

config system dhcp ipmacbinding
config system dhcp reserved-address
    edit <name_str>
        set ip <address_ipv4>
        set mac <address_hex>
        set type {regular | ipsec}
    end

please revert for further clarification
0
 

Author Comment

by:IT_Group1
ID: 37795936
diprajbasu Thx.

Does it matter that the Fortigate isn't the DHCP server in this organization?
0
 
LVL 11

Expert Comment

by:DIPRAJ
ID: 37796113
Request you to let me know one thing... what is your exact objective? Or what else do you want to do?
Blocking the MAC address for what purpose?
0
 
LVL 4

Expert Comment

by:iworks-uworks
ID: 37796204
Are you just trying to block a specific device from accessing the internet through the Fortigate?
0
 

Author Comment

by:IT_Group1
ID: 37796426
Exactly right.
I managed to do it by blocking his IP, but since it's from a DHCP pool, I prefer to REALLY block the guy by using MAC.

Thx
0
 
LVL 11

Expert Comment

by:DIPRAJ
ID: 37796685
I think you require NTLM or LDAP authentication... if the DHCP pool is being released from some separate server.
Do NTLM or LDAP authentication on the Fortigate from your server.
I think creating a DHCP pool in the Fortigate will not be possible in your network.
So better to go for NTLM or LDAP authentication, so the Fortigate will synchronize with the server.
0
 

Author Comment

by:IT_Group1
ID: 37799605
Hi,

And if the FG syncs with the server via LDAP, how will it help us in blocking this naughty MAC?

Thx
0
 
LVL 4

Accepted Solution

by:
iworks-uworks earned 500 total points
ID: 37800883
If your server is passing out DHCP, just tie a specific IP to that MAC address in the DHCP server and as long as the user doesn't have admin rights you are good to go.
0
 

Author Comment

by:IT_Group1
ID: 37805387
Thx bro.
Just to be sure we're on the same page here:
1. I create an LDAP connection between the FG and the DC
2. I use the syntax you've sent me, and block the MAC
3. As long as the user will keep the same MAC, even with different IP address from the DC DHCP, the FG will be able to block the little wanker..!

Please approve, and I'll commit those changes.

Many thx
0
 
LVL 1

Expert Comment

by:stadmin
ID: 39107865
Hi,


The MAC binding at System -> DHCP Server only reserves the IP from the DHCP lease. In this case, any system can access the internet if the user configures an allowed IP statically.
Is there a way to allow only trusted MACs, like the MAC filtering option we get in any lower-end wireless router?

Thanks
0
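The limitation raised in the last comment (a DHCP reservation alone does not stop a host that sets its IP statically) is what firewall-level IP/MAC binding addresses. The following is an added example, not part of any post in this thread and not Fortinet's own sample; it assumes the `config firewall ipmacbinding` commands of the FortiOS 4.0 CLI, and the interface names, address and MAC are constructed placeholders.

```fortios
# Added example. Placeholders (constructed): interfaces "internal"/"wan1",
# parking address 192.168.1.250, MAC 00:00:5e:00:53:01.

# 1. Enforce the IP/MAC table for traffic through and to the FortiGate.
#    undefinedhost allow: hosts absent from the table are unaffected.
#    undefinedhost block would turn the table into an allow-list of trusted hosts.
config firewall ipmacbinding setting
    set bindthroughfw enable
    set bindtofw enable
    set undefinedhost allow
end

# 2. Pin the unwanted MAC to one parking address. Packets from this MAC with
#    any other source IP, or from another MAC using this IP, fail the check.
config firewall ipmacbinding table
    edit 1
        set name "blocked-host"
        set ip 192.168.1.250
        set mac 00:00:5e:00:53:01
        set status enable
    next
end

# 3. Turn on the binding check on the LAN-facing interface.
config system interface
    edit "internal"
        set ipmac enable
    next
end

# 4. Deny the parking address itself, so the matching IP/MAC pair is also dropped.
config firewall address
    edit "blocked-host"
        set subnet 192.168.1.250 255.255.255.255
    next
end
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "blocked-host"
        set dstaddr "all"
        set schedule "always"
        set service "ANY"
        set action deny
    next
end
```

Lines starting with # are annotations only. The deny policy has to be ordered above the general allow policy for the same interface pair, and the binding check only sees a client's own MAC when that client is on the same layer-2 segment as the FortiGate interface.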


Question has a verified solution.