Solved

Block MAC address through Fortigate firewall 100 D

Posted on 2014-12-23
25
2,464 Views
Last Modified: 2015-10-27
Dear Experts,
I want to block mac address through Fortigate firewall (Firmware Version v5.0,build0252 (GA Patch 5)). I have added device definition and created new policy. Below is the snapshot of the policy. The policy is applied through the firewall when I check the log but instead of deny, it is allowing the access.
Thanks.
Attachment: untitled.bmp (snapshot of the policy)
Question by:ibu1
25 Comments
 
LVL 61

Expert Comment

by:gheist
ID: 40517067
MAC addresses can be blocked on a managed network switch.
0
 
LVL 61

Expert Comment

by:btan
ID: 40517230
FortiGate supports ipmacbinding; you need to enable IP/MAC binding for an individual FortiGate unit network interface. Note that it will only help when the devices being restricted reside on the same network segment as a FortiGate interface. e.g. Syntax:
config firewall ipmacbinding setting
set bindthroughfw {enable | disable}  - this is enabling IPMAC binding to get through a Firewall.
set bindtofw {enable | disable}  - this will check an IP MAC binding combination to allow access TO the firewall
set undefinedhost {allow | block} - this defines how the Firewall will treat traffic that has not been bound
end
0
 
LVL 17

Assisted Solution

by:Garry-G
Garry-G earned 100 total points
ID: 40517362
On a side note, Patch 5 still has the SSL bug in it, you should update to something more current (patch 10 is the latest version)
1
 
LVL 12

Author Comment

by:ibu1
ID: 40517364
Hello,
I want to enable the mac blockage on firewall only. Below is the current scenario
Remote branch 10.10.24.0. Router 10.10.24.1. DHCP range 10.10.24.200-10.10.24.250. Route 0.0.0.0 0.0.0.0 10.10.1.35
HO : 10.10.1.0 , Firewall IP Address 10.10.1.35
Thanks.
0
 
LVL 61

Expert Comment

by:btan
ID: 40517536
Do see this example, which helps: http://itzecurity.blogspot.sg/2014/07/mac-black-list-packet-drop-if-dhcp.html
Mainly the IP/MAC table needs to be populated (manually (a) or automatically via FortiGate as DHCP server (b)) and ipmac enabled on the interface to enforce this check. But do note some points on the schemes (a) and (b).

(a) - When IP/MAC binding is enabled on the interface, any changes to the client IP address need to be updated in the table. This is especially so for those static bindings entered manually. Also do update in the event a new computer is added to the network. If these are not updated in a timely manner, the new or changed hosts may be denied access (depends on the FW setting).

(b) - When a client's MAC address is automatically registered in the IP/MAC binding table via the above-mentioned DHCP scheme. This simplifies the binding configuration, but be wary that this update can also include untrusted hosts, if the latter are allowed to access the DHCP server. So do ensure only trusted internal clients have access to the DHCP server.

Specifically, on top of the table population and binding to the interface, below is an example to enable IP/MAC binding going to and going through the firewall, and block undefined hosts (IP/MAC address pairs).
config firewall ipmacbinding setting
set bindthroughfw enable
set bindtofw enable
set undefinedhost block
end
0
 
LVL 12

Author Comment

by:ibu1
ID: 40519356
The DHCP server which gives IP Address is on different network. I want to enable block MAC on firewall itself.
Thanks.
0
 
LVL 61

Expert Comment

by:btan
ID: 40519406
You can assign the MAC of concern as stated in the link, which shares the syntax for creating manual entries in the ipmacbinding table: http://kb.fortinet.com/kb/viewContent.do?externalId=FD30158

config firewall ipmacbinding table
edit <index_int> - the number in the IP/MAC binding table
set ip <address_ipv4> - IP address value
set mac <address_hex>  - MAC address value
set name <name_str> - the name which may be used for this binding
set status {enable | disable} - is the binding now enabled
end
0
 
LVL 61

Expert Comment

by:gheist
ID: 40519411
Yes, you can enable it according to the description, but it will be very inefficient and most likely not block anything because:
1) Packets on the same subnet can arrive from any router's MAC on the same subnet, so you have to block those too, effectively blocking all other subnets
2) Changing a MAC is easy as pie unless you use MAC ACLs on the network switch
3) Since it is DHCP - why don't you make it a fixed IP and block the IP?
So you do not have either the authority or the capability or the position to do such blocking - in short - ask your network administrator for assistance.
0
 
LVL 12

Author Comment

by:ibu1
ID: 40519445
Hello,
The reason behind not giving a fixed IP is that these subnet users have their own mobiles and they know how to change the IP address, and there are a lot of access points to enable the MAC filter on.
Thanks.
0
 
LVL 61

Assisted Solution

by:gheist
gheist earned 200 total points
ID: 40519456
As mentioned before MAC filtering on fortigate is way too late.
There are about 2 billion mobile devices capable of running bittorrent client while connected to your network. Do you have enough storage for your access list?
0
 
LVL 12

Author Comment

by:ibu1
ID: 40519521
I have created a ticket with fortigate support. Will post you the solution soon.
Thanks.
0
 
LVL 61

Accepted Solution

by:
btan earned 200 total points
ID: 40519540
Also, in the KB it is not recommended for large networks, and there is operational fatigue in managing the MAC ACL and changes - ideally it is tied to user identity and location for policy enforcement.
This is only recommended in small to medium networks. Extra caution is required to implement in large networks. As mentioned earlier, if any routing takes place before sending traffic to a FortiGate, the issue of the source MAC address being replaced with that of a router is a real concern.
Also see Fortigate:
- (CLI) Technical Note: How to block a MAC address using a device access list
- (GUI) Technical Note: Configure MAC Filter with device identification enabled
0
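As an added illustration of the point gheist and btan make above (the routed hop replaces the client's source MAC with the router's), here is a small Python model. It is not code from the thread or from Fortinet; the subnet and firewall addresses are the ones ibu1 posted, the MAC addresses and the device-identity matching rule are constructed for the model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Frame:
    """One Ethernet frame carrying an IPv4 packet (only the fields that matter here)."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str

# Constructed topology from the thread: remote branch 10.10.24.0/24 behind
# router 10.10.24.1, head office 10.10.1.0/24, FortiGate at 10.10.1.35.
# All MAC addresses are made up for the model.
BRANCH_NET = ip_network("10.10.24.0/24")
ROUTER_LAN_MAC = "02:00:24:00:00:01"   # router's 10.10.24.1 side
ROUTER_WAN_MAC = "02:00:01:00:00:01"   # router's 10.10.1.x side
FIREWALL_MAC = "02:00:01:00:00:35"     # FortiGate internal interface

def route_hop(frame: Frame) -> Frame:
    """A routed hop keeps the IP header but rebuilds the Ethernet header,
    so the next device only ever sees the router's MAC as the source."""
    if ip_address(frame.src_ip) not in BRANCH_NET:
        return frame
    return Frame(ROUTER_WAN_MAC, FIREWALL_MAC, frame.src_ip, frame.dst_ip)

def device_policy_verdict(frame: Frame, denied_macs: set[str]) -> str:
    """Simplified MAC/device-identity match: the firewall can only test the
    source MAC of the frame as it arrives on the ingress interface."""
    return "deny" if frame.src_mac.lower() in denied_macs else "allow"

def run_scenario(client_mac: str, client_ip: str, denied_macs: set[str]) -> tuple[str, str]:
    """Return (source MAC as seen by the firewall, policy verdict) for one client
    pinging 4.2.2.3, the test target used in the support ticket."""
    if ip_address(client_ip) in BRANCH_NET:      # remote branch: one routed hop
        frame = route_hop(Frame(client_mac, ROUTER_LAN_MAC, client_ip, "4.2.2.3"))
    else:                                         # same segment as the firewall
        frame = Frame(client_mac, FIREWALL_MAC, client_ip, "4.2.2.3")
    return frame.src_mac, device_policy_verdict(frame, {m.lower() for m in denied_macs})

if __name__ == "__main__":
    phone = "00:11:22:33:44:55"
    print(run_scenario(phone, "10.10.1.50", {phone}))      # same segment: the deny matches
    print(run_scenario(phone, "10.10.24.201", {phone}))    # routed: firewall sees the router MAC, allowed
    # Denying the router's MAC instead hits every host in the branch, not just the phone:
    print(run_scenario("aa:bb:cc:00:00:02", "10.10.24.202", {ROUTER_WAN_MAC}))
```

The second case is the situation in the ticket: the log's device field shows the router, so a device-identity deny on the phone's MAC never matches.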
 
LVL 61

Expert Comment

by:gheist
ID: 40519545
Sorry, but a ticket will not make the MAC of billions of wifi cards unchangeable.
It is not much more complex than changing an IP.
Your approach is wrong from the beginning. Why don't you set up some sort of wifi access controller to properly account for who does bad things?
0
 
LVL 12

Author Comment

by:ibu1
ID: 40520362
Let's see. When I opened the ticket with Fortigate, they just accepted what I was trying to achieve and created one policy, but were unable to block that particular MAC. They have taken the logs to test in their lab and will get back to me.
Thanks to all the Experts for their comments.
0
 
LVL 12

Author Comment

by:ibu1
ID: 41125586
I've requested that this question be deleted for the following reason:

No perfect answer.
0
 
LVL 61

Expert Comment

by:gheist
ID: 41125587
Striving for perfection can you share the perfect fortigate answer summarized in one sentence?
0
 
LVL 12

Author Comment

by:ibu1
ID: 41125624
Even no perfect answer from Fortigate support. They called me back and forth to take remote access to the router and wasted a lot of time. I can accept any of your comments to give you a consolation prize :).
0
 
LVL 61

Expert Comment

by:gheist
ID: 41125786
Can you summarize their answer?
0
 
LVL 12

Author Comment

by:ibu1
ID: 41125848
There is no answer from them.

IT Support
2014-12-21 01:58:00      
Attachment:  21 Dec 2014 HAC-FG-SEC_20141221_0933.conf
In order for Fortinet Technical Support to provide you with the optimum level of service, we request that the following information be provided:
1. A problem description : I want to create a policy based on device identity so I am able to block a MAC address. When I create a device policy, by default under the configured authentication rules it denies all devices. Under the all-devices group there are some IP addresses added automatically which are valid PC IP addresses, and I want internet access for them. I even cannot edit that rule to make it allow instead of deny.
2. Relevant background information (Has the configuration worked in the past? Is this a new configuration? Have any changes been made recently to the Fortinet device or application or on the network?) : This is the first time I want to create policy based on mac address.
3. A network diagram with the IP addressing clearly indicated : The IP Address on the firewall device is 10.10.1.35 with two service provider as wan1 and wan2 interface.
4. Configuration file(s): Attached is the configuration file.
5. Debug log(s)
6. A description and the results of your troubleshooting steps
      IT Support
2014-12-21 02:03:00      
Additional Email ID: ibrahimb@hassanabul.com
      IT Support
2014-12-21 23:33:00      
Dear Support Team,
Kindly update.
      Vasudhendra Joshi
2014-12-22 02:12:00      
Dear Customer,

Thank you for contacting Fortinet Technical Support. My name is Vasu and this ticket is assigned to me now.


Regards,
Vasu,
Fortinet Technical Support
      Vasudhendra Joshi
2014-12-22 02:15:00      
Hello Ibrahim,

I will go through the configuration file and get back to you.

We might need to have a remote session to further troubleshoot this issue.

Please let me know your convenient time frame for the same.

My work hours are from 9AM to 6PM(Dubai Time)

Regards,
Vasu,
Fortinet Technical Support
      IT Support
2014-12-22 04:08:00      
Hello Vasu,
You can call me any time between 9AM -6PM.
Regards,
Ibrahim
0096566373872
      Vasudhendra Joshi
2014-12-22 22:41:00      
Spoke to Ibrahim,

Currently his PC is not connected to the network (behind the FGT).

He will update the ticket when he has access to the device and setup.
      IT Support
2014-12-23 01:44:00      
Hello Vasu,
I apologize for the same. You can call me at 2:30 PM Kuwait time.
Regards,
Ibrahim
0096566373872
      Vasudhendra Joshi
2014-12-23 03:28:00      
Hello Ibrahim,

Please join the remote session with the below link:

https://global.gotomeeting.com/join/414526477

Regards,
Vasu,
Fortinet Technical Support
      IT Support
2014-12-23 04:48:00      
Attachment:  FTNT_putty.log;  23 Dec 2014 HAC-FG-SEC_20141223_1546.conf
Dear Vasu,
As requested by you, I am attaching the putty session file, log file for half an hour and the current config file.
Thanks.
      Vasudhendra Joshi
2014-12-23 05:30:00      
Thanks Ibrahim,

I will try to replicate the issue in our lab and get back to you.

Just a recap of our session:

- You would like to block the Internet access from specific device
- You manually added a device with the MAC
- Applied device identity policy to DENY all access from this device and allow other devices
- With the debug commands, we confirmed that the device is accessing internet via correct firewall policy
- however, in the logs, it shows a different device (in the device field)

Regards,
Vasu,
Fortinet Technical Support
      IT Support
2014-12-26 22:12:00      
Dear Vasu,
Please update.
Regards.
      Vasudhendra Joshi
2014-12-27 23:41:00      
Hello Ibrahim,

In my lab tests, this feature worked as expected.

However, there are not as many devices which you have in your setup and also there are no other devices in between my PC and the Fortigate which definitely makes it a different scenario.

See if the device is detected automatically, add an alias to it and create a device identity policy with ALL_ICMP blocked and move this policy to top.

Once that is done, on the Fortigate CLI, please run the below sniffer commands :

SSH Session1:

#diag sniffer packet <Internal_Interface> 'host 4.2.2.3' 6 0 a

SSH Session2:

#diag sniffer packet <External_Interface> 'host 4.2.2.3' 6 0 a

SSH Session 3:

diag debug reset
diag debug disable
diag debug enable
diag debug flow filter daddr 4.2.2.3
diag debug flow show console enable
diag debug console timestamp enable
diag debug flow trace start 50


Once the above commands are executed, try a ping from the android device to IP : 4.2.2.3. Once the ping is done, stop the capture (for the sniffer capture, press Ctrl+C, and for SSH Session 3, type 'diag debug disable') and attach the output to the ticket.


Regards,
Vasu,
Fortinet Technical Support
      IT Support
2014-12-28 00:36:00      
Hello Vasu,
You have mentioned nothing new here. The same steps we already did before.
Already Created the alias for that MAC address and blocked all icmp and the policy is moved on top of the order.
Regards.
      Vasudhendra Joshi
2014-12-28 00:51:00      
Hello Ibrahim,

It is not a solution, it is just to make sure that the settings are in place and then the command output will give me the output which I can analyze further.



Regards,
Vasu,
Fortinet Technical Support
      IT Support
2014-12-28 01:05:00      
The output of the command is already supplied to you on 2014-12-23 04:48:00.
      IT Support
2014-12-28 01:08:00      
If you need anything else, please have a remote session.
      Vasudhendra Joshi
2014-12-30 01:40:00      
Spoke to Ibrahim,

For testing, he has disabled the ' Detect and Identify Devices ' as most of the devices which are auto-detected are not needed and he just wants to add specific devices manually to restrict the access.
- He is in process to delete the detected devices and then add a firewall policy to verify the working of it

He will provide an update on the ticket


Regards,
Vasu,
Fortinet Technical Support
0
 
LVL 61

Expert Comment

by:gheist
ID: 41125884
Which confirms that MAC you are trying to block is on different L2 isolated network. http:#40519411
0
 
LVL 12

Author Comment

by:ibu1
ID: 41126004
Yes. What's next? Should I accept any of your comments?
0
 
LVL 12

Author Comment

by:ibu1
ID: 41127148
Hello,
Multiple times in my above comments I have asked the experts "Should I accept any of your comments?".
0
 
LVL 12

Author Comment

by:ibu1
ID: 41127164
Please look into the below link and please advise why the asked question is shown as neglected
http://www.experts-exchange.com/questions/28776519/Backup-Exec-2014-Overwrite-and-Append-setting.html
0
 
LVL 61

Expert Comment

by:gheist
ID: 41127347
Split evenly between experts participating.
http:#40519540 (btan saying unnecessary ACLs are burdensome), http:#40519456 (me saying that your firewall does not see the client at Layer 2) and, if you patched down the road, http:#40517362
0
