MAC address-based policies
MAC addresses can be added to the following IPv4 policies:
-
Firewall
-
Virtual wire pair
-
ACL
-
Central SNAT
-
DoS
A MAC address is a link layer-based address type and it cannot be forwarded across different IP segments. In FortiOS, you can configure a firewall address object with a singular MAC, wildcard MAC, multiple MACs, or a MAC range.
FortiOS only supports the MAC address type as source address for policies in NAT mode VDOM. When you use the MAC address type in a policy as source address in NAT mode VDOM, IP address translation (NAT) is still performed according to the rules defined in the policy. The MAC address type only works for source address matching. It does not have any association with NAT actions.
For policies in transparent mode or the virtual wire pair interface, you can use the MAC address type as source or destination address.
To configure a MAC address using the GUI:
-
Go to Policy & Objects > Addresses and select Address.
-
Click Create new.
-
Enter a name.
-
For Category, select Address.
-
For Type, select Device (MAC Address).
-
Enter the MAC address.
-
Click OK.
-
Go to Policy & Objects > Firewall Policy to apply the address type to a policy in NAT mode VDOM:
-
For Source, select the MAC address you just configured.
-
For Destination, select an address.
In NAT mode VDOM, this address type cannot be used as destination address.
-
Configure the other settings as needed.
-
Click OK.
-
To configure a MAC address using the CLI:
-
Create a new MAC address:
config firewall address edit "test-mac-addr-1" set type mac set macaddr 00:0c:29:41:98:88 next end
-
Apply the address type to a policy. In transparent mode or the virtual wire pair interface, this address type can be mixed with other address types in the policy:
config firewall policy edit 1 set srcintf "port2" set dstintf "port1" set srcaddr "test-mac-addr-1" "10-1-100-42" set dstaddr "all" set action accept set schedule "always" set service "ALL" set logtraffic all set nat enable next end
Device & OS Identification dynamic address subtype
Another type of MAC address object is the dynamic Device & OS identification subtype. This firewall address subtype is an advanced feature that can be used in policies that support dynamic address subtypes, and it relies on device detection configured on the interface connected to user devices to determine device information.
The FortiGate will update the dynamic address used in firewall policies based on the MAC address and other device and OS information for devices matching configured criteria. The criteria could be hardware vendor, hardware model, software OS, software version, or a combination of these parameters.
Only existing devices whose device information has already been detected by the FortiGate and is known can be added to this dynamic address subtype. |
Similar to MAC address-based objects, the dynamic address subtype can be used as a source address for firewall policies, proxy policies, and ZTNA rules. The dynamic address subtype can be used as a source or destination address for transparent mode policies or a virtual wire pair policy.
To use the dynamic Device & OS Identification subtype, go to System > Feature Visibility and enable Dynamic Device & OS Identification. Once enabled, the dynamic address subtype can be configured on the Policy & Objects > Addresses page.