Ibrahim Bazarwala (Kuwait) asked:
Block MAC address through Fortigate firewall 100 D

Dear Experts,
I want to block a MAC address through a Fortigate firewall (Firmware Version v5.0,build0252 (GA Patch 5)). I have added a device definition and created a new policy. Below is a snapshot of the policy. When I check the log, the policy is being applied by the firewall, but instead of denying, it is allowing the access.
Thanks.
Attachment: untitled.bmp
gheist

MAC addresses can be blocked on a managed network switch.
btan

FortiGate supports ipmacbinding; you need to enable IP/MAC binding for an individual FortiGate unit network interface. Note that it will only help when the devices being restricted reside on the same network segment as a FortiGate interface. E.g. syntax:
config firewall ipmacbinding setting
    set bindthroughfw {enable | disable}   - this enables IP/MAC binding for traffic going through the firewall
    set bindtofw {enable | disable}        - this checks the IP/MAC binding combination for traffic going TO the firewall
    set undefinedhost {allow | block}      - this defines how the firewall treats traffic that has not been bound
end
Garry Glendown: (solution only available to Experts Exchange members)
ASKER
Hello,
I want to enable the MAC blocking on the firewall only. Below is the current scenario:
Remote branch: 10.10.24.0. Router: 10.10.24.1. DHCP range: 10.10.24.200-10.10.24.250. Route: 0.0.0.0 0.0.0.0 10.10.1.35
HO: 10.10.1.0, Firewall IP address: 10.10.1.35
Thanks.
Do see this example, which helps: http://itzecurity.blogspot.sg/2014/07/mac-black-list-packet-drop-if-dhcp.html
Mainly, the IP/MAC table needs to be populated (manually (a) or automatically via the FortiGate as DHCP server (b)) and the ipmac binding enabled on the interface to enforce this check. But do note some points on schemes (a) and (b):

(a) - When IP/MAC binding is enabled on the interface, any change to a client IP address needs to be updated in the table. This applies especially to the static bindings entered manually. Also update it in the event a new computer is added to the network. If these are not updated in time, the new or changed hosts may be denied access (depending on the FW setting).

(b) - When a client's MAC address is automatically registered in the IP/MAC binding table via the above-mentioned DHCP scheme, this simplifies the binding configuration, but be wary that this update can also include untrusted hosts if the latter are allowed to access the DHCP server. So do ensure only trusted internal clients have access to the DHCP server.

Specifically, on top of the table population and binding to the interface, below is an example to enable IP/MAC binding going to and going through the firewall, and block undefined hosts (IP/MAC address pairs).
config firewall ipmacbinding setting
    set bindthroughfw enable
    set bindtofw enable
    set undefinedhost block
end
The DHCP server which gives the IP address is on a different network. I want to enable MAC blocking on the firewall itself.
Thanks.
You can assign the MAC of concern as stated in the link, which shares the syntax for creating manual entries in the ipmacbinding table: http://kb.fortinet.com/kb/viewContent.do?externalId=FD30158

config firewall ipmacbinding table
    edit <index_int>                - the number of the entry in the IP/MAC binding table
        set ip <address_ipv4>       - IP address value
        set mac <address_hex>       - MAC address value
        set name <name_str>         - the name which may be used for this binding
        set status {enable | disable} - whether the binding is enabled
    next
end
Yes, you can enable it according to the description, but it will be very inefficient and most likely not block anything because:
1) Packets from another subnet can arrive from any router's MAC on the same subnet, so you would have to block those too, effectively blocking all other subnets
2) Changing a MAC is easy as pie unless you use MAC ACLs on the network switch
3) Since it is DHCP - why don't you make it a fixed IP and block the IP?
So you do not have either the authority or the capability or the position to do such blocking - in short - ask your network administrator for assistance.
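To make the IP/MAC binding semantics and the layer-2 caveat concrete, here is an added example (my code, not FortiGate's and not from any poster). It parses the two CLI blocks quoted above into a Python structure and evaluates frames against them. The evaluation order (matching pair allowed; IP or MAC known but pair mismatched dropped; neither known decided by `undefinedhost`) is my reading of the documented behaviour and is an assumption, as are the function names `parse_ipmacbinding`, `evaluate`, `mac_seen_by_firewall` and `demo`, the sample MACs, and the branch router's MAC. It also models the thread's topology: a frame from 10.10.24.0/24 reaches the firewall at 10.10.1.35 carrying the branch router's MAC, not the client's.

```python
"""IP/MAC binding model: an added example, not FortiGate code.

It parses the 'config firewall ipmacbinding setting' and '... table' CLI
blocks and evaluates frames against them.  The evaluation order below is my
reading of the documented semantics and is an assumption:
  1. (ip, mac) pair present with 'set status enable'  -> allow
  2. ip OR mac present in the table but pair mismatch  -> drop
  3. neither present                                   -> 'set undefinedhost'
It also models the routed-branch case from the thread: a frame from
10.10.24.0/24 reaches the firewall carrying the branch router's MAC.
"""
import ipaddress

# Constructed sample config; the MACs and names are made up for the example.
SAMPLE_CONFIG = """\
config firewall ipmacbinding setting
    set bindthroughfw enable
    set bindtofw enable
    set undefinedhost block
end
config firewall ipmacbinding table
    edit 1
        set ip 10.10.1.50
        set mac 00:11:22:33:44:55
        set name ho-pc-01
        set status enable
    next
    edit 2
        set ip 10.10.24.210
        set mac 00:11:22:33:44:66
        set name branch-phone
        set status enable
    next
end
"""

# Constructed: MAC of the branch router 10.10.24.1 as seen from the HO segment.
BRANCH_ROUTER_MAC = "00:aa:bb:cc:dd:01"
FIREWALL_SEGMENT = ipaddress.ip_network("10.10.1.0/24")  # HO segment from the thread


def parse_ipmacbinding(text):
    """Return (settings, table) from the FortiGate-style CLI text."""
    settings, table, section, entry = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config firewall ipmacbinding "):
            section = line.split()[-1]          # 'setting' or 'table'
        elif line == "end":
            section = None
        elif line.startswith("edit ") and section == "table":
            entry = {"ip": None, "mac": None, "name": None, "status": "enable"}
            table[int(line.split()[1])] = entry
        elif line == "next":
            entry = None
        elif line.startswith("set "):
            _, key, value = line.split(None, 2)
            if section == "setting":
                settings[key] = value
            elif section == "table" and entry is not None:
                entry[key] = value.lower() if key == "mac" else value
    return settings, table


def evaluate(settings, table, src_ip, src_mac, to_firewall=False):
    """Return ('allow' | 'drop', reason) for a frame on a bound interface."""
    direction = "bindtofw" if to_firewall else "bindthroughfw"
    if settings.get(direction) != "enable":
        return "allow", f"{direction} is not enabled"
    src_mac = src_mac.lower()
    active = [e for e in table.values() if e["status"] == "enable"]
    for e in active:
        if e["ip"] == src_ip and e["mac"] == src_mac:
            return "allow", f"matches binding {e['name']}"
    if any(e["ip"] == src_ip or e["mac"] == src_mac for e in active):
        return "drop", "ip or mac is in the table but the pair does not match"
    if settings.get("undefinedhost", "allow") == "block":
        return "drop", "undefined host and undefinedhost=block"
    return "allow", "undefined host and undefinedhost=allow"


def mac_seen_by_firewall(src_ip, client_mac):
    """Source MAC the firewall interface actually sees (layer-2 reality check).

    Hosts on the firewall's own segment present their own MAC.  Hosts behind
    the branch router are forwarded by it, so every frame from 10.10.24.0/24
    arrives with the router's MAC; the client's MAC never reaches the firewall.
    """
    if ipaddress.ip_address(src_ip) in FIREWALL_SEGMENT:
        return client_mac
    return BRANCH_ROUTER_MAC


def demo():
    """Evaluate four constructed clients; returns {name: verdict}."""
    settings, table = parse_ipmacbinding(SAMPLE_CONFIG)
    clients = {
        "ho-pc-01":     ("10.10.1.50",   "00:11:22:33:44:55"),  # bound, local
        "ho-unknown":   ("10.10.1.77",   "00:11:22:33:44:99"),  # unbound, local
        "branch-phone": ("10.10.24.210", "00:11:22:33:44:66"),  # bound, routed
        "branch-other": ("10.10.24.211", "00:11:22:33:44:77"),  # unbound, routed
    }
    results = {}
    for name, (ip, mac) in clients.items():
        seen = mac_seen_by_firewall(ip, mac)
        verdict, reason = evaluate(settings, table, ip, seen)
        results[name] = verdict
        print(f"{name:13s} {ip:13s} seen-mac={seen}  {verdict}: {reason}")
    return results


if __name__ == "__main__":
    demo()
```

Running `demo()` shows the problem from the thread: the local PC matches its binding, but the branch phone is dropped for the wrong reason (its IP is bound, yet the MAC on the wire is the router's), and the unbound branch host is dropped only because `undefinedhost` is `block`. Every branch host looks identical at layer 2, so a binding that admits the router's MAC admits the whole branch, and a block aimed at one branch MAC can never match; the enforcement point has to be the branch router or switch.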
Hello,
The reason for not giving fixed IPs is that these subnet users have their own mobiles and they know how to change the IP address, and there are a lot of access points to enable the MAC filter on.
Thanks.
(solution only available to Experts Exchange members)
I have created a ticket with fortigate support. Will post you the solution soon.
Thanks.
Asker-certified solution (only available to Experts Exchange members)
Sorry, but a ticket will not make the MACs of billions of wifi cards unchangeable.
It is not much more complex than changing an IP.
Your approach is wrong from the beginning. Why don't you set up some sort of wifi access controller to properly account for who does bad things?
Let's see. When I opened the ticket with Fortigate, they just accepted what I am trying to achieve and they created one policy but were unable to block that particular MAC. They have taken the logs to test in their lab and will get back to me.
Thanks to all the Experts for their comments.
I've requested that this question be deleted for the following reason:

No perfect answer.
Striving for perfection: can you share the perfect Fortigate answer summarized in one sentence?
Even no perfect answer from Fortigate support. They called me back and forth to take remote access to the router and wasted a lot of time. I can accept any of your comments to give you a consolation prize :).
Can you summarize their answer?
There is no answer from them.

IT Support (2014-12-21 01:58:00)
Attachment:  21 Dec 2014 HAC-FG-SEC_20141221_0933.conf
In order for Fortinet Technical Support to provide you with the optimum level of service, we request that the following information be provided:
1. A problem description: I want to create a policy based on device identity so I am able to block a MAC address. When I create a device policy, by default under the configured authentication rules it denies all devices. Under the all-devices group there are some IP addresses added automatically which are valid PC IP addresses, and I want internet access for them. I cannot even edit that rule to make it allow instead of deny.
2. Relevant background information (Has the configuration worked in the past? Is this a new configuration? Have any changes been made recently to the Fortinet device or application or on the network?): This is the first time I want to create a policy based on MAC address.
3. A network diagram with the IP addressing clearly indicated: The IP address on the firewall device is 10.10.1.35 with two service providers on the wan1 and wan2 interfaces.
4. Configuration file(s): Attached is the configuration file.
5. Debug log(s)
6. A description and the results of your troubleshooting steps
IT Support (2014-12-21 02:03:00)
Additional Email ID: ibrahimb@hassanabul.com
IT Support (2014-12-21 23:33:00)
Dear Support Team,
Kindly update.
Vasudhendra Joshi (2014-12-22 02:12:00)
Dear Customer,

Thank you for contacting Fortinet Technical Support. My name is Vasu and this ticket is assigned to me now.


Regards,
Vasu,
Fortinet Technical Support
Vasudhendra Joshi (2014-12-22 02:15:00)
Hello Ibrahim,

I will go through the configuration file and get back to you.

We might need to have a remote session to further troubleshoot this issue.

Please let me know your convenient time frame for the same.

My work hours are from 9AM to 6PM(Dubai Time)

Regards,
Vasu,
Fortinet Technical Support
IT Support (2014-12-22 04:08:00)
Hello Vasu,
You can call me any time between 9AM -6PM.
Regards,
Ibrahim
0096566373872
Vasudhendra Joshi (2014-12-22 22:41:00)
Spoke to Ibrahim,

Currently his PC is not connected to the network (behind the FGT).

He will update the ticket when he has access to the device and setup.
IT Support (2014-12-23 01:44:00)
Hello Vasu,
I apologize for the same. You can call me at 2:30 PM Kuwait time.
Regards,
Ibrahim
0096566373872
Vasudhendra Joshi (2014-12-23 03:28:00)
Hello Ibrahim,

Please join the remote session with the below link:

https://global.gotomeeting.com/join/414526477

Regards,
Vasu,
Fortinet Technical Support
IT Support (2014-12-23 04:48:00)
Attachment:  FTNT_putty.log;  23 Dec 2014 HAC-FG-SEC_20141223_1546.conf
Dear Vasu,
As requested by you, I am attaching the PuTTY session file, the log file for half an hour and the current config file.
Thanks.
Vasudhendra Joshi (2014-12-23 05:30:00)
Thanks Ibrahim,

I will try to replicate the issue in our lab and get back to you.

Just a recap of our session:

- You would like to block Internet access from a specific device
- You manually added a device with the MAC
- Applied a device identity policy to DENY all access from this device and allow other devices
- With the debug commands, we confirmed that the device is accessing the internet via the correct firewall policy
- However, in the logs, it shows a different device (in the device field)

Regards,
Vasu,
Fortinet Technical Support
IT Support (2014-12-26 22:12:00)
Dear Vasu,
Please update.
Regards.
Vasudhendra Joshi (2014-12-27 23:41:00)
Hello Ibrahim,

In my lab tests, this feature worked as expected.

However, there are not as many devices as you have in your setup, and also there are no other devices in between my PC and the Fortigate, which definitely makes it a different scenario.

See if the device is detected automatically, add an alias to it, create a device identity policy with ALL_ICMP blocked and move this policy to the top.

Once that is done, on the Fortigate CLI, please run the below sniffer commands :

SSH Session1:

#diag sniffer packet <Internal_Interface> 'host 4.2.2.3' 6 0 a

SSH Session2:

#diag sniffer packet <External_Interface> 'host 4.2.2.3' 6 0 a

SSH Session 3:

diag debug reset
diag debug disable
diag debug enable
diag debug flow filter daddr 4.2.2.3
diag debug flow show console enable
diag debug console timestamp enable
diag debug flow trace start 50


Once the above commands are executed, try a ping from the android device to IP 4.2.2.3. Once the ping is done, stop the capture (for the sniffer capture, press ctrl+C; for SSH Session 3, type 'diag debug disable') and attach the output to the ticket.


Regards,
Vasu,
Fortinet Technical Support
IT Support (2014-12-28 00:36:00)
Hello Vasu,
You have mentioned nothing new here. We already did the same steps before.
I already created the alias for that MAC address and blocked all ICMP, and the policy is moved to the top of the order.
Regards.
Vasudhendra Joshi (2014-12-28 00:51:00)
Hello Ibrahim,

It is not a solution; it is just to make sure that the settings are in place, and then the command output will give me the output which I can analyze further.



Regards,
Vasu,
Fortinet Technical Support
IT Support (2014-12-28 01:05:00)
The output of the command is already supplied to you on 2014-12-23 04:48:00.
IT Support (2014-12-28 01:08:00)
If you need anything else, please have a remote session.
Vasudhendra Joshi (2014-12-30 01:40:00)
Spoke to Ibrahim,

For testing, he has disabled 'Detect and Identify Devices', as most of the devices which are auto-detected are not needed and he just wants to add specific devices manually to restrict the access.
- He is in the process of deleting the detected devices and will then add a firewall policy to verify that it works

He will provide an update on the ticket


Regards,
Vasu,
Fortinet Technical Support
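The debug procedure in the ticket above produces a `diag debug flow` trace in which each flow is tagged with a `trace_id` and ends in an "Allowed by" or "Denied by" line. As an added example (my code, not Fortinet's and not from the ticket), here is a small reader that groups such lines by trace id, pulls out source, destination and ingress interface from the packet line, and reports the verdict per source, which is what the support engineer wanted to read off the capture. The sample lines are constructed in the shape of FortiOS 5.x flow-trace output (`id=.. trace_id=.. func=.. line=.. msg="..."`); the function names, line numbers, session ids and the policy id are placeholders, not values from the thread, and the helper names `parse_flow_trace`, `verdicts_for` and `undecided` are mine.

```python
"""Reader for FortiGate 'diag debug flow' trace output: an added example,
not Fortinet's code.  It groups lines by trace_id, extracts source,
destination and ingress interface from the packet line, and records the
final verdict so a capture attached to a ticket can be checked quickly.
The sample is CONSTRUCTED in the shape of FortiOS 5.x flow-trace lines;
func names, line numbers, session ids and the policy id are placeholders.
"""
import re

SAMPLE_TRACE = """\
id=13 trace_id=1 func=print_pkt_detail line=4440 msg="vd-root received a packet(proto=1, 10.10.1.50:1->4.2.2.3:8) from internal."
id=13 trace_id=1 func=init_ip_session_common line=4575 msg="allocate a new session-00003e7d"
id=13 trace_id=1 func=fw_forward_handler line=670 msg="Allowed by Policy-5:"
id=13 trace_id=2 func=print_pkt_detail line=4440 msg="vd-root received a packet(proto=1, 10.10.24.210:1->4.2.2.3:8) from internal."
id=13 trace_id=2 func=init_ip_session_common line=4575 msg="allocate a new session-00003e7e"
id=13 trace_id=2 func=fw_forward_handler line=670 msg="Denied by forward policy check"
"""

# One trace line: we only need the trace id and the quoted message.
LINE_RE = re.compile(r'\btrace_id=(?P<tid>\d+)\b.*?\bmsg="(?P<msg>.*)"\s*$')
# The 'received a packet(...)' message carries 5-tuple and ingress interface.
PKT_RE = re.compile(
    r'received a packet\(proto=(?P<proto>\d+), (?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):\d+\) from (?P<intf>\S+?)\.?$'
)
# Final verdict line: 'Allowed by Policy-N:' or 'Denied by <check>'.
VERDICT_RE = re.compile(r'\b(?P<verdict>Allowed|Denied) by (?P<what>[^:"]+)')


def parse_flow_trace(text):
    """Return {trace_id: {src, dst, intf, proto, verdict, policy}} in capture order."""
    flows = {}
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue                      # prompt, blank line or other noise
        flow = flows.setdefault(m["tid"], dict(src=None, dst=None, intf=None,
                                               proto=None, verdict=None, policy=None))
        msg = m["msg"]
        pkt = PKT_RE.search(msg)
        if pkt:
            flow.update(src=pkt["src"], dst=pkt["dst"], intf=pkt["intf"],
                        proto=int(pkt["proto"]))
        ver = VERDICT_RE.search(msg)
        if ver:
            flow["verdict"] = ver["verdict"].lower()
            flow["policy"] = ver["what"].strip()
    return flows


def verdicts_for(dst, text=SAMPLE_TRACE):
    """{src_ip: (verdict, matched rule)} for every flow towards dst (4.2.2.3 in the ticket)."""
    return {f["src"]: (f["verdict"], f["policy"])
            for f in parse_flow_trace(text).values() if f["dst"] == dst}


def undecided(text=SAMPLE_TRACE):
    """Trace ids that never reached a verdict: a truncated capture or a flow dropped earlier."""
    return [tid for tid, f in parse_flow_trace(text).items() if f["verdict"] is None]


if __name__ == "__main__":
    for src, (verdict, rule) in verdicts_for("4.2.2.3").items():
        print(f"{src:14s} {verdict:8s} {rule}")
```

Reading the verdict this way, together with the source MAC from the `diag sniffer packet` capture on the internal interface, is what separates the two failure modes in this thread: a device-identity policy that never matched because the firewall saw a different device (the router) at layer 2, versus a policy that matched but allowed the traffic.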
Which confirms that the MAC you are trying to block is on a different, L2-isolated network. http:#40519411
Yes. What's next? Should I accept any of your comments?
Hello,
Multiple times in my above comments I have asked the experts "Should I accept any of your comments".
Please look into the below link and please advise why the asked question is shown as neglected.
https://www.experts-exchange.com/questions/28776519/Backup-Exec-2014-Overwrite-and-Append-setting.html
Split evenly between experts participating.
http:#40519540 (btan saying unnecessary ACLs are burdensome), http:#40519456 (me saying that your firewall does not see the client at Layer 2), and if you patched down the road, http:#40517362