Cookbook

MAC address-based policies


MAC address ranges can be added to the following IPv4 policies:

  • Firewall
  • Virtual wire pair
  • ACL
  • Central SNAT
  • DoS

A MAC address is a link-layer address, so it is not carried across routed IP segments: a MAC address range in a policy only matches hosts whose frames reach the FortiGate on a directly connected segment.

FortiOS only supports the MAC address type as source address for policies in NAT mode VDOM. When you use the MAC address type in a policy as source address in NAT mode VDOM, IP address translation (NAT) is still performed according to the rules defined in the policy. The MAC address type only works for source address matching. It does not have any association with NAT actions.

For policies in transparent mode or the virtual wire pair interface, you can use the MAC address type as source or destination address.

To configure a MAC address range using the GUI:
  1. Go to Policy & Objects > Addresses to create or edit an address:
    1. For Category, select Address.
    2. For Type, select MAC Address Range.
    3. Enter the address range in the empty fields.
    4. Configure the other fields as needed.
    5. Click OK.

  2. Go to Policy & Objects > IPv4 Policy to apply the address type to a policy in NAT mode VDOM:
    1. For Source, select the MAC address you just configured.
    2. For Destination, select an address.
      Note: In NAT mode VDOM, this address type cannot be used as destination address.

    3. Click OK.

To configure a MAC address range using the CLI:
  1. Create a new MAC address range type:
    config firewall address
        edit <object_name>
            set type mac
            set start-mac <mac_address_start #>
            set end-mac <mac_address_end #>
        next
    end
  2. Apply the address type to a policy. In transparent mode or the virtual wire pair interface, this address type can be mixed with other address types in the policy:
    config firewall address
        edit "test-mac-addr1"
            set type mac
            set start-mac 00:0c:29:41:98:88
            set end-mac 00:0c:29:41:98:88
        next
    end
    config firewall policy
        edit 1
            set srcintf "port2"
            set dstintf "port1"
            set srcaddr "test-mac-addr1" "10-1-100-42"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set logtraffic all
            set nat enable
        next
    end
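The following Python model, added here as an example and not FortiOS code, shows the two rules above as matching logic: a MAC-range object compares only the source MAC (so a host behind a router, whose frames arrive with the router's MAC, never matches), and a NAT mode VDOM refuses a MAC range in dstaddr. It reuses the objects from the CLI example; the assumption that "10-1-100-42" is a /32 host object, the assumption that several srcaddr entries match when any one of them matches, and all sample packets are constructed for illustration.

```python
"""Model of how a MAC-range address object is matched in a firewall policy.

Added example, not FortiOS code. It models the page's two rules:
  * a MAC range matches only on source MAC (link-layer, so only hosts on a
    directly connected segment can match), and
  * in a NAT mode VDOM a MAC range may not be used as a destination address.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Union

_MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)


def mac_to_int(mac: str) -> int:
    """Parse 'aa:bb:cc:dd:ee:ff' (any case) into a 48-bit integer for range comparison."""
    mac = mac.strip()
    if not _MAC_RE.match(mac):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int(mac.replace(":", ""), 16)


@dataclass
class MacRange:
    """'set type mac' address object: inclusive start-mac .. end-mac."""
    name: str
    start_mac: str
    end_mac: str

    def __post_init__(self) -> None:
        if mac_to_int(self.start_mac) > mac_to_int(self.end_mac):
            raise ValueError(f"{self.name}: start-mac is above end-mac")

    def matches(self, src_mac: str, src_ip: str) -> bool:
        # Only the link-layer source address is consulted; src_ip is ignored.
        return mac_to_int(self.start_mac) <= mac_to_int(src_mac) <= mac_to_int(self.end_mac)


@dataclass
class IpSubnet:
    """Ordinary subnet/host address object, e.g. a /32 for one host."""
    name: str
    network: str

    def matches(self, src_mac: str, src_ip: str) -> bool:
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.network, strict=False)


AddressObject = Union[MacRange, IpSubnet]


@dataclass
class Policy:
    """Subset of 'config firewall policy' needed to show the matching rules."""
    policy_id: int
    vdom_mode: str  # "nat" or "transparent" (virtual wire pair is treated like transparent here)
    srcaddr: List[AddressObject]
    dstaddr: List[AddressObject]

    def validate(self) -> None:
        """Reject the combination the page says a NAT mode VDOM does not allow."""
        if self.vdom_mode not in ("nat", "transparent"):
            raise ValueError(f"policy {self.policy_id}: unknown VDOM mode {self.vdom_mode!r}")
        if self.vdom_mode == "nat" and any(isinstance(a, MacRange) for a in self.dstaddr):
            raise ValueError(f"policy {self.policy_id}: MAC range as dstaddr is not allowed in a NAT mode VDOM")

    def matches_source(self, src_mac: str, src_ip: str) -> bool:
        """Assumption: several srcaddr entries match when ANY one of them matches."""
        self.validate()
        return any(a.matches(src_mac, src_ip) for a in self.srcaddr)


# Objects from the page's CLI example; the /32 behind "10-1-100-42" is an assumption.
TEST_MAC_ADDR1 = MacRange("test-mac-addr1", "00:0c:29:41:98:88", "00:0c:29:41:98:88")
HOST_10_1_100_42 = IpSubnet("10-1-100-42", "10.1.100.42/32")
ALL = IpSubnet("all", "0.0.0.0/0")

POLICY_1 = Policy(policy_id=1, vdom_mode="nat",
                  srcaddr=[TEST_MAC_ADDR1, HOST_10_1_100_42], dstaddr=[ALL])


def classify_packets() -> Dict[str, bool]:
    """Constructed sample packets: which ones policy 1 matches on its source addresses."""
    samples = {
        # host on the directly connected segment with the listed MAC, any IP
        "same-segment-mac": ("00:0C:29:41:98:88", "192.0.2.5"),
        # the listed IP arriving with another MAC (still matches via the /32 entry)
        "listed-ip-other-mac": ("00:0c:29:41:98:89", "10.1.100.42"),
        # packet from a routed segment: source MAC is the upstream router's, IP not listed
        "routed-other-ip": ("00:0c:29:41:98:89", "192.0.2.5"),
    }
    return {k: POLICY_1.matches_source(mac, ip) for k, (mac, ip) in samples.items()}


def mac_as_destination_allowed(vdom_mode: str) -> bool:
    """True if a policy using a MAC range as dstaddr validates in the given VDOM mode."""
    try:
        Policy(2, vdom_mode, srcaddr=[ALL], dstaddr=[TEST_MAC_ADDR1]).validate()
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name, hit in classify_packets().items():
        print(f"{name:22s} -> {'match' if hit else 'no match'}")
    for mode in ("nat", "transparent"):
        print(f"MAC range as dstaddr in {mode} mode: {'allowed' if mac_as_destination_allowed(mode) else 'rejected'}")
```

The "routed-other-ip" case is the one to keep in mind when a MAC-based policy appears not to fire: once traffic crosses a router, the source MAC seen by the FortiGate belongs to that router, so only an IP-based address object can still identify the original host.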
