Improve MAC address filtering 7.2.1

This enhancement adds GUI support for configuring MAC address filters on the WiFi & Switch Controller > SSIDs page and introduces a new address-group-policy command that applies MAC filters directly from the SSID. Using address groups, you can choose whether to permit or exclude clients based on their MAC addresses.

To create and apply a MAC address filter - GUI:
  1. Go to Policy & Objects > Addresses and select Create New > Address.
  2. Name the address and set the Type as Device (MAC Address).
  3. Enter the MAC address(es) you want to filter.
  4. When you are finished, click OK.
  5. Go to Policy & Objects > Addresses and select Create New > Address Group.
  6. Name the address group.
  7. Click Members and select the address you created earlier.
  8. When you are finished, click OK.
  9. Go to WiFi & Switch Controller > SSIDs and select the SSID you want to apply the filter to.
  10. Locate Client MAC Address Filtering and select an Address group policy:
    • Disable: Do not apply a MAC address filtering policy to MAC addresses that are in the address group. This is the default.
    • Allow: Permit clients with MAC addresses that are in the address group.
    • Deny: Deny clients with MAC addresses that are in the address group.
  11. Select the Address group you created.
  12. When you are finished, click OK.

    The SSID now accepts or denies clients whose MAC addresses are in the address group you configured.

To create and apply a MAC address filter - CLI:
  1. Create the firewall address entry and set the type to mac:

      config firewall address
        edit "client-1"
          set uuid f35b2080-a199-51ec-7d97-00495859217e
          set type mac
          set macaddr "f8:e4:e3:d8:5e:af"
        next
      end

  2. Create a firewall address group and select the address entry you just created:

      config firewall addrgrp
        edit "mac-group"
          set uuid 26260750-a19a-51ec-b054-b385dab00c07
          set member "client-1"
        next
      end

  3. Under the wireless VAP interface, use the new address-group-policy option to control the MAC filter function.

    • To allow the connection, select the created address-group and set the address-group-policy to allow:

      config wireless-controller vap
        edit "wifi.fap.01"
          set ssid "ExampleSSID"
          set passphrase ENC *
          set schedule "always"
          set address-group "mac-group"
          set address-group-policy allow
        next
      end

    • To deny the connection, select the created address-group and set the address-group-policy to deny:

      config wireless-controller vap
        edit "wifi.fap.02"
          set ssid "ExampleSSID"
          set passphrase ENC *
          set schedule "always"
          set address-group "mac-group"
          set address-group-policy deny
        next
      end
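
The following Python check is an added example, not Fortinet code: it parses config text in the form shown in the CLI steps, resolves each VAP's address-group to its MAC addresses, and marks VAPs whose address-group-policy is left at the default (disable), where the group is referenced but not enforced. The sample config is constructed, wifi.fap.03 is a hypothetical VAP added to show the unset case, and the parser assumes flat config/edit/set blocks as on this page.

```python
import shlex

# Constructed sample in the style of the CLI steps above (not a device backup).
# "wifi.fap.03" is a hypothetical VAP that names the group but sets no policy.
SAMPLE = """
config firewall address
    edit "client-1"
        set type mac
        set macaddr "f8:e4:e3:d8:5e:af"
    next
end
config firewall addrgrp
    edit "mac-group"
        set member "client-1"
    next
end
config wireless-controller vap
    edit "wifi.fap.01"
        set address-group "mac-group"
        set address-group-policy allow
    next
    edit "wifi.fap.03"
        set address-group "mac-group"
    next
end
"""

def parse(text):
    """Flat config/edit/set blocks -> {section: {entry: {key: [values]}}}."""
    tree, section, entry = {}, None, None
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] == "config":
            section, entry = tree.setdefault(" ".join(tok[1:]), {}), None
        elif tok[0] == "edit" and section is not None:
            entry = section.setdefault(tok[1], {})
        elif tok[0] == "set" and entry is not None:
            entry[tok[1]] = tok[2:]
    return tree

def audit(text):
    """Return (vap, policy, macs, enforced) per VAP that names an address group."""
    cfg, rows = parse(text), []
    addrs, groups = cfg.get("firewall address", {}), cfg.get("firewall addrgrp", {})
    for name, vap in cfg.get("wireless-controller vap", {}).items():
        if "address-group" in vap:
            policy = vap.get("address-group-policy", ["disable"])[0]  # unset = disable
            members = groups.get(vap["address-group"][0], {}).get("member", [])
            macs = sorted(m for a in members for m in addrs.get(a, {}).get("macaddr", []))
            rows.append((name, policy, macs, policy in ("allow", "deny")))
    return rows
```

Rows whose last field is False identify SSIDs where an address group is attached but clients are neither permitted nor excluded by it.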
