Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • New Features

    7.4.0
    7.6.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0
    6.2.0

    MAC address threat feed

    MAC address threat feed

    Note

    This information is also available in the FortiOS 7.4 Administration Guide:

    A MAC address threat feed is a dynamic list that contains MAC addresses, MAC ranges, and MAC OUIs. The list is periodically updated from an external server and stored in text file format on an external server. After the FortiGate imports this list, it can be used as a source in firewall policies, proxy policies, and ZTNA rules. For policies in transparent mode or virtual wire pair policies, the MAC address threat feed can be used as a source or destination address.

    Text file example:

    01:01:01:01:01:01
01:01:01:01:01:01-01:01:02:50:20:ff
8c:aa:b5

    The file contains one MAC address, MAC range, or MAC OUI per line.

    Example configuration

    In this example, a list of MAC addresses is imported using the MAC address threat feed. The newly created threat feed is then used as a source in a firewall policy with the action set to accept. Any traffic from the client MAC addresses that match the defined firewall policy will be allowed.

    To configure a MAC address threat feed in the GUI:
    1. Go to Security Fabric > External Connectors and click Create New.
    2. In the Threat Feeds section, click MAC Address.
    3. Set the Name to MAC_List.
    4. Set the Update method to External Feed.
    5. Set the URL of external resource to http://172.16.200.55/external-resources/Ext-Resource-Type-as-Address-mac-1.txt.
    6. Configure the remaining settings as required, then click OK.
    7. Edit the connector, then click View Entries to view the MAC addresses in the feed.

    To configure a MAC address threat feed in the CLI:
    config system external-resource
    edit "MAC_List"
        set type mac-address 
        set resource "http://172.16.200.55/external-resources/Ext-Resource-Type-as-Address-mac-1.txt"
        set server-identity-check {none | basic | full}
    next
end
    Note

    To improve the security of the connection, it is recommended to enable server certificate validation (server-identity-check) either in basic or full mode. By default, it is set to none.
    To apply a MAC address threat feed in a firewall policy in the GUI:

    1. Go to Policy & Objects > Firewall Policy and create a new policy, or edit an existing one.

    2. Configure the policy fields as required.

    3. In the Source field, click the + and select MAC_List from the list (in the MAC ADDRESS FEED section).

    4. Set Action to ACCEPT.

    5. Click OK.

    To apply a MAC address threat feed in a firewall policy in the CLI:
    config firewall policy
    edit 1
        set name "MAC-traffic"
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set srcaddr "MAC_List"
        set dstaddr "all"
        set srcaddr6 "all"
        set dstaddr6 "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set profile-protocol-options "protocol"
        set nat enable
    next
end
    To verify the MAC addresses used in the firewall policy:
    # diagnose sys external-mac-resource list MAC_List
MAC ranges of uuid-idx 574 (num=1)
be:d1:6b:0d:20:61-be:d1:6b:0d:20:61
    Previous
    Next

    MAC address threat feed

    MAC address threat feed

    Note

    This information is also available in the FortiOS 7.4 Administration Guide:

    A MAC address threat feed is a dynamic list that contains MAC addresses, MAC ranges, and MAC OUIs. The list is periodically updated from an external server and stored in text file format on an external server. After the FortiGate imports this list, it can be used as a source in firewall policies, proxy policies, and ZTNA rules. For policies in transparent mode or virtual wire pair policies, the MAC address threat feed can be used as a source or destination address.

    Text file example:

    01:01:01:01:01:01
01:01:01:01:01:01-01:01:02:50:20:ff
8c:aa:b5

    The file contains one MAC address, MAC range, or MAC OUI per line.

    Example configuration

    In this example, a list of MAC addresses is imported using the MAC address threat feed. The newly created threat feed is then used as a source in a firewall policy with the action set to accept. Any traffic from the client MAC addresses that match the defined firewall policy will be allowed.

    To configure a MAC address threat feed in the GUI:
    1. Go to Security Fabric > External Connectors and click Create New.
    2. In the Threat Feeds section, click MAC Address.
    3. Set the Name to MAC_List.
    4. Set the Update method to External Feed.
    5. Set the URL of external resource to http://172.16.200.55/external-resources/Ext-Resource-Type-as-Address-mac-1.txt.
    6. Configure the remaining settings as required, then click OK.
    7. Edit the connector, then click View Entries to view the MAC addresses in the feed.

    To configure a MAC address threat feed in the CLI:
    config system external-resource
    edit "MAC_List"
        set type mac-address 
        set resource "http://172.16.200.55/external-resources/Ext-Resource-Type-as-Address-mac-1.txt"
        set server-identity-check {none | basic | full}
    next
end
    Note

    To improve the security of the connection, it is recommended to enable server certificate validation (server-identity-check) either in basic or full mode. By default, it is set to none.
    To apply a MAC address threat feed in a firewall policy in the GUI:

    1. Go to Policy & Objects > Firewall Policy and create a new policy, or edit an existing one.

    2. Configure the policy fields as required.

    3. In the Source field, click the + and select MAC_List from the list (in the MAC ADDRESS FEED section).

    4. Set Action to ACCEPT.

    5. Click OK.

    To apply a MAC address threat feed in a firewall policy in the CLI:
    config firewall policy
    edit 1
        set name "MAC-traffic"
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set srcaddr "MAC_List"
        set dstaddr "all"
        set srcaddr6 "all"
        set dstaddr6 "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set profile-protocol-options "protocol"
        set nat enable
    next
end
    To verify the MAC addresses used in the firewall policy:
    # diagnose sys external-mac-resource list MAC_List
MAC ranges of uuid-idx 574 (num=1)
be:d1:6b:0d:20:61-be:d1:6b:0d:20:61
    Previous
    Next