MAC address threat feed
A MAC address threat feed is a dynamic list that contains MAC addresses, MAC ranges, and MAC OUIs. The list is stored in text file format on an external server and is periodically updated from that server. After the FortiGate imports this list, it can be used as a source in firewall policies, proxy policies, and ZTNA rules. For policies in transparent mode or virtual wire pair policies, the MAC address threat feed can be used as a source or destination address.
Text file example:
01:01:01:01:01:01
01:01:01:01:01:01-01:01:02:50:20:ff
8c:aa:b5
The file contains one MAC address, MAC range, or MAC OUI per line. See External resources file format for more information about the MAC list formatting style.
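A pre-publication check for the feed file format described above, as an added example that is not Fortinet code: it accepts the three entry forms, rejects anything else, and reports how many addresses each entry covers so that an over-broad range is noticed before the feed is used as the source of an accept policy. Expanding an OUI to its full 24-bit suffix range and skipping blank lines are assumptions of this example; `SAMPLE` is constructed from the page's example lines plus two deliberately bad entries.

```python
import re

# One entry per line: a full MAC, a MAC range (low-high), or a 3-octet OUI.
_MAC = r"[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5}"
_OUI = r"[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){2}"
_ENTRY = re.compile(rf"^(?:(?P<lo>{_MAC})-(?P<hi>{_MAC})|(?P<mac>{_MAC})|(?P<oui>{_OUI}))$")

# Constructed sample: the page's three example lines, then two invalid entries.
SAMPLE = """\
01:01:01:01:01:01
01:01:01:01:01:01-01:01:02:50:20:ff
8c:aa:b5
8c:aa:b5:zz:00:01
02:00:00:00:00:ff-02:00:00:00:00:01
"""

def _to_int(mac):
    return int(mac.replace(":", ""), 16)

def _to_mac(value):
    raw = f"{value:012x}"
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))

def parse_feed(text):
    """Return (ranges, errors); ranges are inclusive (low, high) integer pairs."""
    ranges, errors = [], []
    for number, line in enumerate(text.splitlines(), start=1):
        entry = line.strip()
        if not entry:  # assumption: blank lines are ignored
            continue
        m = _ENTRY.match(entry)
        if not m:
            errors.append((number, entry, "not a MAC, MAC range, or OUI"))
        elif m["oui"]:  # assumption: an OUI covers every 24-bit suffix
            low = _to_int(m["oui"]) << 24
            ranges.append((low, low | 0xFFFFFF))
        elif m["mac"]:  # a single MAC is a range of one address
            ranges.append((_to_int(m["mac"]),) * 2)
        elif _to_int(m["lo"]) > _to_int(m["hi"]):
            errors.append((number, entry, "range start is above range end"))
        else:
            ranges.append((_to_int(m["lo"]), _to_int(m["hi"])))
    return ranges, errors

def summary(ranges):
    """Render each range as 'low-high' with the number of addresses it admits."""
    return [(f"{_to_mac(lo)}-{_to_mac(hi)}", hi - lo + 1) for lo, hi in ranges]

def covers(ranges, mac):
    return any(low <= _to_int(mac) <= high for low, high in ranges)
```

Review the counts from `summary()` before publishing the file: in the sample, the second line admits about 22 million addresses and the OUI line about 16.8 million.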
Example configuration
In this example, a list of MAC addresses is imported using the MAC address threat feed. The newly created threat feed is then used as a source in a firewall policy with the action set to accept. Any traffic from the client MAC addresses that match the defined firewall policy will be allowed.
To configure a MAC address threat feed in the GUI:
- Go to Security Fabric > External Connectors and click Create New.
- In the Threat Feeds section, click MAC Address.
- Set the Name to MAC_List.
- Set the Update method to External Feed.
- Set the URL of external resource to http://172.16.200.55/external-resources/Ext-Resource-Type-as-Address-mac-1.txt.
- Configure the remaining settings as required, then click OK.
- Edit the connector, then click View Entries to view the MAC addresses in the feed.
To configure a MAC address threat feed in the CLI:
config system external-resource
    edit "MAC_List"
        set type mac-address
        set resource "http://172.16.200.55/external-resources/Ext-Resource-Type-as-Address-mac-1.txt"
        set server-identity-check {none | basic | full}
    next
end
To improve the security of the connection, it is recommended to enable server certificate validation ( |
To apply a MAC address threat feed in a firewall policy in the GUI:
- Go to Policy & Objects > Firewall Policy and create a new policy, or edit an existing one.
- Configure the policy fields as required.
- In the Source field, click the + and select MAC_List from the list (in the MAC ADDRESS FEED section).
- Set Action to ACCEPT.
- Click OK.
To apply a MAC address threat feed in a firewall policy in the CLI:
config firewall policy
    edit 1
        set name "MAC-traffic"
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set srcaddr "MAC_List"
        set dstaddr "all"
        set srcaddr6 "all"
        set dstaddr6 "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set profile-protocol-options "protocol"
        set nat enable
    next
end
To verify the MAC addresses used in the firewall policy:
# diagnose sys external-mac-resource list MAC_List
MAC ranges of uuid-idx 574 (num=1)
be:d1:6b:0d:20:61-be:d1:6b:0d:20:61