Fortinet white logo
Fortinet white logo

Administration Guide

MAC address threat feed

MAC address threat feed

A MAC address threat feed is a dynamic list that contains MAC addresses, MAC ranges, and MAC OUIs. The list is periodically updated from an external server and stored in text file format on an external server. After the FortiGate imports this list, it can be used as a source in firewall policies, proxy policies, and ZTNA rules. For policies in transparent mode or virtual wire pair policies, the MAC address threat feed can be used as a source or destination address.

Text file example:

01:01:01:01:01:01
01:01:01:01:01:01-01:01:02:50:20:ff
8c:aa:b5

The file contains one MAC address, MAC range, or MAC OUI per line. See External resources file format for more information about the MAC list formatting style.

Example configuration

In this example, a list of MAC addresses is imported using the MAC address threat feed. The newly created threat feed is then used as a source in a firewall policy with the action set to accept. Any traffic from the client MAC addresses that match the defined firewall policy will be allowed.

To configure a MAC address threat feed in the GUI:
  1. Go to Security Fabric > External Connectors and click Create New.
  2. In the Threat Feeds section, click MAC Address.
  3. Set the Name to MAC_List.
  4. Set the Update method to External Feed.
  5. Set the URL of external resource to http://172.16.200.55/external-resources/Ext-Resource-Type-as-Address-mac-1.txt.
  6. Configure the remaining settings as required, then click OK.
  7. Edit the connector, then click View Entries to view the MAC addresses in the feed.

To configure a MAC address threat feed in the CLI:
config system external-resource
    edit "MAC_List"
        set type mac-address 
        set resource "http://172.16.200.55/external-resources/Ext-Resource-Type-as-Address-mac-1.txt"
        set server-identity-check {none | basic | full}
    next
end
Note

To improve the security of the connection, it is recommended to enable server certificate validation (server-identity-check) either in basic or full mode. By default, it is set to none.

To apply a MAC address threat feed in a firewall policy in the GUI:
  1. Go to Policy & Objects > Firewall Policy and create a new policy, or edit an existing one.

  2. Configure the policy fields as required.

  3. In the Source field, click the + and select MAC_List from the list (in the MAC ADDRESS FEED section).

  4. Set Action to ACCEPT.

  5. Click OK.

To apply a MAC address threat feed in a firewall policy in the CLI:
config firewall policy
    edit 1
        set name "MAC-traffic"
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set srcaddr "MAC_List"
        set dstaddr "all"
        set srcaddr6 "all"
        set dstaddr6 "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set profile-protocol-options "protocol"
        set nat enable
    next
end
To verify the MAC addresses used in the firewall policy:
# diagnose sys external-mac-resource list MAC_List
MAC ranges of uuid-idx 574 (num=1)
be:d1:6b:0d:20:61-be:d1:6b:0d:20:61

MAC address threat feed

MAC address threat feed

A MAC address threat feed is a dynamic list that contains MAC addresses, MAC ranges, and MAC OUIs. The list is periodically updated from an external server and stored in text file format on an external server. After the FortiGate imports this list, it can be used as a source in firewall policies, proxy policies, and ZTNA rules. For policies in transparent mode or virtual wire pair policies, the MAC address threat feed can be used as a source or destination address.

Text file example:

01:01:01:01:01:01
01:01:01:01:01:01-01:01:02:50:20:ff
8c:aa:b5

The file contains one MAC address, MAC range, or MAC OUI per line. See External resources file format for more information about the MAC list formatting style.

Example configuration

In this example, a list of MAC addresses is imported using the MAC address threat feed. The newly created threat feed is then used as a source in a firewall policy with the action set to accept. Any traffic from the client MAC addresses that match the defined firewall policy will be allowed.

To configure a MAC address threat feed in the GUI:
  1. Go to Security Fabric > External Connectors and click Create New.
  2. In the Threat Feeds section, click MAC Address.
  3. Set the Name to MAC_List.
  4. Set the Update method to External Feed.
  5. Set the URL of external resource to http://172.16.200.55/external-resources/Ext-Resource-Type-as-Address-mac-1.txt.
  6. Configure the remaining settings as required, then click OK.
  7. Edit the connector, then click View Entries to view the MAC addresses in the feed.

To configure a MAC address threat feed in the CLI:
config system external-resource
    edit "MAC_List"
        set type mac-address 
        set resource "http://172.16.200.55/external-resources/Ext-Resource-Type-as-Address-mac-1.txt"
        set server-identity-check {none | basic | full}
    next
end
Note

To improve the security of the connection, it is recommended to enable server certificate validation (server-identity-check) either in basic or full mode. By default, it is set to none.

To apply a MAC address threat feed in a firewall policy in the GUI:
  1. Go to Policy & Objects > Firewall Policy and create a new policy, or edit an existing one.

  2. Configure the policy fields as required.

  3. In the Source field, click the + and select MAC_List from the list (in the MAC ADDRESS FEED section).

  4. Set Action to ACCEPT.

  5. Click OK.

To apply a MAC address threat feed in a firewall policy in the CLI:
config firewall policy
    edit 1
        set name "MAC-traffic"
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set srcaddr "MAC_List"
        set dstaddr "all"
        set srcaddr6 "all"
        set dstaddr6 "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set profile-protocol-options "protocol"
        set nat enable
    next
end
To verify the MAC addresses used in the firewall policy:
# diagnose sys external-mac-resource list MAC_List
MAC ranges of uuid-idx 574 (num=1)
be:d1:6b:0d:20:61-be:d1:6b:0d:20:61