<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Can I deny/block a mac address in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/can-i-deny-block-a-mac-address/m-p/520726#M107927</link>
    <description>&lt;P&gt;Hello,&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I have a PA-440 firewall that has a rogue router that keeps popping up in the DHCP monitor. I was wanting to know if there is a way to block the MAC address of this rogue device as it keeps causing issues.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Joe&lt;/P&gt;</description>
    <pubDate>Wed, 09 Nov 2022 00:14:06 GMT</pubDate>
    <dc:creator>joecastillo</dc:creator>
    <dc:date>2022-11-09T00:14:06Z</dc:date>
    <item>
      <title>Can I deny/block a mac address</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/can-i-deny-block-a-mac-address/m-p/520726#M107927</link>
      <description>&lt;P&gt;Hello,&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I have a PA-440 firewall that has a rogue router that keeps popping up in the DHCP monitor. I was wanting to know if there is a way to block the MAC address of this rogue device as it keeps causing issues.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Joe&lt;/P&gt;</description>
      <pubDate>Wed, 09 Nov 2022 00:14:06 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/can-i-deny-block-a-mac-address/m-p/520726#M107927</guid>
      <dc:creator>joecastillo</dc:creator>
      <dc:date>2022-11-09T00:14:06Z</dc:date>
    </item>
    <item>
      <title>Re: Can I deny/block a mac address</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/can-i-deny-block-a-mac-address/m-p/520750#M107933</link>
      <description>&lt;P&gt;Hello&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/108733"&gt;@joecastillo&lt;/a&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thanks for the post.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The firewall does not have an option to block a MAC address. If there is a switch in between, I would block it there by configuring a static MAC address table entry with a drop action. If that is not an option, then I can only think of creating a fake ARP entry on the firewall interface side:&amp;nbsp;&lt;A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGrCAK" target="_blank"&gt;https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGrCAK&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Kind Regards&lt;/P&gt;
&lt;P&gt;Pavel&lt;/P&gt;</description>
      <pubDate>Wed, 09 Nov 2022 06:44:10 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/can-i-deny-block-a-mac-address/m-p/520750#M107933</guid>
      <dc:creator>PavelK</dc:creator>
      <dc:date>2022-11-09T06:44:10Z</dc:date>
    </item>
    <item>
      <title>Re: Can I deny/block a mac address</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/can-i-deny-block-a-mac-address/m-p/520785#M107948</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/108733"&gt;@joecastillo&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;Seems like a simple solution would be to create a static DHCP reservation (reserved address if using the PA-440's DHCP server) for the router's MAC and just create a security rule at the top of your rulebase denying all traffic to/from that address.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I'd personally be taking care of this on the switch feeding this client if you can, however. Anything you do directly on the firewall is just going to be denying traffic to/from the router; it isn't going to be preventing the router or anyone connected to it from communicating with other LAN hosts unless you're already taking care of that side of things. I'd be shutting down the associated switch port; when someone complains, you've found out who's doing it, and they'd need to remove it before the interface is turned back on. Good time to start thinking about NAC/802.1X, however.&lt;/P&gt;</description>
      <pubDate>Wed, 09 Nov 2022 13:45:16 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/can-i-deny-block-a-mac-address/m-p/520785#M107948</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2022-11-09T13:45:16Z</dc:date>
    </item>
    <item>
      <title>Re: Can I deny/block a mac address</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/can-i-deny-block-a-mac-address/m-p/521510#M108070</link>
      <description>&lt;P&gt;Thank you, I will give this a try.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 17 Nov 2022 03:34:50 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/can-i-deny-block-a-mac-address/m-p/521510#M108070</guid>
      <dc:creator>joecastillo</dc:creator>
      <dc:date>2022-11-17T03:34:50Z</dc:date>
    </item>
  </channel>
</rss>

