topic Please suggest about mac-address control in General Topics

Please suggest about mac-address control

Pattarachai — Wed, 13 Jun 2018 08:48:26 GMT

Hi expert ,

I would like to know about suggest mac-control because my customer use Fortinet which use device control and I will replace and migrate to Palo-alto if that possible about control this thing .

Thank you

Re: Please suggest about mac-address control

BPry — Wed, 13 Jun 2018 13:21:03 GMT

@Pattarachai,

Like they're using mac-control to hand out IPs to their network on the Fortinet? It's been a while since I worked on anything Fortinet but I thought that this was on the Fortigate and it was specific to the wireless side of things, but that could have changed.

Generally this is something that you would configure on the LAN via your switches; I'm not sure why someone would have ever configured this to work directly on the firewall unless this is a very small office. Regardless it's something that you can do on the firewall as long as the firewall is handing out the IP addresses, but there's a better way of doing this. Since the firewall can do user identification you can easily run GlobalProtect within the LAN and simply not allow any communication if the ip in question doesn't have an active user-mapping.

If the customer is dead set on controlling things via a mac address then set it up correctly and do it on their switches, don't do it on the firewall. If you implement something like this on the firewall there isn't anything stopping someone from wreaking havic across a local switch, because they never have to go through the firewall to do so.

Re: Please suggest about mac-address control

Remo — Wed, 13 Jun 2018 15:51:12 GMT

Hi @Pattarachai

The short answer is: no this cannot be done the same way as on the fortinet. As already mentionned by @BPry there are other ways to achieve kind of the same with paloalto, but the main difference because this is not possible is that paloalto does not produce switching hardware, what fortinet does with dedicated switches and integrated switching modules on their UTM firewalls. It depends on how this is done today but this is a job for a switch (for what your customer now probably uses the fortinet, right?)

Re: Please suggest about mac-address control

OtakarKlier — Fri, 15 Jun 2018 14:22:46 GMT

Hello,

I would suggest looking into user-id based access. I think it is a better method since it is more flexible. You can always use IP address and have the DHCP server check the mac's?

Just some thoughts.

Re: Please suggest about mac-address control

pulukas — Sat, 16 Jun 2018 14:54:45 GMT

Assuming Fortinet uses 802.1x controls for this you could replace that part with another vendor like Aruba and feed the associations over to the PAN device when they are created.

Re: Please suggest about mac-address control

Pattarachai — Wed, 20 Jun 2018 02:34:28 GMT

Hi all

Currently, I suggest customer deploy User-ID-Agent already Thank you so much, everyone for suggest to me