11-08-2022 04:14 PM
Hello,
I have a PA-440 firewall that has a rogue router that keeps popping up in the DHCP monitor. I was wanting to know if there is a way to block the mac address of this rogue device as it keeps causing issues.
Joe
11-09-2022 05:45 AM
Seems like a simple solution would be to create a static DHCP reservation (reserved address if using PA-440s DHCP server) for the router's MAC and just create a security rule at the top of your rulebase denying all traffic to/from that address.
I'd personally be taking care of this on the switch feeding this client if you can however. Anything you do directly on the firewall is just going to be denying traffic to/from the router, it isn't going to be preventing the router or anyone connected to it from communicating to other LAN hosts unless you're already taking care of that side of things. I'd be shutting down the associated switch port, when someone complains you've found out who's doing it and they'd need to remove it before the interface is turned back on. Good time to start thinking about NAC/802.1x however.
11-08-2022 10:44 PM
Hello @joecastillo
thanks for the post.
Firewall does not have an option to block MAC address. If there is a switch in between, I would block it there by configuring static MAC address table entry with drop action. If that is not the option, then I can only think of creating a fake ARP entry on Firewall Interface side: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGrCAK
Kind Regards
Pavel
11-09-2022 05:45 AM
Seems like a simple solution would be to create a static DHCP reservation (reserved address if using PA-440s DHCP server) for the router's MAC and just create a security rule at the top of your rulebase denying all traffic to/from that address.
I'd personally be taking care of this on the switch feeding this client if you can however. Anything you do directly on the firewall is just going to be denying traffic to/from the router, it isn't going to be preventing the router or anyone connected to it from communicating to other LAN hosts unless you're already taking care of that side of things. I'd be shutting down the associated switch port, when someone complains you've found out who's doing it and they'd need to remove it before the interface is turned back on. Good time to start thinking about NAC/802.1x however.
11-16-2022 07:34 PM
Thank you I will give this a try.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
