Can I deny/block a MAC address

L0 Member

Hello,

I have a PA-440 firewall with a rogue router that keeps popping up in the DHCP monitor. I wanted to know whether there is a way to block the MAC address of this rogue device, as it keeps causing issues.

Joe

3 REPLIES

Cyber Elite

Hello @joecastillo

Thanks for the post.

The firewall does not have an option to block a MAC address. If there is a switch in between, I would block it there by configuring a static MAC address table entry with a drop action. If that is not an option, then I can only think of creating a fake ARP entry on the firewall interface side: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGrCAK

Kind Regards

Pavel


Cyber Elite

@joecastillo,

Seems like a simple solution would be to create a static DHCP reservation (reserved address, if using the PA-440's DHCP server) for the router's MAC and just create a security rule at the top of your rulebase denying all traffic to/from that address.

I'd personally be taking care of this on the switch feeding this client if you can, however. Anything you do directly on the firewall is just going to be denying traffic to/from the router; it isn't going to prevent the router or anyone connected to it from communicating with other LAN hosts unless you're already taking care of that side of things. I'd be shutting down the associated switch port; when someone complains, you've found out who's doing it, and they'd need to remove it before the interface is turned back on. Good time to start thinking about NAC/802.1X, however.
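The reservation-plus-deny-rule approach in the reply above only holds the rogue router if that MAC never appears at any address other than the reserved one (a static IP on the rogue, or a second lease, slips past a rule keyed on the reserved IP). The script below is an added example, not code from this thread or from Palo Alto Networks: it normalizes MACs across the formats switches and firewalls print them in, finds MACs that are not on an allowlist, checks whether the rogue MAC is pinned to its reserved address across a DHCP lease snapshot and an ARP snapshot, and emits the PAN-OS configure-mode lines for the reservation and the two deny rules. The `ip mac` snapshot format, the allowlist, the MAC 00:11:22:33:44:55, the 10.0.10.0/24 addresses, the interface name `ethernet1/3` and the zone `trust` are all constructed for the example, and the PAN-OS `set`/`move` command syntax is written from memory as an assumption that you must verify with `?` completion on your own PAN-OS release before committing anything.

```python
"""Is an IP-based deny rule on the firewall actually pinning the rogue MAC?

Added example, not from the thread. Snapshot lines and addresses are constructed;
the PAN-OS command syntax is an assumption to verify on your release.
"""
import re
from collections import defaultdict

_NON_HEX = re.compile(r"[^0-9a-fA-F]")


def normalize_mac(mac: str) -> str:
    """Canonicalize 00-11-22-33-44-55 / 0011.2233.4455 / 00:11:22:33:44:55
    to lowercase colon form so switch, firewall and ARP outputs compare equal."""
    digits = _NON_HEX.sub("", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def parse_bindings(text: str) -> dict:
    """Parse 'ip mac' lines ('#' comments and blanks ignored) into mac -> {ips}.
    This line format is constructed for the example, not PA-440 output."""
    seen = defaultdict(set)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, mac = line.split()[:2]
        seen[normalize_mac(mac)].add(ip)
    return dict(seen)


def unknown_macs(bindings: dict, known_macs) -> list:
    """MACs present in the snapshot that are not on the allowlist."""
    known = {normalize_mac(m) for m in known_macs}
    return sorted(set(bindings) - known)


def assess_ip_block(rogue_mac: str, reserved_ip: str, *snapshots: dict) -> dict:
    """A deny rule keyed on reserved_ip covers the rogue only if its MAC never
    shows up at another address in any snapshot (static IP, second lease)."""
    mac = normalize_mac(rogue_mac)
    ips = set()
    for snap in snapshots:
        ips |= snap.get(mac, set())
    stray = sorted(ips - {reserved_ip})
    return {
        "rogue_mac": mac,
        "ips_seen": sorted(ips),
        "effective": bool(ips) and not stray,
        "uncovered_ips": stray,
    }


def panos_set_commands(interface: str, reserved_ip: str, rogue_mac: str,
                       zone: str, rule_prefix: str = "Deny-Rogue") -> list:
    """Configure-mode lines: reservation, deny from the address, deny to the
    address, and move both rules to the top. ASSUMED syntax; verify on-box."""
    mac = normalize_mac(rogue_mac)
    return [
        f"set network dhcp interface {interface} server reserved {reserved_ip} mac {mac}",
        f"set rulebase security rules {rule_prefix}-From from {zone} to any "
        f"source {reserved_ip} destination any application any service any action deny",
        f"set rulebase security rules {rule_prefix}-To from any to {zone} "
        f"source any destination {reserved_ip} application any service any action deny",
        f"move rulebase security rules {rule_prefix}-To top",
        f"move rulebase security rules {rule_prefix}-From top",
    ]


# Constructed sample data (not real output from any device).
KNOWN_MACS = ["aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"]
DHCP_LEASES = """
10.0.10.21 aa:bb:cc:dd:ee:01   # known workstation
10.0.10.22 aa:bb:cc:dd:ee:02   # known workstation
10.0.10.50 00:11:22:33:44:55   # the rogue router, on its reserved address
"""
ARP_TABLE = """
10.0.10.21 aabb.ccdd.ee01
10.0.10.50 0011.2233.4455
10.0.10.99 00-11-22-33-44-55   # same router also answering for a static address
"""


def run_check() -> dict:
    """Find the rogue, then decide whether a rule on 10.0.10.50 is enough."""
    dhcp = parse_bindings(DHCP_LEASES)
    arp = parse_bindings(ARP_TABLE)
    rogues = unknown_macs({**dhcp, **arp}, KNOWN_MACS)
    verdict = assess_ip_block(rogues[0], "10.0.10.50", dhcp, arp)
    verdict["commands"] = panos_set_commands("ethernet1/3", "10.0.10.50", rogues[0], "trust")
    return verdict


if __name__ == "__main__":
    result = run_check()
    print("rogue:", result["rogue_mac"], "seen at", result["ips_seen"])
    print("IP block effective:", result["effective"], "uncovered:", result["uncovered_ips"])
    print("\n".join(result["commands"]))
```

Run against the constructed snapshots, the check reports the rogue MAC at both 10.0.10.50 and 10.0.10.99, so the deny rule on the reserved address is not enough by itself; that is exactly the case the reply warns about, and the reason the switch port (or a static MAC drop entry, or 802.1X) is the more reliable fix. Feed the functions your own lease and ARP dumps converted to `ip mac` lines, and treat the generated commands as a starting point to check on the box, not as something to paste blindly.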

Thank you, I will give this a try.
