MAC address filter and DHCP enforced...

Hi!

Is it possible to create Policies based on MAC address instead of IP addresses?

Also, can we enforce a DHCP-clients-only mode?  Meaning that the firewall only allows those who obtained IPs from the DHCP server.  It seems DD-WRT has a DHCP-Authoritative option:

http://www.dd-wrt.com/phpBB2/viewtopic.php?p=650805

thx!


L6 Presenter

Regarding your first question, a workaround might be to use a static ARP entry for each IP. But this will fail if a particular client can get different IPs depending on when it connected physically to your network.

And I don't think PA currently supports a mapping between the internal DHCP server and security rules; you might need to contact your sales rep to file this as a feature request.

As a side note, I strongly believe that these kinds of operations should be taken care of by the network itself and not the firewall.

Meaning that you should use DHCP snooping (along with option 82 and dynamic ACLs, which means that the DHCP snooping in your switch will set up an ACL to only allow the IP which the DHCP server told the client to use on a particular interface), preferably along with protected VLANs (to isolate clients from each other).

This way, if a client that doesn't use DHCP connects to your switch, it won't be able to speak to anyone. For those clients that connect and get an IP address, only this IP (per interface) will be able to communicate with your PAN (assuming your design is PAN <-> switch <-> clients).
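The scheme described in the reply above (DHCP snooping on the access switch, option 82 inserted into client requests, and a per-port filter built from the leases the real server hands out) as a small simulation. This is an added example, not code from the thread or from any switch vendor: the `SnoopingSwitch` and `Frame` classes, the port names, MACs and addresses are all constructed for illustration, and real switches do more than this (lease expiry, DHCP rate limiting, optional MAC matching).

```python
"""Toy model of DHCP snooping + option 82 + a per-port IP source filter.

Constructed illustration of the switch-side enforcement described in the
thread; not vendor code. Ports, MACs and addresses are made up.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Frame:
    port: str             # ingress switch port, e.g. "Gi1/0/1"
    src_mac: str
    src_ip: str           # "0.0.0.0" while the client holds no lease
    kind: str             # "dhcp_discover", "dhcp_ack" or "data"
    chaddr: str = ""      # DHCP client hardware address (DHCP frames only)
    yiaddr: str = ""      # address the server assigns (dhcp_ack only)
    option82: tuple = ()  # (switch_id, port) relay-agent info once inserted


class SnoopingSwitch:
    """Untrusted access ports plus trusted uplink(s) toward the DHCP server."""

    def __init__(self, switch_id, trusted_ports):
        self.switch_id = switch_id
        self.trusted = set(trusted_ports)
        self.pending = {}    # chaddr -> access port that sent the DISCOVER
        self.bindings = {}   # (port, mac) -> ip, learned from server ACKs

    def ingress(self, f):
        """Return (action, reason, frame_out); action is 'forward' or 'drop'."""
        if f.port in self.trusted:
            # Only the trusted side may carry DHCP server messages, and those
            # are what populate the binding table ("dynamic ACL" per port).
            if f.kind == "dhcp_ack":
                client_port = self.pending.pop(f.chaddr, None)
                if client_port is None:
                    return "drop", "ACK for a client this switch never saw", f
                self.bindings[(client_port, f.chaddr)] = f.yiaddr
                return "forward", f"learned {f.yiaddr} on {client_port}", f
            return "forward", "trusted port", f

        # Untrusted side: clients only.
        if f.kind == "dhcp_ack":
            return "drop", "DHCP server message on untrusted port", f
        if f.kind == "dhcp_discover":
            # Remember who asked on which port and tag the request with
            # option 82 so the relay/server can see the ingress port.
            self.pending[f.chaddr] = f.port
            tagged = replace(f, option82=(self.switch_id, f.port))
            return "forward", "option 82 inserted", tagged
        # Plain traffic is forwarded only if this IP was leased to this MAC
        # on this port. Static-IP hosts and spoofed sources have no binding.
        if self.bindings.get((f.port, f.src_mac)) == f.src_ip:
            return "forward", "matches snooping binding", f
        return "drop", "no binding for this IP on this port", f


def run_scenario():
    """Constructed sequence of frames; returns the list of actions taken."""
    sw = SnoopingSwitch("sw1", trusted_ports={"Gi1/0/24"})
    a, b, rogue = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02", "cc:cc:cc:00:00:03"
    frames = [
        # 1. Client A asks for a lease: forwarded with option 82 added.
        Frame("Gi1/0/1", a, "0.0.0.0", "dhcp_discover", chaddr=a),
        # 2. Real server behind the trusted uplink answers: binding learned.
        Frame("Gi1/0/24", "00:00:5e:00:53:01", "10.0.0.1", "dhcp_ack",
              chaddr=a, yiaddr="10.0.0.11"),
        # 3. A uses its leased address: forwarded.
        Frame("Gi1/0/1", a, "10.0.0.11", "data"),
        # 4. A spoofs another address: dropped.
        Frame("Gi1/0/1", a, "10.0.0.99", "data"),
        # 5. B configured a static IP and never did DHCP: dropped.
        Frame("Gi1/0/2", b, "10.0.0.50", "data"),
        # 6. Rogue DHCP server on an access port: its ACK is dropped.
        Frame("Gi1/0/2", rogue, "10.0.0.250", "dhcp_ack",
              chaddr=b, yiaddr="10.0.0.50"),
        # 7. A's lease used from a different port: bindings are per port.
        Frame("Gi1/0/5", a, "10.0.0.11", "data"),
    ]
    return [sw.ingress(f)[0] for f in frames]


if __name__ == "__main__":
    for i, action in enumerate(run_scenario(), 1):
        print(i, action)
```

Steps 5 and 7 are the two cases the reply cares about: a host that never obtained a lease gets nothing through, and a leased address only works on the port it was leased on. The isolation between clients (protected ports or private VLANs) is a separate switch feature and is not modelled here.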

Thank you for the prompt reply.

Do you think that if we use a VLAN and tag setup on the firewall together with an L3 switch with the same VLAN and tag configuration, we will be able to do similar access control using MAC?

Retired Member

PAN devices cannot have rules based on MAC addresses per se. The session flow key is the following six-tuple:

  • Source IP
  • Source port
  • Destination IP
  • Destination port
  • Protocol
  • Zone

Having said that, in L3 mode there is no way to have security rules act based on MAC address. In L2 mode it will depend on L2 forwarding based on MAC address. In general, if you need to do any sort of filtering of MAC addresses, this really needs to be done on L2 devices. That means the switch, and not the PA, which looks at L3 and up.

-Richard

  • 6326 Views
  • 3 replies
  • 0 Likes