Please suggest about mac-address control

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Please suggest about mac-address control

L3 Networker

Hi expert ,

 

I would like to know about suggest mac-control because  my customer  use Fortinet which use device control   and I will replace and migrate  to Palo-alto if that possible about control this thing .

 

Thank you 

 

 

1 accepted solution

Accepted Solutions

L7 Applicator

Hi @Pattarachai

 

The short answer is: no this cannot be done the same way as on the fortinet. As already mentionned by @BPry there are other ways to achieve kind of the same with paloalto, but the main difference because this is not possible is that paloalto does not produce switching hardware, what fortinet does with dedicated switches and integrated switching modules on their UTM firewalls. It depends on how this is done today but this is a job for a switch (for what your customer now probably uses the fortinet, right?)

View solution in original post

5 REPLIES 5

Cyber Elite
Cyber Elite

@Pattarachai,

Like they're using mac-control to hand out IPs to their network on the Fortinet? It's been a while since I worked on anything Fortinet but I thought that this was on the Fortigate and it was specific to the wireless side of things, but that could have changed. 

Generally this is something that you would configure on the LAN via your switches; I'm not sure why someone would have ever configured this to work directly on the firewall unless this is a very small office. Regardless it's something that you can do on the firewall as long as the firewall is handing out the IP addresses, but there's a better way of doing this. Since the firewall can do user identification you can easily run GlobalProtect within the LAN and simply not allow any communication if the ip in question doesn't have an active user-mapping. 

 

If the customer is dead set on controlling things via a mac address then set it up correctly and do it on their switches, don't do it on the firewall. If you implement something like this on the firewall there isn't anything stopping someone from wreaking havic across a local switch, because they never have to go through the firewall to do so. 

L7 Applicator

Hi @Pattarachai

 

The short answer is: no this cannot be done the same way as on the fortinet. As already mentionned by @BPry there are other ways to achieve kind of the same with paloalto, but the main difference because this is not possible is that paloalto does not produce switching hardware, what fortinet does with dedicated switches and integrated switching modules on their UTM firewalls. It depends on how this is done today but this is a job for a switch (for what your customer now probably uses the fortinet, right?)

Hello,

I would suggest looking into user-id based access. I think it is a better method since it is more flexible. You can always use IP address and have the DHCP server check the mac's?

 

Just some thoughts.

L7 Applicator

Assuming Fortinet uses 802.1x controls for this you could replace that part with another vendor like Aruba and feed the associations over to the PAN device when they are created.

 

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Hi all

 

Currently, I suggest customer deploy User-ID-Agent already Thank you so much, everyone  for suggest to me 

 

  • 1 accepted solution
  • 4586 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!