Please suggest about mac-address control


Please suggest about mac-address control

L3 Networker

Hi expert ,

 

I would like to ask for suggestions about MAC control, because my customer uses Fortinet, which has device control, and I will replace it and migrate to Palo Alto if it is possible to control this there.

 

Thank you 

 

 


Cyber Elite

@Pattarachai,

Like they're using mac-control to hand out IPs to their network on the Fortinet? It's been a while since I worked on anything Fortinet but I thought that this was on the Fortigate and it was specific to the wireless side of things, but that could have changed. 

Generally this is something that you would configure on the LAN via your switches; I'm not sure why someone would have ever configured this to work directly on the firewall unless this is a very small office. Regardless it's something that you can do on the firewall as long as the firewall is handing out the IP addresses, but there's a better way of doing this. Since the firewall can do user identification you can easily run GlobalProtect within the LAN and simply not allow any communication if the ip in question doesn't have an active user-mapping. 

 

If the customer is dead set on controlling things via a MAC address then set it up correctly and do it on their switches, don't do it on the firewall. If you implement something like this on the firewall there isn't anything stopping someone from wreaking havoc across a local switch, because they never have to go through the firewall to do so.
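As an added illustration of the two points in this reply (an active User-ID mapping as the allow condition, and the fact that same-segment traffic never reaches the firewall), here is a small policy simulator. It is example code written for this thread, not code from the poster or from Palo Alto Networks; the IP-to-user table, the subnet and the flows are constructed sample values, and the "one LAN subnet behind the firewall" topology is an assumption.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample data: a LAN segment whose gateway is the firewall,
# and the current User-ID IP-to-user mappings (as a firewall would hold them).
LAN = ip_network("10.1.1.0/24")
USER_MAPPINGS = {
    "10.1.1.10": "alice",
    "10.1.1.11": "bob",
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str


def traverses_firewall(flow: Flow, lan=LAN) -> bool:
    """Traffic between two hosts on the same segment is switched locally and
    never hits the gateway, so a firewall rule cannot act on it."""
    return not (ip_address(flow.src) in lan and ip_address(flow.dst) in lan)


def evaluate(flow: Flow, mappings=USER_MAPPINGS, lan=LAN) -> str:
    """Return the outcome for one flow under a 'known user required' policy."""
    if not traverses_firewall(flow, lan):
        # Enforcement for this case has to live on the switch (802.1X, port
        # security), not on the firewall.
        return "switched-locally:firewall-not-involved"
    user = mappings.get(flow.src)
    if user is None:
        return "deny:no-user-mapping"
    return f"allow:{user}"


def evaluate_all(flows, mappings=USER_MAPPINGS, lan=LAN) -> dict:
    """Evaluate a batch of flows and return {flow: outcome}."""
    return {f: evaluate(f, mappings, lan) for f in flows}


if __name__ == "__main__":
    sample = [
        Flow("10.1.1.10", "203.0.113.5"),   # mapped user going out: allowed
        Flow("10.1.1.50", "203.0.113.5"),   # unmapped host going out: denied
        Flow("10.1.1.50", "10.1.1.10"),     # host-to-host on the LAN: never seen
    ]
    for flow, outcome in evaluate_all(sample).items():
        print(f"{flow.src} -> {flow.dst}: {outcome}")
```

The third flow is the one the reply warns about: whatever the firewall policy says, a host on the local switch reaches its neighbours without crossing the gateway, which is why MAC-based or user-based gating of intra-LAN traffic belongs on the switch.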

L7 Applicator

Hi @Pattarachai

 

The short answer is: no, this cannot be done the same way as on the Fortinet. As already mentioned by @BPry there are other ways to achieve kind of the same with Palo Alto, but the main difference, and the reason this is not possible, is that Palo Alto does not produce switching hardware, which Fortinet does with dedicated switches and integrated switching modules on their UTM firewalls. It depends on how this is done today, but this is a job for a switch (for which your customer now probably uses the Fortinet, right?)

Hello,

I would suggest looking into User-ID based access. I think it is a better method since it is more flexible. You can always use the IP address and have the DHCP server check the MACs?

 

Just some thoughts.

L7 Applicator

Assuming Fortinet uses 802.1x controls for this you could replace that part with another vendor like Aruba and feed the associations over to the PAN device when they are created.

 

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Hi all

 

Currently, I have already suggested that the customer deploy the User-ID Agent. Thank you so much, everyone, for your suggestions.

 
