Managing “Bring Your Own Device”

Device groups

You can specify multiple device types in a security policy. As an alternative, you can add multiple device types to a custom device group and include the group in the policy. This enables you to create a different policy for devices that you know than for devices in general.

To create a custom device group and add devices to it

  1. Go to User & Device > Custom Devices & Groups.

The list of device groups is displayed.

  2. Select Create New > Device Group.
  3. Enter a Name for the new device group.
  4. Click in the Members field and click a device type to add. Repeat to add other devices.
  5. Select OK.

Controlling access with a MAC Address Access Control List

A MAC Address Access Control List (ACL) allows or blocks access on a network interface that includes a DHCP server. If the interface does not use DHCP, or if you want to limit network access to a larger group such as employee devices, it is better to create a device group and specify that group in your security policies. A MAC Address ACL functions as either a list of devices to block (allowing all other devices) or a list of devices to allow (blocking all other devices).

Allowed devices are assigned an IP address. The Assign IP action assigns the device an IP address from the DHCP range. In a list of allowed devices, you can also use the Reserve IP action to always provide a specific IP address to the device.

The Unknown MAC Address entry applies to “other” unknown, unlisted devices. Its action must be opposite to that of the other entries. In an allow list, it must block. In a block list, it must allow.

To create a MAC Address ACL to allow only specific devices

  1. Go to the SSID or network interface configuration.
  2. In the DHCP Server section, expand Advanced. DHCP Server must be enabled.
  3. In MAC Reservation + Access Control, select Create New and enter an allowed device’s MAC Address.
  4. In the IP or Action column, select one of:
     - Assign IP — device is assigned an IP address from the DHCP server address range.
     - Reserve IP — device is assigned the IP address that you specify.

  5. Repeat Steps 3 and 4 for each additional MAC address entry.
  6. Set the Unknown MAC Address entry IP or Action to Block. Devices not in the list will be blocked.
  7. Select OK.

To create a MAC Address ACL to block specific devices

  1. Go to the SSID or network interface configuration.
  2. In the DHCP Server section, expand Advanced. DHCP Server must be enabled.
  3. In MAC Reservation + Access Control, select Create New and enter the MAC Address of a device that must be blocked.
  4. In the IP or Action column, select Block.
  5. Repeat Steps 3 and 4 for each device that must be blocked.
  6. Set the Unknown MAC Address entry IP or Action to Assign IP. Devices not in the list will be assigned IP addresses.
  7. Select OK.
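The two procedures above differ only in which way round the Unknown MAC Address entry is set. The following is an added example, not FortiGate code or anything from this guide: a small Python model of the MAC Reservation + Access Control table that evaluates DHCP requests under the allow-list and block-list configurations, normalises MAC notation before lookup, keeps Reserve IP addresses out of the dynamic pool, and checks the rule that the Unknown entry's action must be the opposite of the listed entries. The MAC addresses and the 10.0.0.10-10.0.0.12 range are constructed values.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

# The three actions available in the "IP or Action" column (names are this model's own).
ASSIGN_IP, RESERVE_IP, BLOCK = "assign", "reserve", "block"


def normalize_mac(mac: str) -> str:
    """Canonicalise a MAC so 'AA-BB-CC-DD-EE-01' and 'aabb.ccdd.ee01' compare equal."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class MacAcl:
    """Model of the 'MAC Reservation + Access Control' table on a DHCP-enabled interface."""
    range_start: IPv4Address            # DHCP server address range
    range_end: IPv4Address
    unknown_action: str                 # action of the 'Unknown MAC Address' entry
    entries: Dict[str, Tuple[str, Optional[IPv4Address]]] = field(default_factory=dict)
    leases: Dict[str, IPv4Address] = field(default_factory=dict)

    def add(self, mac: str, action: str, reserved_ip: Optional[str] = None) -> None:
        """Add one row: Assign IP, Reserve IP (with the address) or Block."""
        if action == RESERVE_IP and reserved_ip is None:
            raise ValueError("Reserve IP needs an address")
        ip = IPv4Address(reserved_ip) if reserved_ip else None
        if ip is not None and not (self.range_start <= ip <= self.range_end):
            raise ValueError(f"{ip} is outside the DHCP range")
        self.entries[normalize_mac(mac)] = (action, ip)

    def validate(self) -> List[str]:
        """The Unknown entry must be the opposite of the listed entries (allow list vs block list)."""
        problems = []
        if self.unknown_action not in (ASSIGN_IP, BLOCK):
            problems.append("Unknown MAC Address entry must be Assign IP or Block")
        for mac, (action, _) in self.entries.items():
            is_block_list = self.unknown_action == ASSIGN_IP
            if is_block_list != (action == BLOCK):
                problems.append(f"{mac}: action '{action}' is not the opposite of "
                                f"the Unknown entry's '{self.unknown_action}'")
        return problems

    def _next_free(self) -> IPv4Address:
        """First pool address that is neither reserved for a listed device nor already leased."""
        reserved = {ip for _, ip in self.entries.values() if ip is not None}
        taken = reserved | set(self.leases.values())
        ip = self.range_start
        while ip <= self.range_end:
            if ip not in taken:
                return ip
            ip += 1
        raise RuntimeError("DHCP pool exhausted")

    def request(self, mac: str) -> Optional[IPv4Address]:
        """Evaluate one DHCP request: the address handed out, or None when the device is blocked."""
        mac = normalize_mac(mac)
        action, reserved = self.entries.get(mac, (self.unknown_action, None))
        if action == BLOCK:
            return None
        if action == RESERVE_IP:
            self.leases[mac] = reserved
            return reserved
        if mac not in self.leases:          # Assign IP: hand out a free pool address once
            self.leases[mac] = self._next_free()
        return self.leases[mac]


def allow_list_example() -> MacAcl:
    """'Allow only specific devices': listed devices get addresses, Unknown = Block."""
    acl = MacAcl(IPv4Address("10.0.0.10"), IPv4Address("10.0.0.12"), unknown_action=BLOCK)
    acl.add("AA-BB-CC-DD-EE-01", ASSIGN_IP)                 # constructed MAC addresses
    acl.add("aa:bb:cc:dd:ee:02", RESERVE_IP, "10.0.0.11")
    return acl


def block_list_example() -> MacAcl:
    """'Block specific devices': listed devices are blocked, Unknown = Assign IP."""
    acl = MacAcl(IPv4Address("10.0.0.10"), IPv4Address("10.0.0.12"), unknown_action=ASSIGN_IP)
    acl.add("aa:bb:cc:dd:ee:03", BLOCK)
    return acl


if __name__ == "__main__":
    acl = allow_list_example()
    print("allow list problems:", acl.validate())
    for mac in ("aa:bb:cc:dd:ee:01", "AABB.CCDD.EE02", "aa:bb:cc:dd:ee:99"):
        print(mac, "->", acl.request(mac))
```

Running `validate()` before the table goes live catches the misconfiguration the guide warns about: a table whose Unknown entry is Assign IP but whose listed entries are also Assign IP allows everything, so the list is not restricting anything.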
This entry was posted in Administration Guides, FortiGate.

About Mike

Michael Pruett, CISSP, has a wide range of cyber-security and network engineering expertise. A major pet peeve of Michael's is the plethora of vendors that resell hardware but have zero engineering knowledge, resulting in the wrong hardware or configuration being deployed. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. He owns PacketLlama.Com (Fortinet hardware sales) and Office Of The CISO, LLC (a cybersecurity consulting firm).
