Blocking by MAC Address

Hello!

Is there a way to block a MAC address in the WatchGuard without needing to add all "Trusted" MACs to the Trusted list (See here: https://watchguard.com/help/docs/help-center/envUS/Content/en-US/Fireware/networksetup/restrict_by_mac_c.html?Highlight=mac%20address

I feel there should be a way to change modes in the list to be "This list wil allow OR Block Traffic" if anything just like the subscription services.

If this isn't a feature already is there a feature request for it?

Thank you!

~T

Comments

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @Tristan_Colo
    Your link is broken -- do you mean this?
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/networksetup/restrict_by_mac_c.html

    For hardware network interfaces, this is only configurable as a whitelist. I wouldn't really suggest enabling this, as MACs are easily spoof-able on modern computers.

    If you're looking to block a specific MAC address without doing all of this, I'd suggest making a DHCP reservation for it, and using a policy to deny traffic from that IP.

    -James Carson
    WatchGuard Customer Support

  • > @James_Carson said:
    > Hi @Tristan_Colo
    > Your link is broken -- do you mean this?
    > https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/networksetup/restrict_by_mac_c.html
    >
    > For hardware network interfaces, this is only configurable as a whitelist. I wouldn't really suggest enabling this, as MACs are easily spoof-able on modern computers.
    >
    > If you're looking to block a specific MAC address without doing all of this, I'd suggest making a DHCP reservation for it, and using a policy to deny traffic from that IP.


    My bad for the bad link.... but your solution only works if the WatchGuard is the DHCP server.... in most cases in our client environments WatchGuard does not provide the DHCP setup.
  • Setting up a DHCP reservation and then blocking the IP addr provided by that DHCP reservation will work no matter what device is providing the DHCP reservations.

  • edited December 2020

    @Bruce_Briggs said:
    Setting up a DHCP reservation and then blocking the IP addr provided by that DHCP reservation will work no matter what device is providing the DHCP reservations.

    Yes but what if we are wanting to whitelist a MAC regardless of IP? IE To prevent the need of reprogramming a DHCP Lease?

    Sonicwall appears to have this capability.... it is surprising that WatchGuard has yet to do this.

    What if we want to blacklist a MAC Address? DHCP Leasing a untrusted device seems like it would lead to trouble...

  • "DHCP Leasing a untrusted device seems like it would lead to trouble..."
    How?

  • edited December 2020

    @Bruce_Briggs said:
    "DHCP Leasing a untrusted device seems like it would lead to trouble..."
    How?

    Because then that device gets an IP in a DHCP Pool... which to me is a problem especially if we have to make a bunch of block rules just for one IP or Alias full of Private IPs (as most DHCP networks are Trusted inherently so I'd have to make sure nothing could talk to it and vice versa)...

    It is a whole lot simpler if I can just give the firewall a MAC address to block from the get-go and not even let it get to the Layer 3 piece of getting an IP.

  • We are telling you of your options with this brand of firewall.
    If features of this firewall does not meet your needs, choose another which does.
    You can request changes to the current features, but there is no guarantee that they will ever be implemented or if they are, in any particular time frame.

Sign In to comment.