Whitelist an external MAC address

Firebox M370 FW 12.8.2 WSM 12.9

We're working with a 3rd party company that is helping us get FTC compliant with the new Car Dealership regulations.
As part of that we were given a device that does PEN testing and Vulnerability Assessments on our network.

To make that work correctly I was asked to Whitelist the MAC address of their 'attack node' server.
How do I go about whitelisting an external MAC address?

Comments

  • You can't.
    You can set up a Blocked Sites Exception for an IP addr.

  • Thanks Bruce!
    I couldn't see any way of doing it but I had to make sure and ask.

    I have multiple VLANs they need to test and I have one that just won't run to completion.
    My logs don't show any failed / denied connections and their suggestion was the whitelisted MAC.
    I'm going to compare my logs of the failed tests to a completed test to see if anything stands out.

    Thanks again!

  • james.carsonjames.carson Moderator, WatchGuard Representative

    @bford
    I'd suggest asking them for clarification. If they're asking you to specifically whitelist a MAC address for a device that's not on the same subnet as your device or your upstream ISP's device, it's not actually possible to do that on any gear, WatchGuard or no.

    In TCP/IP, MAC addresses are used to talk to local devices on the same network. If your network is 10.0.0.0/24 (for example) a computer with the IP 10.0.0.100 would talk to 10.0.0.101 via an ARP (to get the device's MAC address) and then directly to each other that way.

    Your firebox similarly talks to your upstream ISP device that way. It ARPs to get the MAC of the default gateway IP, and sends traffic to that device.

    For external inbound connections, the only MAC address you will see is that ISP device directly upstream of you.

    I would suggest whitelisting by FQDN (via blocked sites exceptions) if they are willing to provide a FQDN for you to use. If not, you can also use an IP address.

    If they insist on "whitelisting an external MAC address" that is not specifically your upstream ISP device's MAC, they don't know what they're talking about.

    -James Carson
    WatchGuard Customer Support

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Additionally, prior to any scanning, I would suggest upgrading your firewall to the latest version of Fireware. (At the time I posted this, latest version for that device is 12.10.3.) There's a number of security fixes since 12.8.2 that will likely get picked up by whatever scanning service you're using.

    -James Carson
    WatchGuard Customer Support

  • @james.carson
    Thank you for your responses, I appreciate the insights.

Sign In to comment.