
Multiple Locations MAC-Filtering

Hi all,

hopefully a simple question: Can you centralize the host lists when using only static MAC mappings for DHCP leases in multiple locations?

Basically I set up the DHCP in a testlab to prevent connections of private/unwanted devices.
To do so I am using the option "Clients with static mappings only" within the DHCP server settings on a SG115.
Working fine.

Now we have the simple "problem" that some users are traveling a lot and need DHCP-leases in a random office.
A little exaggerated and simplified but pretty close to the truth.

So I am looking for a simple solution where I need to implement a change only once and can copy/push/pull it to the other firewalls, or similar.
Otherwise we would have to take care of more than a dozen sites with regular changes.
It would only be a matter of time until something goes wrong, even if it is only a mistyped MAC address.

Is there anything like that?
I guess the answer is "no" but it doesn't hurt to ask :)

Further information:
All sites will be connected by site2site IPSEC tunnels.
RED tunnels are not a viable option.



  • You COULD sync host definitions with a SUM, but that would also include the network part of the IP-addresses that will hopefully vary from site to site.

    Only way to solve that would be using the same network range in all sites and working with NAT for the IPSEC tunnels.

    I would prefer copying the mac addresses to a new host rather than doing the NAT thing. ;-)

    Maybe there is a way of using the RESTful API to change a host object on all UTMs based on its MAC address or name, but I never did anything with that.

    Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner
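To make the RESTful API idea above concrete, here is an added example (not code from this thread or from Sophos): a small Python script that keeps one central name-to-MAC list, normalises and validates every MAC so a typo never reaches a firewall, and reconciles it against the host objects fetched from each UTM. The path `/api/objects/network/host/`, the `_ref`/`name`/`macs` fields and the token-as-Basic-auth convention are assumptions about the UTM 9 REST API; check them against `/api/definitions` on your own UTM, and fetch `remote` with a GET on that path.

```python
import base64
import json
import re
import urllib.request

# Assumed from the UTM 9 RESTful API: host objects live under this path and carry
# '_ref', 'name' and 'macs'; verify against /api/definitions on your own UTM.
HOST_PATH = "/api/objects/network/host/"

def normalize_mac(mac):
    """Canonicalise 'AA-BB-CC-DD-EE-FF' or 'aabb.ccdd.eeff' to lower-case colon form.
    Anything that is not exactly 12 hex digits is rejected, so a typo never reaches a firewall."""
    digits = re.sub(r"[:\-.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def reconcile(central, remote):
    """central: {host name: [mac, ...]}, the single list you maintain.
    remote: host objects fetched from one UTM (list of dicts with '_ref', 'name', 'macs').
    Returns [(action, payload)]: 'update' when the MAC set differs, 'missing' when the host
    does not exist on that UTM (its IP is site-specific, so creation is left to the admin)."""
    wanted = {name: sorted({normalize_mac(m) for m in macs}) for name, macs in central.items()}
    by_name = {h["name"]: h for h in remote}
    changes = []
    for name, macs in wanted.items():
        current = by_name.get(name)
        if current is None:
            changes.append(("missing", {"name": name, "macs": macs}))
        elif sorted(normalize_mac(m) for m in current.get("macs", [])) != macs:
            changes.append(("update", {"_ref": current["_ref"], "name": name, "macs": macs}))
    return changes

def push_updates(base_url, token, changes):
    """Apply the 'update' entries to one UTM. Assumed: the API token is sent as HTTP Basic
    with user name 'token', and a PATCH on HOST_PATH + _ref changes only the given fields.
    TLS verification stays on; trust the UTM's CA instead of disabling it."""
    auth = base64.b64encode(f"token:{token}".encode()).decode()
    headers = {"Authorization": f"Basic {auth}", "Content-Type": "application/json"}
    for action, payload in changes:
        if action != "update":
            print(f"{base_url}: {payload['name']} missing, create it with its site-local IP")
            continue
        req = urllib.request.Request(f"{base_url.rstrip('/')}{HOST_PATH}{payload['_ref']}",
                                     data=json.dumps({"macs": payload["macs"]}).encode(),
                                     headers=headers, method="PATCH")
        with urllib.request.urlopen(req, timeout=15) as resp:  # raises HTTPError on 4xx/5xx
            resp.read()
```

Run `reconcile()` once per site against that site's fetched host list and hand the result to `push_updates()`; the same central list then drives every UTM without retyping a single MAC.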

  • Meh, I hoped for an automatic process :)

    In case of copying: Can you export/import all the static mappings?
    Only found something for mac-address lists so far but nothing for mapping.

    That would at least reduce the chance of mistyped MAC addresses.

    Hello isard,

    If I understand what you want to accomplish, I think I would do this differently.  Instead of using DHCP with static mappings, put a MAC Address List named "Local Devices" in each site and use that to limit the "Allow" firewall rules to just the MACs in the MAC Address List.  Then, you can have identical rules everywhere.  To prevent use of Proxies (see #2 in Rulz), use some method of authentication and block unauthenticated access.  Will that do what you want?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Maybe. I am not sure.
    I will test this and report back.

    Thanks for your input!
