Thread Info
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

HELP: Only Registered MAC address can do Access Internet Connection

Proudmore

 Hi Sophos Community, Engineers and Architects

I do have Sophos SG 9.4* Version

How can I block unregistered Mac address having access to the internet.

It will be held on Firewall rule or it will be on Web Protection?

Thank you



This thread was automatically locked due to age.
  • 0

    First thing is to give DHCP with static mac-addresses.  Mac address rules are implementet only in firewall rules

    • 0

      Is it 1 specific MAC-address that you want to block or just any MAC-address that is not specifically specified?

      If only 1 MAC-address is to be blocked, create a static DHCP-address for it and configure this IP to not have access, if the other way around then it will be way more work in UTM, since you will have create static DHCP-entries for all other clients and make sure all these are the only ones allowed to access the internet.

      You might also be able to use your switch if you have a managed switch and enable security there (configuring that only specific MAC-addresses are allowed on each port).

      Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

      • 0 in reply to apijnappels

        Hi Sir,

        We have a DHCP Server which is Sophos, then even they have obtain an IP address from DHCP server he/she will not have an internet access.
        We must enroll first his/her Mac address into Sophos before having an internet access.

        This scenario we want to be implemented under Sophos UTM.

        How will it be done?

        • 0 in reply to Proudmore

          Like I wrote before:

          "since you will have to create static DHCP-entries for all other clients and make sure all these are the only ones allowed to access the internet"

          • Basically, make sure your DHCP scope is not too large, ie. x.y.z.150 - x.y.z.170. This is the range all "other" devices will get an IP from;
          • Configure all your defined MAC-address hosts as static DHCP clients and have them OUTSIDE the above scope (assign ie x.y.z.100 - x.y.z.120);
          • In web-filtering allow usage not for Internal (Network), but only for the custom created range with your statically configured hosts, in the above example you could use a network definition of x.y.z.0/25 then all hosts x.y.z.1 - x.y.z.126 will be able to use the webfilter whereas x.y.z.128 - x.y.z.254 will not;
          • You can use the same network definition in firewall rules if you'd like to also control other ports and protocols than web browsing.

          Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

          • 0 in reply to apijnappels

            In my example above all statically configured IP-addresses in the same range will also have access, so in stead of creating a network definition, you can create a host group definition and only include the statically configured hosts in it. A bit more work, but also more restrictive.

            Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.