In this article I will show you how to block any computer from using the internet on a FortiGate firewall. The procedure blocks computers by their MAC address using a device access list.
Configure the WAN and LAN ports
Go to "Network" > "Interfaces" and click "Port1".
MAC address filtering is more secure and more reliable than IP address filtering because the MAC address does not change.
Port 1 is connected to the Internet (WAN); Port 2 is connected to the internal network (LAN).
Alias: lan
Role: LAN
IP/Netmask: 10.0.0.1/24
Select the "PING" checkbox.
Clients use dynamic IP addresses, so we also configure a DHCP scope to hand out addresses to them.
Enable DHCP Server
Address range: 10.0.0.2-10.0.0.254
Click the "OK" button to save your settings.
Configure a default static route
Go to "Static Routes" and click the "Create New" button.
Set the Destination IP/Mask to 0.0.0.0/0.0.0.0.
Set the Gateway to the IP address of the ISP's router: 192.168.1.1.
Set the Device to the Internet-facing interface: wan1 (port1).
Next, make a list of the computers that are allowed to use the internet.
Go to "Dashboard" > "Network" > "DHCP" and note the MAC addresses shown there.
Go to "Policy and Objects", select "Addresses", select "Create New" and then choose "Address".
Add the MAC addresses of the computers that are allowed to use the internet here, using the MAC addresses you noted above.
In the same way, create a list of the computers that will be blocked from using the internet, and add the MAC addresses of the computers that are not allowed to use the internet to it.
Create a policy that allows computers to access the internet
Go to "Policy and Objects" > "Firewall Policy" and select "Create New".
Give the policy a name: Allow-internet.
Set the Incoming Interface to the lan interface and the Outgoing Interface to the Internet-facing interface.
Set Source to the list of computers that are allowed to use the internet that you just created.
Set Destination Address, Schedule, and Services to ALL.
Make sure the Action is set to ACCEPT.
Turn on NAT and make sure Use Outgoing Interface Address is selected.
Once the setup is done, check the results.
You can now browse the internet using any whitelisted computer.
So how do you block the computers that are not allowed to use the internet? Follow the next steps.
Create a policy that does not allow computers to access the internet
Give the policy a name.
Set the Incoming Interface to the lan interface and the Outgoing Interface to the Internet-facing interface.
Set Source to the list of computers that are not allowed to use the internet that you just created.
Set Destination Address, Schedule, and Services to ALL.
Make sure the Action is set to DENY.
Once the setup is done, check the results. You can no longer browse the internet from any blacklisted computer.
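The following is an added example, not code from the article or from Fortinet: a small Python model of how the two MAC-based lists and the two firewall policies above are evaluated. A FortiGate checks firewall policies from top to bottom and applies the first one that matches, and traffic that matches no policy is dropped by the implicit deny at the end of the list. The DHCP lease table, hostnames and MAC addresses in the block are constructed sample data; the interface names assume port2 is the lan interface and port1 the Internet-facing one, as in this article.

```python
"""Model of how the two MAC-based policies in this article are evaluated.

Added example (not FortiGate code): policies are checked top-down and the
first match wins; traffic matching no policy is dropped by the implicit deny
at the bottom of the policy list. Lease table and MACs are constructed.
"""
import re
from dataclasses import dataclass

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def normalize_mac(mac: str) -> str:
    """Return the MAC in lower-case colon form.

    The DHCP page, other tools and copy-paste produce several spellings
    (AA:BB:CC:DD:EE:01, aa-bb-cc-dd-ee-01, aabb.ccdd.ee01); normalising
    before storing avoids silent mismatches when the lists are compared.
    """
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    canonical = ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))
    assert MAC_RE.match(canonical)
    return canonical


# Constructed DHCP lease table: IP, MAC as displayed, hostname.
DHCP_LEASES = """\
10.0.0.2   AA:BB:CC:DD:EE:01   pc-finance
10.0.0.3   aa-bb-cc-dd-ee-02   pc-guest
10.0.0.4   aabb.ccdd.ee03      pc-lab
"""


def parse_leases(text: str) -> dict:
    """Map hostname -> normalised MAC from a lease listing like the one above."""
    leases = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        _ip, mac, host = line.split()
        leases[host] = normalize_mac(mac)
    return leases


@dataclass(frozen=True)
class Policy:
    name: str
    srcintf: str          # incoming interface, e.g. "port2" (lan)
    dstintf: str          # outgoing interface, e.g. "port1" (wan)
    srcaddr: frozenset    # MAC address objects the policy matches on
    action: str           # "accept" or "deny"


def build_policies(allowed_hosts, blocked_hosts, leases):
    """The two policies from the article, in the order they sit in the list."""
    allowed = frozenset(leases[h] for h in allowed_hosts)
    blocked = frozenset(leases[h] for h in blocked_hosts)
    return [
        Policy("Allow-internet", "port2", "port1", allowed, "accept"),
        Policy("Block-internet", "port2", "port1", blocked, "deny"),
    ]


def evaluate(policies, srcintf, dstintf, src_mac):
    """Return (policy name, action) of the first matching policy, else implicit deny."""
    mac = normalize_mac(src_mac)
    for p in policies:
        if p.srcintf == srcintf and p.dstintf == dstintf and mac in p.srcaddr:
            return p.name, p.action
    return "implicit", "deny"


def decisions():
    """Decision for every leased host when pc-finance is whitelisted,
    pc-guest is blacklisted and pc-lab is in neither list."""
    leases = parse_leases(DHCP_LEASES)
    policies = build_policies(["pc-finance"], ["pc-guest"], leases)
    return {host: evaluate(policies, "port2", "port1", mac)
            for host, mac in leases.items()}


if __name__ == "__main__":
    for host, (policy, action) in decisions().items():
        print(f"{host:12} -> {action:6} ({policy})")
```

Running the block prints one line per host. The point worth checking on a real unit is the third host: pc-lab is in neither list, so in this model it is dropped by the implicit deny, and whether such a host can reach the internet on the firewall depends only on what other policies sit below these two in the policy list.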
In the next part I will show how to add a new computer to the whitelist or blacklist. I hope this article helps you block internet access for computers on a FortiGate firewall.