MAC access control


In this example, you will add device definitions to your FortiGate using Media Access Control (MAC) addresses. These definitions are then used to determine which devices can access the wireless network.

By using a MAC address for identification, you will also be able to assign a reserved IP for exclusive use by the device when it connects to the wireless network.

Warning: Since MAC addresses can be easily spoofed, using MAC access control should not be considered a security measure.


1. Finding the MAC address of a device

For Windows devices:

Open the command prompt and type ipconfig /all.

This output displays configuration information for all of your network connections. Look for the information about the wireless adapter and take note of the Physical Address.

For Mac OS X devices:

Open Terminal and type ifconfig en1 | grep ether.

Take note of the displayed MAC address.

For iOS devices:

Open Settings > General and take note of the Wi-Fi Address.

For Android devices:

Open Settings > More > About Device > Status and take note of the Wi-Fi MAC address.

2. Defining a device using its MAC address

Go to User & Device > Device > Device Definitions and create a new device definition.

Set MAC Address to the address of the device and set the other fields as required. In the example, a device definition is created for an iPhone with the MAC Address B0:34:95:C2:EF:D8.

The new definition will now appear in your device list.

3. Creating a device group

Go to User & Device > Device > Device Groups and create a new group.

Add the new device to the Members list.

4. Reserving an IP address for the device

Go to System > Network > Interfaces and edit the wireless interface.

Under DHCP Server, expand Advanced. Create a new entry in the MAC Reservation + Access Control list that reserves an IP address within the DHCP range for the device’s MAC address.

5. Creating a security policy for wireless traffic

Go to Policy & Objects > Policy > IPv4 and create a new policy.

Set Incoming Interface to your wireless interface, Source Device Type to the device group, and Outgoing Interface to the Internet-facing interface.

Ensure that NAT is turned on.

6. Results

Connect to the wireless network with a device that is a member of the device group. The device should be able to connect and access the Internet.

Connection attempts from a device that is not a group member will fail.


Go to System > FortiView > All Sessions and view the results for now. Filter the results using the reserved Source IP (in the example,, to verify that it is being used exclusively by the wireless device.
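The following is an added example, not part of the original recipe or Fortinet's own tooling. It is one way to check the addresses collected in step 1 before entering them as device definitions in step 2: it normalizes the hyphenated form printed by ipconfig and the lower-case form printed by ifconfig, and rejects duplicates and locally administered addresses (for example the private Wi-Fi addresses phones can generate), which would not match a definition or reservation reliably. All aliases and MAC addresses other than B0:34:95:C2:EF:D8 are constructed sample values.

```python
import re

# Six hex octets separated by ':' or '-', not embedded in a longer hex run
# (so a Windows DHCPv6 DUID line is not mistaken for a MAC address).
MAC_RE = re.compile(r"(?<![0-9A-Fa-f:-])((?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2})"
                    r"(?![0-9A-Fa-f:-])")

def normalize_mac(raw):
    """Extract one MAC from a pasted line; return it as AA:BB:CC:DD:EE:FF."""
    found = MAC_RE.findall(raw)
    if len(found) != 1:
        raise ValueError(f"expected exactly one MAC address, found {len(found)}")
    return found[0].replace("-", ":").upper()

def mac_problems(mac):
    """Flag addresses that cannot reliably identify one physical device."""
    first = int(mac[:2], 16)
    problems = []
    if first & 0x01:
        problems.append("multicast bit set")
    if first & 0x02:
        problems.append("locally administered (randomized or manually set)")
    return problems

def build_inventory(entries):
    """entries: iterable of (alias, pasted_text). Returns (accepted, rejected)."""
    accepted, rejected = {}, []
    for alias, raw in entries:
        try:
            mac = normalize_mac(raw)
            problems = mac_problems(mac)
            owner = next((a for a, m in accepted.items() if m == mac), None)
            if owner:
                problems.append(f"duplicate of {owner}")
            if problems:
                raise ValueError("; ".join(problems))
            accepted[alias] = mac
        except ValueError as err:
            rejected.append((alias, str(err)))
    return accepted, rejected

# Constructed sample input; only the first MAC is the one used on this page.
SAMPLE = [
    ("iphone-01", "Wi-Fi Address: B0:34:95:C2:EF:D8"),
    ("laptop-01", "   Physical Address. . . . . . . . . : 00-1B-44-11-3A-B7"),
    ("macbook-01", "\tether b0:34:95:c2:ef:d8 "),
    ("android-01", "Wi-Fi MAC address DA:A1:19:00:4F:2C"),
    ("laptop-02", "   DHCPv6 Client DUID. . . : 00-01-00-01-2A-5C-11-22-00-1B-44-11-3A-B7"),
]
```

Calling build_inventory(SAMPLE) returns the accepted alias-to-MAC mapping and a list of rejected entries with the reason for each.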

For further reading, check out Managing “bring your own device” in the FortiOS 5.2 Handbook.

Victoria Martin


Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.
The instructions below were written for the most recent OS versions. Older versions may use different methods.
If you have enabled device identification on the wireless interface, device definitions will be created automatically. You can then use MAC addresses to identify which device a definition refers to.
If the FortiAP is in bridge mode, you will need to edit the internal interface.
  • Victoria Martin
    • Jason Chan

      config system dhcp reserved-address
      edit User1 —————————- User 1 is the computer hostname?
      set ip
      set mac 00:09:0F:30:CA:4F
      set type regular

  • David Esteban


    I’m controlling all the wireless access by MAC filtering. Now I have less than 50 devices but I plan to have more than 400. Is it possible to manage group devices and device MAC addresses using console (batch processing or similar), and/or importing any file?

    On the other hand, in MAC filtering in SSID edition, I have to select device by device, and I want to select a group of devices, as I can do in Policy & Objects > Policy > IPv4. Is it possible? Otherwise, the MAC filtering management becomes really heavy…

    I can’t find any answer in manuals (Fortinet Document Library / FortiOS Handbook.).

    Thanks a lot!


  • haroon

    How to take FortiGate 30E firewall MAC address?

  • vignesh

    thanks a ton!!!!!!

  • Edgardo Cáceres

    Thanks!!!

  • lohith n

    This post is very informative. We have done this process in our college, but we are facing a very big problem at the moment: we need to add around 3000 MAC addresses. Doing it manually up to 100 entries is somehow manageable, but afterwards, for each addition of a MAC address I have to scroll up to the top, click on the Create New button, then come back to the bottom and add it there, and continuing this process gets worse and worse as the list grows.
    So I request you to give me a solution if possible. I heard that there is a way to write some kind of script for bulk addition of MAC addresses at one time. Please let me know whether any such thing is possible or not.
    I am doing it as a project for my college, so I am looking for some help. I hope to get a positive reply.