[USG Flex H] - Create Object Address based on MAC Address

Maverick87

Hello everyone,

I've had the USG Flex 200HP for some months and I have difficulty understanding the Object Address of type "Host".
I mean, if I need to create some Control Policy rule based on some "device", I need to configure the device as Static DHCP based on MAC address, and then configure an object address based on the IP address.

But I think it is more convenient to directly create an object address based on MAC address; this way I don't need to "force" the Static DHCP entry, and if the device changes its own IP address, the device is still managed by its own MAC address.


Comments

  • PeterUK
    edited January 5

    Yes, it's also like NAT mapping: it could be MAC based, meaning the IP could change but traffic is forwarded under the MAC by a lookup table.

  • Zyxel_Tina, Zyxel Employee

    Hi all,

    Thank you for your input and feedback!

    The idea of using MAC addresses to identify devices makes logical sense.

    However, firewall policies work at Layer 3/4 (IP-based), while MAC addresses operate only at Layer 2 and are not preserved once traffic passes through a router or firewall. For this reason, USG Flex H series devices (like all L3 firewalls) cannot reliably enforce security policies based on MAC addresses.

    Zyxel Tina

  • PeterUK
    edited January 8

    Hi Tina

    This whole layer thing is really not a problem; it's just said to be. Take an L2 switch, even your switches: you can do L2 and L3 and port control in ACL/Classifier, so how does that make it only an L2 switch? Also, NAT on any router changes the MAC of packets at L2, so how does that make it L3?

    And back when I had a Ubiquiti edgerouter-lite it could do control of source MAC for firewall rule control.
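To make the proposal concrete, here is an added example in Python (not Zyxel code, and not a description of how the USG Flex H works internally): a MAC-keyed address object is resolved to the device's current IP through the DHCP lease table, which is the "lookup table" approach PeterUK mentions, so a rule written against a MAC still ends up as the IP-based match the Layer 3 policy engine needs. The dnsmasq-style lease layout, the object names and the rule fields are assumptions constructed for the example.

```python
"""Resolve MAC-keyed address objects against a DHCP lease table (example only)."""
import ipaddress
from typing import Dict, List

# Constructed sample in dnsmasq lease-file layout (assumed format):
# <expiry epoch> <mac> <ip> <hostname> <client-id>
SAMPLE_LEASES = """\
4102444800 AA:BB:CC:DD:EE:01 192.168.1.50 printer *
4102444800 aa:bb:cc:dd:ee:02 192.168.1.77 nas 01:aa:bb:cc:dd:ee:02
1000000000 aa:bb:cc:dd:ee:03 192.168.1.99 old-laptop *
"""

# Constructed MAC-based address objects, the way the thread proposes them.
MAC_OBJECTS = {
    "Printer": ["aa:bb:cc:dd:ee:01"],
    "NAS": ["aa:bb:cc:dd:ee:02"],
    "OldLaptop": ["aa:bb:cc:dd:ee:03"],
}

def parse_leases(text: str, now: int) -> Dict[str, str]:
    """Return {mac: ip} for unexpired leases; expiry 0 means a permanent lease."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        expiry, mac, ip = int(parts[0]), parts[1].lower(), parts[2]
        if expiry != 0 and expiry <= now:
            continue  # stale lease: that IP may now belong to another device
        ipaddress.ip_address(ip)  # raises ValueError on a malformed entry
        table[mac] = ip
    return table

def resolve_object(name: str, leases: Dict[str, str]) -> List[str]:
    """Current IPs behind a MAC-based object; empty if no live lease exists."""
    return [leases[m.lower()] for m in MAC_OBJECTS[name] if m.lower() in leases]

def expand_policy(policy: List[dict], leases: Dict[str, str]) -> List[dict]:
    """Turn MAC-keyed rules into the IP-keyed rules an L3 policy engine needs."""
    rules = []
    for rule in policy:
        ips = resolve_object(rule["src_object"], leases)
        if not ips:
            continue  # no live lease: drop rather than emit an empty, never-firing match
        rules.append({**rule, "src_ips": ips})
    return rules
```

Re-running `parse_leases` whenever the lease file changes is what keeps the rule following the device after a new IP is handed out.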