[USG Flex H] - Create Object Address based on MAC Address

Maverick87 · January 5

Hello everyone,

I've the USG Flex 200HP from some months and I've difficulty to understand the Object Address of type "Host".
I mean, if I need to create some Control Policy rule based on some "device", I need to configure the device as Static DHCP based on Mac Address, and than configure an object address based on the IP Address.

But, I think is more convenient directly create an object address based on MAC Address, so in this way, I don't need to "force" the Static DHCP entry and if the device change it's own IP Address, the device is always managed by it's own MAC Address.

PeterUK · January 5

Yes its also like NAT mapping could be MAC based meaning the IP could change but forwarded under MAC by lookup table

Zyxel_Tina · January 8

Hi all,

Thank you for your input and feedback!

The idea of using MAC addresses to identify devices makes logical sense.

However, firewall policies work at Layer 3/4 (IP-based), while MAC addresses operate only at Layer 2 and are not preserved once traffic passes through a router or firewall. For this reason, USG Flex H series devices (like all L3 firewalls) cannot reliably enforce security policies based on MAC addresses.

PeterUK · January 8

Hi Tina

This whole layer thing is really not a problem its just said to be take a L2 switch even your switches you can do L2 and L3 and ports control in ACL/Classifier how does that make it only a L2 switch? Also NAT on any router changes the MAC packets at L2 so how does that make it a L3?

And back when I had a Ubiquiti edgerouter-lite it could do control of source MAC for firewall rule control.

Maverick87 · 11:02AM

https://community.zyxel.com/en/discussion/comment/82646#Comment_82646

However you could, in any case, "translate" the MAC into the IP, you can use the DHCP list to know the IP.

[USG Flex H] - Create Object Address based on MAC Address

Active · Last Updated January 5

Comments

Categories

Security Help Center