• SonicOS 7
• Zones
  • How Zones Work
  • Predefined Zones
  • Security Types
  • Allow Interface Trust
  • Enabling SonicWall Security Services on Zones
  • Effect of Wireless and Non-Wireless Controller Modes
    • Effects of Enabling Non-Wireless Controller Mode
    • Effects of Enabling Wireless Controller Mode
  • Match Objects > Zones
    • The Zone Settings Table
    • Adding a New Zone
    • Configuring a Zone for Guest Access
    • Configuring a Zone for Open Authentication and Social Login
    • Configuring a Zone for Captive Portal Authentication with RADIUS
    • Configuring a Zone for Customized Policy Message
    • Configuring a Zone for Customized Login Page
    • Configuring the WLAN Zone
    • Configuring the RADIUS Server
    • Configuring DPI-SSL Granular Control per Zone
    • Enabling Automatic Redirection to the User-Policy Page
    • Deleting a Zone
• Addresses
  • Types of Address Objects
  • About Address Groups
  • About UUIDs for Address Objects and Groups
  • Addresses Page
    • Common Features
      • Common Functions
      • Common Column Headings
    • Sorting the Entries
  • Default Address Objects and Groups
  • Default Pref64 Address Object
  • Default Rogue Address Groups
  • Adding an Address Object
  • Editing Address Objects
  • Deleting Custom Address Objects
  • Purging MAC or FQDN Address Objects
  • Creating Address Groups
  • Editing Address Groups
  • Deleting Address Groups
  • Working with Dynamic Address Objects
    • Key Features of Dynamic Address Objects
    • Enforcing the Use of Sanctioned Servers on the Network
    • Using MAC and FQDN Dynamic Address Objects
      • Blocking All Protocol Access to a Domain using FQDN DAOs
      • Using an Internal DNS Server for FQDN-based Access Rules
      • Controlling a Dynamic Host’s Network Access by MAC Address
      • Bandwidth Managing Access to an Entire Domain
• Services
  • About Default Service Objects and Groups
  • Predefined IP Protocols for Custom Service Objects
  • Adding Service Objects using Predefined Protocols
  • Adding Custom IP Type Services
    • Configuration Example
  • Editing Custom Service Objects
  • Deleting Custom Service Objects
  • Adding Custom Service Groups
  • Editing Custom Service Groups
  • Deleting Custom Service Groups
• URI Lists
  • About URIs and the URI List
  • About URI List Groups
  • About Keywords and the Keyword List
  • Matching URI List Objects
  • Using URI List Objects
  • Managing URI List Objects
    • About the URI List Objects Table
    • Configuring URI List Objects
    • Exporting a URI List Object
    • Editing a URI List Object
    • Deleting URI List Objects
  • Managing URI List Groups
    • About the URI List Groups Table
    • Adding URI List Groups
    • Editing a URI List Group
    • Deleting URI List Groups
• Match Objects
  • About Match Objects
    • About Regular Expressions
      • Regular Expression Syntax
    • About Negative Matching
  • About Application List Objects
    • About Application Filters
    • About Category Filters
  • Configuring a Match Object
  • Configuring Application List Objects
• Schedules
  • Adding a Custom Schedule
  • Modifying Schedules
  • Deleting Custom Schedules
• Dynamic Group
  • About the Dynamic External Address Group File
  • DEAG and DEAO Maximums
  • High Availability Requirements
  • Adding a Dynamic External Object
  • Editing Dynamic External Objects
  • Deleting Dynamic External Objects
• Email Addresses
  • Configuring Email Address Objects
• SonicWall Support
  • About This Document

Controlling a Dynamic Host’s Network Access by MAC Address

Since DHCP is far more common than static addressing in most networks, it is sometimes difficult to predict the IP address of dynamically configured hosts, particularly in the absence of dynamic DNS updates or reliable hostnames. In these situations, it is possible to use MAC address objects to control a host’s access by its relatively immutable MAC (hardware) address.

Like most other methods of access control, this can be employed either inclusively, for example, to deny access to/for a specific host or group of hosts, or exclusively, where only a specific host or group of hosts are granted access, and all other are denied. In this example, we will illustrate the latter.

Assuming you had a set of DHCP-enabled wireless clients running a proprietary operating system which precluded any type of user-level authentication, and that you wanted to only allow these clients to access an application-specific server (for example, 10.50.165.2) on your LAN. The WLAN segment is using WPA-PSK for security, and this set of clients should only have access to the 10.50.165.2 server, but to no other LAN resources. All other wireless clients should not be able to access the 10.50.165.2 server, but should have unrestricted access everywhere else.

Step 1 – Create the MAC Address Objects:

1. Navigate to Object > Match Objects > Addresses > Address Objects page.

2. Click Add and create the following MAC address objects (multi-homing optional, as needed).

   

3. Once created, if the hosts are present in the firewall’s ARP cache, they will be resolved immediately, otherwise they will appear in an unresolved state in the Address Objects table until they are activated and are discovered through ARP.

4. Create an address group for the handheld devices:

Step 2 – Create the Access Rules:

1. Navigate to Policy > Access Rules page.

2. Click Add and create four access rules with the settings shown in the below table.

   Sample access rules

   Setting	Access Rule 1	Access Rule 2	Access Rule 3	Access Rule 4
   Allow / Deny	Allow	Deny	Allow	Deny
   From Zone	WLAN	WLAN	WLAN	WLAN
   To Zone	LAN	LAN	LAN	LAN
   Service	MediaMoose Services	MediaMoose Services	Any	Any
   Source	Handheld Devices	Any	Handheld Devices	Any
   Destination	10.50.165.2	10.50.165.2	Any	Any
   Users allowed	All	All	All	All
   Schedule	Always on	Always on	Always on	Always on

The MediaMoose Services service is used to represent the specific application used by the handheld devices. The declaration of a specific service is optional, as needed.