By Manny Fernandez

January 18, 2026

MAC Sticky Ports on FortiSwitch

I have a customer that is using point-of-sale devices that are connected via wired Ethernet connections.  One of the counter-measures to protect against devices such as the Plunder Bug (in active mode) and the LAN Turtle is to ensure that only allowed MAC addresses are connected to that port.  We wanted to ensure that no one can plug a rogue device into the switch ports used by the PoS devices.  Ideally, FortiNAC or the NAC-Lite features using 802.1X are recommended, but this is a quick and easy way to reduce risk.

If you are managing the FortiSwitch via the FortiGate (FortiLink), you can enable sticky MAC on the switch port.  You will need to use the CLI for this.  You can also do this on standalone (non-FortiLink) switches, but I will not cover that here.

config switch-controller managed-switch

Once there, you will need to pick your managed FortiSwitch.  A good way of seeing them is to type edit ? which will list the serial numbers and names of your switches.

Let's get into the switch configuration by typing edit %switch-serial% and pressing Enter (the managed switch entry is keyed by its serial number, not its name).

Next, type config ports, which will take you to the port configuration section.

Now choose the port you want to configure, for example edit port14.  Note: there is no space between port and the port number.

Now you will define the limit on the number of MAC addresses the port will learn.  Note: Remember that if you have an IP phone plugged in that uses LLDP (the same is true with CDP), you will have the following scenario:

  • Phone boots up on the native VLAN and registers its MAC address on that VLAN.
  • Phone reconfigures itself to the VLAN ID given by the switch port or LLDP profile and acquires an IP address with the same MAC address, but on the voice VLAN you defined.
  • Then the device behind the IP phone (normally a PC) connects on the native VLAN.

That is three learned entries (the phone's MAC on two VLANs plus the PC's MAC), so a limit of 1 will break a phone port.

To configure the limit, type the following on the port you are configuring:

set learning-limit x  (where x is the number of MAC addresses you want to allow)

Next, enable sticky MAC on the switch port:

set sticky-mac enable

Then type next and end to commit the port and switch configuration.

Once you have finished configuring the various ports and the legitimate devices have come up and been learned, you will need to save the learned MAC addresses so they are persistent after a reboot (an unsaved sticky MAC is lost when the switch restarts):

execute switch-controller switch-action sticky-mac save interface %switch-serial% %port%

You can also use all in place of interface and leave out the port; that saves the learned MAC addresses for all sticky-MAC ports on that switch.

To delete sticky MAC addresses that a port has learned but that have not yet been saved (for example, if a temporary or unexpected device was plugged in before you ran the save):

execute switch-controller switch-action sticky-mac delete-unsaved interface %switch-serial% %port%
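Putting the steps together, here is the whole procedure as one FortiGate CLI session.  This is an added example, not a transcript from the original post; the switch serial number (S124EN5919000001), the port assignments and the device roles are assumptions for illustration.  It goes beyond the single port above by showing both a bare PoS port (limit 1) and an IP-phone port with a PC behind it (limit 3), then the save, delete-unsaved and verification commands.

```text
# Added example, not from the original post. Switch serial and port roles are assumed.
config switch-controller managed-switch
    edit S124EN5919000001
        config ports
            # port14: bare PoS terminal, exactly one MAC expected
            edit port14
                set learning-limit 1
                set sticky-mac enable
            next
            # port15: IP phone (LLDP voice VLAN) with a PC behind it
            # phone MAC on native VLAN + phone MAC on voice VLAN + PC MAC = 3
            edit port15
                set learning-limit 3
                set sticky-mac enable
            next
        end
    next
end

# Once the legitimate devices have come up and been learned, persist one port...
execute switch-controller switch-action sticky-mac save interface S124EN5919000001 port14

# ...or every sticky-MAC port on the switch in one go
execute switch-controller switch-action sticky-mac save all S124EN5919000001

# Something unexpected was plugged into port14 before you saved? Drop the unsaved entries
execute switch-controller switch-action sticky-mac delete-unsaved interface S124EN5919000001 port14

# Confirm the learning-limit and sticky-mac settings took effect
show switch-controller managed-switch S124EN5919000001
```

Save only after you have confirmed that the entries the port learned belong to the PoS device (and phone/PC) you expect; whatever is learned at the moment you run the save command is what gets persisted, so a rogue device present at that time would become an allowed MAC.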

NOTE:  If you are using a USB dongle as the NIC, you are at risk from someone disconnecting the dongle from the PoS device and connecting it to their own device, which keeps the MAC address of the USB dongle (sticky MAC cannot tell the difference).  In that case, 802.1X with certificates is preferred.  Consider looking at FortiNAC or NAC-Lite.

Hope this helps.

