By Manny Fernandez

January 18, 2026

MAC Sticky Ports on FortiSwitch

I have a customer that is using point-of-sale devices that are connected via wired Ethernet connections. One of the counter-measures to protect against devices such as the Plunder Bug (active mode) and the LAN Turtle is to ensure that only allowed MAC addresses are connected to that port. We wanted to ensure that no one can plug a device into the PoS devices. Ideally, FortiNAC or the NAC-Lite feature using 802.1X is recommended, but this is a quick and easy way to reduce risk.

If you are managing the FortiSwitch via the FortiGate, you can enable sticky MAC on the switch port. You will need to use the CLI for this. You can also do this on non-FortiLink switches, but I will not cover that here.

config switch-controller managed-switch

Once there, you will need to pick your managed FortiSwitch. A good way of seeing them is to type edit ? which will list the serial numbers and names of your switches.

Let's get into the switch configuration by typing edit %switch-name% and pressing Enter.

Next, type config ports, which will take you to the port configuration section.

Now choose the port you want to configure, for example edit port14. Note that there is no space between port and the port number.

Now you will define the limit of MAC addresses the port will learn. Note: remember that if you have an IP phone plugged in that uses LLDP (the same is true with CDP), you will have the following scenario:

  • Phone boots up on native VLAN and will register a MAC address on that VLAN.
  • Phone will reconfigure to the VLAN ID given by the switch port or LLDP profile and acquire an IP with the same MAC address but on the voice-vlan you defined.
  • Then the device behind the IP phone (normally a PC) will connect to the native VLAN.

Obviously, this is 3 MAC addresses.

To configure the limit, type the following:

set learning-limit x on the port you are configuring (where x is the number of MAC addresses you want to allow)

Next, you want to enable sticky MAC on the switch port:

set sticky-mac enable

Once you have finished configuring the various ports, you will need to save the learned MAC addresses so they are persistent after a reboot.

execute switch-controller switch-action sticky-mac save interface %switch-serial% %port%

You can also use all in the above command in place of interface and leave the port argument out, and it will save the MAC addresses for all configured ports on that switch.

To delete an unsaved sticky MAC address from a port:

execute switch-controller switch-action sticky-mac delete-unsaved interface %switch-serial% %port%
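Putting the steps above together, here is the whole sequence as one session. This is an added illustration, not a transcript from the original post: the switch serial S124EN-PLACEHOLDER, the port port14 and the learning limit of 3 are assumed values, the limit chosen to match the IP-phone-plus-PC scenario described earlier, and the lines starting with # are annotations rather than CLI input.

```text
# On the FortiGate, enter the managed FortiSwitch configuration
config switch-controller managed-switch
    edit "S124EN-PLACEHOLDER"          # assumed serial; "edit ?" lists yours
        config ports
            edit "port14"              # assumed port
                set learning-limit 3   # phone on native VLAN + phone on voice VLAN + PC
                set sticky-mac enable
            next
        end
    next
end

# Persist the learned addresses so they survive a reboot (single port) ...
execute switch-controller switch-action sticky-mac save interface S124EN-PLACEHOLDER port14

# ... or every configured port on that switch at once
execute switch-controller switch-action sticky-mac save all S124EN-PLACEHOLDER

# Discard an address that was learned but not yet saved (e.g. after re-cabling the port)
execute switch-controller switch-action sticky-mac delete-unsaved interface S124EN-PLACEHOLDER port14
```

A port with nothing but the PoS terminal behind it only needs a learning-limit of 1; the value of 3 is only for ports where a PC sits behind an IP phone, as in the scenario above. Repeat the edit/next block for each PoS port before running the save command.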

NOTE: If you are using a USB-type dongle as a NIC, you are going to be at risk from someone disconnecting the dongle from the PoS device and connecting it to their own device, which will keep the MAC address of the USB dongle. In this case, 802.1X with certificates is preferred. Consider looking at FortiNAC or NAC-Lite.

Hope this helps.

