Configure MAC filtering for Single Firewall SSID Interfaces

MAC filtering allows you to restrict which clients can connect to the SSID Interface based on the clients’ MAC address.

For more details about the product and how to configure features, click Help or press F1.

Steps

On the MAC Filtering tab of the SSID Interface Properties dialog box, select an option from the MAC Filtering Mode list.
Define the MAC filtering settings.
If you want to configure additional settings for the SSID Interface, continue the configuration in one of the following ways:
- Activate the internal DHCP server on the SSID Interface.
- Add an IPv4 address to the interface.
Otherwise, save the changes to the SSID Interface.
1. Click OK to close the SSID Interface Properties dialog box.
2. Click Save and Refresh.

SSID Interface Properties dialog box

Use this dialog box to configure properties for SSID interfaces.

Option	Definition
General tab
Wireless Network Name (SSID)	The name that identifies the network to the end users.
Wireless SSID Broadcast	Select one of these options: Enabled — Users can see the Wireless Network Name (SSID) in their list of available networks. Disabled — Users must manually enter the Wireless Network Name (SSID) to connect. Note: Even if you disable SSID broadcast, anyone within range can discover your wireless network with detection tools widely available on the Internet.
MAC Address Type	Select one of these options: Hardware — The MAC address of the appliance’s wireless card. Note: The first SSID Interface is automatically assigned the MAC address of the wireless card. Custom — Enter the custom MAC address in the MAC Address field.
MAC Address (Custom only)	Enter the custom MAC address.
Zone (Optional)	Select the network zone to which the interface belongs. Click Select to select an element, or click New to create an element.
Comment (Optional)	A comment for your own reference.

Option	Definition
General tab, Quality of Service and Bandwidth Management section
QoS Mode (Optional)	Defines how QoS is applied to the link on this interface. If Full QoS or DSCP Handling and Throttling is selected, a QoS policy must also be selected. If Full QoS is selected, the throughput must also be defined. If the interface is a Physical Interface, the same QoS mode is automatically applied to any VLANs created under it.
QoS Policy (DSCP Handling and Throttling and Full QoS modes only)	The QoS policy for the link on this interface. If the interface is a Physical Interface, the same QoS policy is automatically selected for any VLANs created under it. Note: If a Virtual Resource has a throughput limit defined, the interfaces on the Virtual NGFW Engine that use a QoS policy all use the same policy. The policy used in the first interface is used for all the interfaces.
Interface Throughput Limit (Full QoS mode only)	Enter the throughput for the link on this interface as megabits per second. If the interface is a Physical Interface, the same throughput is automatically applied to any VLANs created under it. The throughput is for uplink speed (outgoing traffic) and typically must correspond to the speed of an Internet link (such as an ADSL line), or the combined speeds of several such links when connected to a single interface. CAUTION: Make sure that you set the interface speed correctly. When the bandwidth is set, the NGFW Engine always scales the total amount of traffic on this interface to the bandwidth you defined. This scaling happens even if there are no bandwidth limits or guarantees defined for any traffic. CAUTION: The throughput for a Physical Interface for a Virtual NGFW Engine must not be higher than the throughput for the Master NGFW Engine interface that hosts the Virtual NGFW Engine. Contact the administrator of the Master NGFW Engine before changing this setting.

Option	Definition
Security tab
	Disabled — Wireless traffic is not encrypted. Anyone within range can freely use and intercept traffic from this wireless network. We do not recommend using this setting. WEP Open System — After the clients have connected to the Firewall, the wireless traffic is encrypted with a 40-bit or 104-bit WEP (Wired Equivalent Privacy/Wireless Encryption Protocol) key. We do not recommend this security mode. If you must use WEP for compatibility reasons, use WEP Shared Key. Note: Some wireless clients do not support the 802.11n wireless mode with the WEP security mode. WEP Shared Key — The connecting clients are authenticated using WEP (Wired Equivalent Privacy/ Wireless Encryption Protocol). The wireless traffic is encrypted with a 40-bit or 104-bit key. We do not recommend this security mode unless you must use WEP for compatibility reasons. Note: Some wireless clients do not support the 802.11n wireless mode with the WEP security mode. WPA Personal — Wireless traffic is encrypted using the WPA or WPA2 protocol. Three encryption modes are available: TKIP (Temporal Key Integrity Protocol), AES Advanced Encryption Standard), or both TKIP and AES. WPA Enterprise — Same as WPA Personal, but RADIUS-based authentication methods provided by an external authentication server are used to authenticate the users. This option is the most secure, and it is recommended if external RADIUS authentication is available.
Key Length (WEP Open System, WEP Shared Key only)	Select the encryption key length for WEP.
Default Key (WEP Open System, WEP Shared Key only)	Select the encryption key to use by default for WEP.
Key (WEP Open System, WEP Shared Key only)	Enter 1–4 decryption keys for WEP.
WPA Mode (WPA Personal, WPA Enterprise only)	Select the encryption mode to use for WPA.
Pre-Shared Key (WPA Personal only)	Enter the pre-shared key for WPA Personal.
Authentication Method (WPA Enterprise only)	Click Select to select the authentication method for WPA Enterprise.
Hide (WEP Open System, WEP Shared Key, WPA Personal only)	Prevents the password or key from being shown as plain text. Deselect this option to show the password. Selected by default.

Option	Definition
MAC Filtering tab
MAC Filtering Mode	Select one of these options: Disabled — Connecting clients are not filtered based on their MAC addresses. Accept Unless in Denied MAC List — Clients whose MAC addresses are on the list of denied MAC addresses cannot connect. Deny Unless in Allowed MAC List — Only clients whose MAC addresses are on the list of allowed MAC addresses can connect. Click Add to add a row to the table, or Remove to remove the selected row.

Option

Definition

MAC Filtering tab

MAC Filtering Mode

Select one of these options:

Disabled — Connecting clients are not filtered based on their MAC addresses.
Accept Unless in Denied MAC List — Clients whose MAC addresses are on the list of denied MAC addresses cannot connect.
Deny Unless in Allowed MAC List — Only clients whose MAC addresses are on the list of allowed MAC addresses can connect.

Click Add to add a row to the table, or Remove to remove the selected row.

Option	Definition
DHCP tab
DHCP Mode	Select the DHCP mode: Disabled — DHCP relay is disabled. DHCP Relay — Enables DHCP relay on the interface. DHCP Server — Activates the integrated DHCP server on the interface.

Option	Definition
DHCP tab, DHCP Relay settings (If DHCP Mode is DHCP Relay)
Resources	Select from the available DHCP servers.
Search	Opens a search field for the selected element list.
Up	Navigates up one level in the navigation hierarchy. Not available at the top level of the navigation hierarchy.
Tools	New — Creates an element of the specified type. Show Deleted Elements — Shows elements that have been moved to the Trash.
Add	Adds the DHCP server to the interface.
Remove	Removes the DHCP server from the interface.
Max Packet Size	Adjusts the maximum allowed packet size.
DHCP Relay	Select the CVI or IP address you want to use for DHCP relay.

Option	Definition
DHCP tab, DHCP Server settings (If DHCP Mode is DHCP Server)
DHCP Address range	Defines the DHCP address range that the Firewall assigns to clients in one of the following ways: Select — Allows you to select an address range element. Address — Allows you to enter a single IP address or an IP address range. On Firewall Clusters, the DHCP address range is automatically divided between the nodes. Note: The DHCP address range must be in the same network space defined for the Physical Interface. The DHCP address range must not contain the Firewall's NDI or CVI addresses or broadcast IP addresses of networks behind the Firewall.
Primary DNS Server	Enter the primary DNS server IP address that clients use to resolve domain names. If there is a listening IP address for DNS Relay on the same interface, clients use the DNS services provided by the firewall by default. If you want clients to use a different external DNS server, enter the IP address of the external DNS server.
Secondary DNS Server	Enter the secondary DNS server IP address that clients use to resolve domain names.
Primary WINS Server	Enter the primary WINS server IP address that clients use to resolve NetBIOS computer names.
Secondary WINS Server	Enter the secondary WINS server IP address that clients use to resolve NetBIOS computer names.
Default Gateway	Enter the IP address through which traffic from clients is routed.
Default Lease Time	Enter the time after which IP addresses assigned to clients must be renewed.
Domain Name Search List (Optional)	Enter a comma-separated Domain Name Search List to configure DNS search suffixes.

Option	Definition
Advanced tab
Override Engine's Default Settings	When selected, the default settings of the engine are overridden.
SYN Rate Limits	Default — The interface uses the SYN rate limits defined for the engine on the Advanced Settings branch of the Engine Editor. None — Disables SYN rate limits on the interface. Automatic — This is the recommended mode if you want to override the general SYN rate limits defined for the engine on the Advanced Settings branch of the Engine Editor. The engine calculates the number of allowed SYN packets per second and the burst size (the number of allowed SYNs before the engine starts limiting the SYN rate) based on the engine’s capacity and memory size. Custom — Enter the values for Allowed SYNs per Second and Burst Size.
Allowed SYNs per Second	Defines the number of allowed SYN packets per second.
Burst Size	Defines the maximum number of matching entries in a single burst. Tip: We recommend that you set the burst size to be at least one tenth of the Allowed SYNs per Second value. If the burst size is too small, SYN rate limits do not work. For example, if the value for Allowed SYNs per Second is 10000, set the value for Burst Size to at least 1000.
Enable Log Compression	Allows you to define the maximum number of separately logged entries. For each event type, Antispoofing or Discard, you can define: Log Rate (Entries/s) — The maximum number of entries per second. The default value for antispoofing entries is 100 entries/s. By default, Discard log entries are not compressed. Burst Size (Entries) — The maximum number of matching entries in a single burst. The default value for antispoofing entries is 1000 entries. By default, Discard log entries are not compressed.
Set to Default	Returns all changes to the log compression settings to the default settings.
Send IPv6 Router Advertisements	Select and specify what configuration information is offered in the Router Advertisement messages to devices that connect to the same network as the firewall.
Managed address configuration	When selected, the router advertisement messages that the Firewall sends instruct the hosts to use the DHCPv6 protocol to acquire IP addresses and other configuration information.
Other configuration	When selected, the router advertisement messages that the Firewall sends instruct the hosts to acquire the IPv6 prefix and the default route information from the router advertisement messages, and to use the DHCPv6 protocol to acquire other configuration information (such as DNS server addresses).