On the Sophos platform, one missing feature is MAC filtering on the DHCP server. To give an idea, here is the feature as implemented on Windows Server DHCP.
Sophos does do MAC filtering, but only at the web protection/hotspot level. Any device or computer connected to the network via cable will be issued an IP address, including rogue or unauthorized devices. Short of implementing ACLs at the switch level, or 802.1X network access control, DHCP MAC filtering is a solution that provides a level of protection on your LAN.
How do we stop a device from obtaining an IP address when the SG firewall is used as the DHCP server? Here's my implementation of this feature. Unfortunately, I have yet to figure out how to implement it on the newer XG firewall.
1. Assign an additional address to the internal interface. Make sure you will not be using this address range in the future.
2. Create a new DHCP server on this additional address. Check the advanced box "Clients with static mappings only".
3. Create a new firewall rule blocking access to this interface network.
4. Create a new host definition with the necessary DHCP settings and MAC addresses, specifying the DHCP server you have just created.
The end result: the client is unable to obtain a DHCP address.