DHCP MAC Address Filtering on Sophos SG (UTM 9)

March 8, 2018

On the Sophos platform, one of the missing features is the lack of MAC filters on their DHCP server. To give an idea, here is the feature as implemented on Windows Server DHCP



Sophos does do MAC filtering, but only on a web protection/hotspot level. Any device or computer connected to the network via cable will be issued an IP address, including rogue or unauthorized devices. Short of implementing ACLs on the switch level, or 802.1x Network access control, DHCP MAC filtering is a solution that provides a level of protection on your LAN.


How do we block the access to obtain an IP address if using the SG firewall as a DHCP server? Here's my implementation of this feature. Unfortunately I have yet to figure out how to implement it on the newer XG firewall.


1.  Assign an additional address to the internal interface. Make sure you will not be using this address range in future.


2. Create an new DHCP server on this additional address. Check the advanced box "Clients with static mappings only"


3. Create a new firewall rule blocking access to this interface network 

 4. Create a new host definition with the necessary DHCP settings and MAC addresses, specifying the DHCP server you have just created.


The end result: Client is unable to obtain DHCP address





Please reload

Featured Posts

Firewall to Azure Site to Site VPN

April 16, 2019

Please reload

Recent Posts
Please reload

Please reload

Search By Tags
Please reload

Follow Us
  • Facebook Basic Square
  • Twitter Basic Square
  • Google+ Basic Square

 © 2020 by IT Re-engineering Pte Ltd | Privacy Policy   Terms of Use