Checkpoint Firewall: How to configure a Policy with MAC Filtering on a Checkpoint Firewall.


MAC Filtering lets you manage a whitelist of MAC addresses that are allowed to access the LAN; any other client on the LAN ports is dropped.


  • MAC filtering is not supported on external interfaces, nor across a physical switch placed between LAN ports (port-based VLANs). If a physical switch connects multiple LAN ports, MAC filtering cannot be activated on that network; replace the switch with a bridge configuration.
  • To disable MAC filtering on a bridged LAN interface, a reboot is required.
  • Traffic arriving from a remote encryption domain (VPN) is not MAC filtered.
  • Broadcast traffic such as ARP and DHCP is not blocked, so an unlisted client still obtains a lease and appears in the ARP table even though its unicast traffic is dropped.
  • MAC filtering for a DMZ interface can only be configured from the CLI, not in the WebUI.

This article shows how to combine MAC Filtering with an Access Policy rule to block a specific LAN device from reaching the Internet. Keep in mind that the filter matches on the client's source MAC address, a value the client itself controls and can change, so treat it as a convenience control for known devices rather than as authentication.


Step 1: Add LAN Mac Filter

In the WebUI of the Checkpoint Firewall, go to Device > Network > MAC Filtering.

First, turn on “Allow LAN access only to the following client”.

Under LAN MAC Filter, click Add.

Enter the MAC address of one computer on the LAN, then click Apply. Start with the MAC of the computer you are administering from; once the filter is on, every LAN client that is not listed loses access, including your own WebUI session.

Click Yes to confirm.

After the first MAC has been added you do not need to type the remaining ones by hand. The appliance lists the MAC addresses it has observed on the LAN, and you only have to pick the ones you want in the MAC Filtering table.

Right-click the first MAC address entry and select Add > Select.

A table of MAC addresses seen on the network appears. Select only the devices you actually want to allow and click Apply. Review the list before applying: anything that answered ARP is shown, and a phone or laptop using a randomised (per-network) MAC address will silently drop off the whitelist the next time its address changes.
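The selection table in the step above is built from MAC addresses the appliance has seen on the LAN. The following script, added here as an example and not Check Point's own code, shows the same triage done offline: it parses a neighbour-table dump (the sample below is constructed in the format of Linux `ip neigh show`), normalises the MAC notation, removes duplicates, and flags entries that a MAC whitelist should not rely on, namely broadcast/multicast addresses and locally administered addresses (randomised Wi-Fi MACs and most VM MACs, recognisable by bit 1 of the first octet). The file name and sample addresses are assumptions for illustration.

```python
"""Build a LAN MAC allow-list from a neighbour-table dump and flag addresses a
MAC filter cannot rely on.  Added example, not Check Point code."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, in the style of `ip -4 neigh show dev eth0` (assumption).
SAMPLE_NEIGH = """\
192.168.1.10 lladdr 3c:52:82:aa:bb:cc REACHABLE
192.168.1.11 lladdr 3C-52-82-AA-BB-CC STALE
192.168.1.12 lladdr da:a1:19:01:02:03 REACHABLE
192.168.1.13 lladdr 00:0c:29:12:34:56 DELAY
192.168.1.14 FAILED
192.168.1.15 lladdr ff:ff:ff:ff:ff:ff PERMANENT
"""

# colon- or dash-separated, or 12 bare hex digits
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}$|^[0-9a-f]{12}$", re.I)


def normalise_mac(raw: str) -> Optional[str]:
    """Return the MAC as lower-case, colon-separated, or None if malformed."""
    s = raw.strip().lower()
    if not MAC_RE.match(s):
        return None
    digits = s.replace(":", "").replace("-", "")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set: randomised or virtual MAC, not burned-in."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def is_multicast(mac: str) -> bool:
    """Bit 0 of the first octet set: group address, never a client."""
    return bool(int(mac.split(":")[0], 16) & 0x01)


@dataclass
class Candidate:
    ip: str
    mac: str
    state: str
    warning: Optional[str]


def parse_neigh(text: str) -> list:
    """Parse `ip neigh` style lines; entries without lladdr (FAILED) are skipped."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" not in fields:
            continue
        mac = normalise_mac(fields[fields.index("lladdr") + 1])
        if mac is None:
            continue
        warning = None
        if is_multicast(mac):
            warning = "broadcast/multicast address, never a client"
        elif is_locally_administered(mac):
            warning = "locally administered (randomised or VM MAC), may change"
        out.append(Candidate(fields[0], mac, fields[-1], warning))
    return out


def build_allowlist(text: str):
    """Return (MACs safe to whitelist, {rejected MAC: reason}), deduplicated."""
    allow, rejected, seen = [], {}, set()
    for c in parse_neigh(text):
        if c.mac in seen:
            continue
        seen.add(c.mac)
        if c.warning:
            rejected[c.mac] = c.warning
        else:
            allow.append(c.mac)
    return allow, rejected


if __name__ == "__main__":
    allow, rejected = build_allowlist(SAMPLE_NEIGH)
    print("add to LAN MAC Filter:")
    for mac in allow:
        print("  ", mac)
    print("review before adding:")
    for mac, why in rejected.items():
        print("  ", mac, "-", why)
```

Run it against a real dump by replacing SAMPLE_NEIGH with the output of `ip neigh` on a LAN host; the "review" list is where whitelist breakage usually comes from.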

Step 2: Create Policy with MAC Filtering.

Go to Access Policy > Firewall > Policy, and under Outgoing access to the Internet click New.

Create a rule that blocks the device Desktop-F8C0KAD (an object taken directly from the MAC Filtering list) from accessing the Internet.

Source: select device Desktop-F8C0KAD.

Destination: select Internet.

Action: Block.

Instead of blocking all Internet traffic, you can narrow the rule to particular web sites or applications in the Application/Service column.

Click Apply.

Step 3: Check the results.

From the blocked device, a ping to an Internet host now fails, which shows the rule is in effect. A failed ping on its own is weak evidence (ICMP can be dropped for other reasons), so also confirm that a TCP connection from the device to an Internet host on port 443 fails while the LAN gateway stays reachable, and, if the rule has logging enabled, look for its drop entries in the appliance logs.
