Don't know if this is specific to v9.301-2 but I have encountered a serious flaw in how UTM inconsistently handles MAC address nomenclature.
In network definitions I have defined several MAC addresses for iDevices using FaceTime and grouped them. I use this group to allow them because they were hammering my logs.
I noticed all of them work fine except for one iDevice and here is my theory on why...
In the firewall log it truncates IPV4 MAC addresses similar to how IPV6 addresses are done, where any leading zeros are dropped.
When I defined the users iDevice MAC address I included the zero thinking it would be smart enough to match. It isn't.
So I thought, no problem, I'll just drop the 0 in my definition to match semantics, but it WONT LET ME! (flashes red and says "The MAC address list object may not be empty"). So this is handy, Sophos is allowed to abbreviate be we are NOT allowed, how about we get on the same page here?
Before you begin telling me I've done something wrong, remember that this is one of a group of MAC addresses in one rule, and all of the others ARE filtering. The only difference is this iDevice has a leading zero in one of the pairs of hex.
For you visual people (me)...
My Definition -> A1:B2:C3:08:E5:F6
In the FW log -> A1:B2:C3:8:E5:F6
So I guess I will just ask employees to kindly not purchase any iDevice which has leading 0 in the MAC address.
This thread was automatically locked due to age.
