Packets that would normally be matched against firewall policies in order to pass through the firewall are first compared with the entries in the IP/MAC binding list. If a match is found, the firewall then attempts to match the packet with a policy.
For example, if the pair IP 1.1.1.1 and MAC 12:34:56:78:90:ab:cd is added to the IP/MAC binding list:
• A packet with IP address 1.1.1.1 and MAC address 12:34:56:78:90:ab:cd is allowed to go on to be matched with a firewall policy.
• A packet with IP 1.1.1.1 but with a different MAC address is dropped immediately to prevent IP spoofing.
• A packet with a different IP address but with a MAC address of 12:34:56:78:90:ab:cd is dropped immediately to prevent IP spoofing.
• A packet with both the IP address and MAC address not defined in the IP/MAC binding table:
  • is allowed to go on to be matched with a firewall policy if IP/MAC binding is set to Allow traffic,
  • is blocked if IP/MAC binding is set to Block traffic.
Configuring IP/MAC binding for packets going to the firewall
Use the following procedure to use IP/MAC binding to filter packets that would normally connect with the firewall (for example when an administrator is connecting to the
• Go to Firewall > IP/MAC Binding > Setting.
• Select Enable IP/MAC binding going to the firewall.
• Go to Firewall > IP/MAC Binding > Static IP/MAC.
• Select New to add IP/MAC binding pairs to the IP/MAC binding list.
All packets normally allowed to connect to the firewall are compared with the entries in the IP/MAC binding table. If a match is found in the IP/MAC binding table:
• If IP/MAC binding is set to Allow traffic, then IP/MAC binding allows the packet to connect to the firewall.
• If IP/MAC binding is set to Block traffic, then IP/MAC binding stops the packet from connecting to the firewall.
Adding IP/MAC addresses
• Go to Firewall > IP/MAC Binding > Static IP/MAC.
• Select New to add an IP address/MAC address pair.
• Enter the IP address and the MAC address.
You can bind multiple IP addresses to the same MAC address. You cannot bind multiple MAC addresses to the same IP address.
However, you can set the IP address to 0.0.0.0 for multiple MAC addresses. This means that all packets with these MAC addresses are matched with the IP/MAC binding list.
Similarly, you can set the MAC address to 00:00:00:00:00:00 for multiple IP addresses. This means that all packets with these IP addresses are matched with the IP/MAC binding list.
• Enter a Name for the new IP/MAC address pair.
The name can contain numbers
• Select Enable to enable IP/MAC binding for the IP/MAC pair.
• Select OK to save the IP/MAC binding pair.
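The matching rules described above for packets going through the firewall, together with the 0.0.0.0 and 00:00:00:00:00:00 entries, can be modelled as follows. This is an added example, not code from the firewall or its vendor: the function names, the 'allow'/'block' values and the sample addresses are constructed, and treating a zero entry as matching any value for that field is an assumption.

```python
# Added example: model of the IP/MAC binding check for through-firewall traffic.
# Assumption: 0.0.0.0 / 00:00:00:00:00:00 in an entry matches any IP / any MAC.
ANY_IP = "0.0.0.0"
ANY_MAC = "00:00:00:00:00:00"


def add_binding(table, ip, mac):
    """Add a static pair; refuse a second MAC address for the same IP."""
    mac = mac.lower()
    if ip != ANY_IP and any(e_ip == ip and e_mac != mac for e_ip, e_mac in table):
        raise ValueError(f"{ip} is already bound to another MAC address")
    table.append((ip, mac))


def check_packet(table, undefined_action, src_ip, src_mac):
    """Return 'policy' (go on to policy matching) or 'drop'.

    undefined_action ('allow' or 'block') stands in for the Allow traffic /
    Block traffic setting applied to pairs not defined in the table.
    """
    src_mac = src_mac.lower()
    ip_known = mac_known = False
    for ip, mac in table:
        if (ip in (src_ip, ANY_IP)) and (mac in (src_mac, ANY_MAC)):
            return "policy"              # pair is in the binding list
        ip_known |= ip == src_ip
        mac_known |= mac == src_mac
    if ip_known or mac_known:
        return "drop"                    # only half of a bound pair matches
    return "policy" if undefined_action == "allow" else "drop"


if __name__ == "__main__":
    table = []                           # constructed sample bindings
    add_binding(table, "192.0.2.10", "00:00:5e:00:53:01")
    add_binding(table, "0.0.0.0", "00:00:5e:00:53:20")
    for ip, mac in [("192.0.2.10", "00:00:5e:00:53:01"),
                    ("192.0.2.10", "00:00:5e:00:53:99"),
                    ("198.51.100.7", "00:00:5e:00:53:20"),
                    ("192.0.2.50", "00:00:5e:00:53:99")]:
        print(ip, mac, check_packet(table, "block", ip, mac))
```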