Configuring IP/MAC binding for packets going through the firewall

Firewall configuration


IP/MAC binding

IP/MAC binding protects the FortiGate unit and your network from IP spoofing attacks. IP spoofing attempts to use the IP address of a trusted computer to connect to or through the FortiGate unit from a different computer. The IP address of a computer can easily be changed to a trusted address, but MAC addresses are added to Ethernet cards at the factory and cannot easily be changed.

You can enter the static IP addresses and corresponding MAC addresses of trusted computers in the Static IP/MAC table.

If you have trusted computers with dynamic IP addresses that are set by the FortiGate DHCP server, the FortiGate unit adds these IP addresses and their corresponding MAC addresses to the Dynamic IP/MAC table. See “Providing DHCP services to your internal network” on page 119. The dynamic IP/MAC binding table is not available in Transparent mode.

IP/MAC binding can be enabled for packets connecting to the firewall or passing through the firewall.

Note: If you enable IP/MAC binding and change the IP address of a computer with an IP or MAC address in the IP/MAC list, you must also change the entry in the IP/MAC list or the computer will not have access to or through the FortiGate unit. You must also add the IP/MAC address pair of any new computer that you add to your network or this computer will not have access to or through the FortiGate unit.

This section describes:

Configuring IP/MAC binding for packets going through the firewall

Configuring IP/MAC binding for packets going to the firewall

Adding IP/MAC addresses

Viewing the dynamic IP/MAC list

Enabling IP/MAC binding

Configuring IP/MAC binding for packets going through the firewall

Use the following procedure to apply IP/MAC binding to packets that a firewall policy would otherwise allow through the firewall.

1. Go to Firewall > IP/MAC Binding > Setting.

2. Select Enable IP/MAC binding going through the firewall.

3. Go to Firewall > IP/MAC Binding > Static IP/MAC.

4. Select New to add IP/MAC binding pairs to the IP/MAC binding list.

All packets that would normally be allowed through the firewall by a firewall policy are first compared with the entries in the IP/MAC binding list. If a match is found, then the firewall attempts to match the packet with a policy.
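The check order described above, written out as an added simulation (not Fortinet code): a packet's source IP/MAC pair is looked up in the static and DHCP-populated dynamic tables before any policy lookup. The table contents are constructed, and it is an assumption of this example that a pair missing from both tables, or an IP bound to a different MAC, is dropped before policy matching, as the note on changed or new computers implies.

```python
"""Simulation of the FortiGate IP/MAC binding check (constructed example, not Fortinet code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str


# Static IP/MAC table: trusted hosts with fixed addresses (constructed values).
STATIC_BINDINGS = {
    "192.168.1.10": "00:11:22:33:44:55",
    "192.168.1.11": "00:11:22:33:44:66",
}

# Dynamic IP/MAC table: entries the FortiGate DHCP server would add (constructed values).
DYNAMIC_BINDINGS = {
    "192.168.1.150": "aa:bb:cc:dd:ee:01",
}


def check_binding(pkt, static=STATIC_BINDINGS, dynamic=DYNAMIC_BINDINGS):
    """Return the binding verdict for one packet.

    'match'   -> pair found in a table; packet goes on to firewall policy matching
    'spoofed' -> IP is bound to a different MAC (spoofing attempt, or a stale entry
                 after the computer's IP address was changed without updating the list)
    'unknown' -> IP in neither table (for example a new computer not yet added)
    Assumption: only 'match' reaches policy lookup; the other two are dropped.
    """
    mac = pkt.src_mac.lower()
    for table in (static, dynamic):
        bound = table.get(pkt.src_ip)
        if bound is not None:
            return "match" if bound.lower() == mac else "spoofed"
    return "unknown"


def filter_packets(packets):
    """Apply the binding check first, as the manual describes, and report each verdict."""
    return [(p, check_binding(p)) for p in packets]


if __name__ == "__main__":
    sample = [
        Packet("192.168.1.10", "00:11:22:33:44:55"),   # trusted host, matches static entry
        Packet("192.168.1.10", "de:ad:be:ef:00:01"),   # trusted IP sent from a different NIC
        Packet("192.168.1.150", "AA:BB:CC:DD:EE:01"),  # DHCP client, matches dynamic entry
        Packet("192.168.1.200", "aa:bb:cc:dd:ee:02"),  # computer never added to either table
    ]
    for pkt, verdict in filter_packets(sample):
        print(f"{pkt.src_ip:15} {pkt.src_mac:17} -> {verdict}")
```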

166

Fortinet Inc.
