IP/MAC binding

Firewall configuration

You can enter the static IP addresses and corresponding MAC addresses of trusted computers in the Static IP/MAC table.

IP/MAC binding can be enabled for packets connecting to the firewall or passing through the firewall.

Note: If you enable IP/MAC binding and change the IP address of a computer with an IP or MAC address in the IP/MAC list, you must also change the entry in the IP/MAC list or the computer will not have access to or through the FortiGate unit. You must also add the IP/MAC address pair of any new computer that you add to your network or this computer will not have access to or through the FortiGate unit.

This section describes:

Configuring IP/MAC binding for packets going through the firewall

Configuring IP/MAC binding for packets going to the firewall

Adding IP/MAC addresses

Viewing the dynamic IP/MAC list

Enabling IP/MAC binding

Configuring IP/MAC binding for packets going through the firewall

Use the following procedure to use IP/MAC binding to filter packets that would normally be allowed through the firewall by a firewall policy.

1. Go to Firewall > IP/MAC Binding > Setting.

2. Select Enable IP/MAC binding going through the firewall.

3. Go to Firewall > IP/MAC Binding > Static IP/MAC.

4. Select New to add IP/MAC binding pairs to the IP/MAC binding list.

All packets that would normally be allowed through the firewall by a firewall policy are first compared with the entries in the IP/MAC binding list. If a match is found, then the firewall attempts to match the packet with a policy.

For example, if the IP/MAC pair IP 1.1.1.1 and 12:34:56:78:90:ab:cd is added to the IP/MAC binding list:

A packet with IP address 1.1.1.1 and MAC address 12:34:56:78:90:ab:cd is allowed to go on to be matched with a firewall policy.

A packet with IP 1.1.1.1 but with a different MAC address is dropped immediately to prevent IP spoofing.

A packet with a different IP address but with a MAC address of 12:34:56:78:90:ab:cd is dropped immediately to prevent IP spoofing.

A packet with both the IP address and MAC address not defined in the IP/MAC binding table:

is allowed to go on to be matched with a firewall policy if IP/MAC binding is set to Allow traffic,

is blocked if IP/MAC binding is set to Block traffic.
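The decision procedure above (exact pair match passes on to policy matching, a half-match is dropped as spoofing, an unknown pair follows the Allow traffic / Block traffic setting) is small enough to model directly. The following simulation is an added example written for this page; it is not Fortinet code and does not reproduce the FortiGate implementation. Table entries, MAC addresses and packets are constructed, and the class and function names are this example's own. It also shows the situation described in the note near the top of the page: a host whose IP address changes while its old pair stays in the table is treated as a mismatch and dropped until the entry is updated.

```python
"""Simulation of the IP/MAC binding decision for packets going through the firewall.

Added example, not FortiGate code. All addresses below are constructed.
"""
from dataclasses import dataclass
from enum import Enum


class UnknownAction(Enum):
    """Setting for packets whose IP and MAC are both absent from the table
    (the manual's "Allow traffic" / "Block traffic" choice)."""
    ALLOW = "allow"
    BLOCK = "block"


class Verdict(Enum):
    POLICY_LOOKUP = "passed on to firewall policy matching"
    DROP_SPOOFED = "dropped immediately (IP/MAC mismatch)"
    BLOCK_UNKNOWN = "blocked (unknown pair, Block traffic)"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str


def normalize_mac(mac: str) -> str:
    """Canonical form so 'AA-BB-CC-...' and 'aa:bb:cc:...' compare equal."""
    return mac.replace("-", ":").lower()


class IpMacBindingTable:
    """Static IP/MAC list plus the action for pairs that are not listed."""

    def __init__(self, entries, unknown_action: UnknownAction):
        self.by_ip = {}   # ip  -> bound mac
        self.by_mac = {}  # mac -> bound ip
        for ip, mac in entries:
            mac = normalize_mac(mac)
            self.by_ip[ip] = mac
            self.by_mac[mac] = ip
        self.unknown_action = unknown_action

    def check(self, pkt: Packet) -> Verdict:
        mac = normalize_mac(pkt.src_mac)
        ip_known = pkt.src_ip in self.by_ip
        mac_known = mac in self.by_mac
        # Exact pair match: binding is satisfied, policy matching happens next.
        if ip_known and self.by_ip[pkt.src_ip] == mac:
            return Verdict.POLICY_LOOKUP
        # Listed IP with a different MAC, or listed MAC with a different IP:
        # treated as spoofing and dropped before any policy is consulted.
        if ip_known or mac_known:
            return Verdict.DROP_SPOOFED
        # Neither address is in the table: the Allow/Block setting decides.
        if self.unknown_action is UnknownAction.ALLOW:
            return Verdict.POLICY_LOOKUP
        return Verdict.BLOCK_UNKNOWN


def stale_entry_demo() -> Verdict:
    """The note's failure mode: host keeps its MAC but moves to a new IP
    without the table being updated, so its traffic is dropped."""
    table = IpMacBindingTable([("192.0.2.10", "00:11:22:33:44:55")], UnknownAction.ALLOW)
    return table.check(Packet("192.0.2.20", "00:11:22:33:44:55"))


if __name__ == "__main__":
    table = IpMacBindingTable([("192.0.2.10", "00:11:22:33:44:55")], UnknownAction.ALLOW)
    for pkt in (Packet("192.0.2.10", "00:11:22:33:44:55"),
                Packet("192.0.2.10", "de:ad:be:ef:00:01"),
                Packet("192.0.2.99", "00:11:22:33:44:55"),
                Packet("192.0.2.99", "de:ad:be:ef:00:01")):
        print(pkt, "->", table.check(pkt).value)
    print("stale entry after IP change ->", stale_entry_demo().value)
```

The two dictionaries make the half-match test explicit: a packet is dropped whenever either of its addresses appears in the table bound to something else, which is exactly why the note says every IP change and every new host requires a table update.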

Fortinet Inc.