Fortinet 400 Configuring IP/MAC binding for packets going to the firewall, Adding IP/MAC addresses

Firewall configuration IP/MAC binding

FortiGate-400 Installation and Configuration Guide 195

Configuring IP/MAC binding for packets going to the firewall

Use the following procedure to use IP/MAC binding to filter packets that would

normally connect with the firewall (for example, when an administrator is connecting to

the FortiGate unit for management).

1Go to Firewall > IP/MAC Binding > Setting.

2Select Enable IP/MAC binding going to the firewall.

3Go to Firewall > IP/MAC Binding > Static IP/MAC.

4Select New to add IP/MAC binding pairs to the IP/MAC binding list.

All packets that would normally connect to the firewall are first compared with the

entries in the IP/MAC binding table.

For example, if the IP/MAC pair IP 1.1.1.1 and 12:34:56:78:90:ab:cd is added to the

IP/MAC binding list:

• A packet with IP address 1.1.1.1 and MAC address 12:34:56:78:90:ab:cd is

allowed to connect to the firewall.

• A packet with IP 1.1.1.1 but with a different MAC address is dropped immediately

to prevent IP spoofing.

• A packet with a different IP address but with a MAC address of

12:34:56:78:90:ab:cd is dropped immediately to prevent IP spoofing.

• A packet with both the IP address and MAC address not defined in the IP/MAC

binding table:

• is allowed to connect to the firewall if IP/MAC binding is set to Allow traffic,

• is blocked if IP/MAC binding is set to Block traffic.

Adding IP/MAC addresses

1Go to Firewall > IP/MAC Binding > Static IP/MAC.

2Select New to add an IP address/MAC address pair.

3Enter the IP address and the MAC address.

You can bind multiple IP addresses to the same MAC address. You cannot bind

multiple MAC addresses to the same IP address.

However, you can set the IP address to 0.0.0.0 for multiple MAC addresses. This

means that all packets with these MAC addresses are matched with the IP/MAC

binding list.

Similarly, you can set the MAC address to 00:00:00:00:00:00 for multiple IP

addresses. This means that all packets with these IP addresses are matched with the

IP/MAC binding list.

4Enter a Name for the new IP/MAC address pair.

The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and

the special characters - and _. Other special characters and spaces are not allowed.

5Select Enable to enable IP/MAC binding for the IP/MAC pair.

6Select OK to save the IP/MAC binding pair.