Firewall configuration | IP/MAC binding |
If you want connections to originate from all your Internet IP addresses, you can add this address range to an IP pool for the external interface. Then you can select Dynamic IP Pool for all policies with the external interface as the destination. For each connection, the firewall dynamically selects an IP address from the IP pool to be the source address for the connection. As a result, connections to the Internet appear to be originating from any of the IP addresses in the IP pool.
IP/MAC binding
IP/MAC binding protects the FortiGate unit and your network from IP spoofing attacks. IP spoofing attacks try to use the IP address of a trusted computer to connect to, or through, the FortiGate unit from a different computer. The IP address of a computer is easy to change to a trusted address, but MAC addresses are added to Ethernet cards at the factory and are not easy to change.
You can enter the static IP addresses and corresponding MAC addresses of trusted computers in the static IP/MAC table.
If you have trusted computers with dynamic IP addresses that are set by the FortiGate DHCP server, the FortiGate unit adds these IP addresses and their corresponding MAC addresses to the dynamic IP/MAC table. For information about viewing the table, see “Viewing a DHCP server dynamic IP list” on page 107. The dynamic IP/MAC binding table is not available in Transparent mode.
You can enable IP/MAC binding for packets in sessions connecting to the firewall or passing through the firewall.
Note: If you enable IP/MAC binding and change the IP address of a computer with an IP or MAC address in the IP/MAC list, you must also change the entry in the IP/MAC list or the computer does not have access to or through the FortiGate unit. You must also add the IP/MAC address pair of any new computer that you add to your network or the new computer does not have access to or through the FortiGate unit.
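The following is an added example, not part of the original guide: a check to run before enabling IP/MAC binding, comparing a static IP/MAC table with observed address pairs (for example from an ARP or DHCP lease listing) to find the computers that the Note above says would lose access. The function names, status labels, table layout and sample addresses are constructed assumptions, and the code models only the behaviour the Note describes, not the FortiGate implementation.

```python
import ipaddress
import re

# Constructed sample data (documentation addresses, locally administered MACs).
STATIC_TABLE = [("192.0.2.10", "02:00:00:00:00:0A"),
                ("192.0.2.11", "02-00-00-00-00-0B")]
OBSERVED = [("192.0.2.10", "0200.0000.000a"),     # listed pair, other notation
            ("192.0.2.11", "02:00:00:00:00:99"),  # listed IP, different MAC
            ("192.0.2.50", "02:00:00:00:00:0b"),  # listed MAC, new IP
            ("192.0.2.60", "02:00:00:00:00:60")]  # new computer, never added

def norm_mac(mac):
    """Normalise colon, hyphen or dotted notation to lower-case colon form."""
    digits = re.sub(r"[:.\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def load_table(pairs):
    """Index the table by IP and by MAC; one IP may not map to two MACs."""
    by_ip, by_mac = {}, {}
    for ip, mac in pairs:
        ip, mac = str(ipaddress.ip_address(ip)), norm_mac(mac)
        if by_ip.setdefault(ip, mac) != mac:
            raise ValueError(f"{ip} is listed with two different MAC addresses")
        by_mac.setdefault(mac, set()).add(ip)
    return by_ip, by_mac

def classify(ip, mac, by_ip, by_mac):
    """Return a hypothetical status label for one observed IP/MAC pair."""
    ip, mac = str(ipaddress.ip_address(ip)), norm_mac(mac)
    if by_ip.get(ip) == mac:
        return "match"
    if ip in by_ip:
        return "mac-mismatch"  # trusted IP seen from another MAC: spoofing or a replaced NIC
    if mac in by_mac:
        return "ip-changed"    # listed computer moved to an IP that is not in the table
    return "unlisted"          # new computer whose pair was never added

def audit(table, observed):
    """Classify every observed pair against the static table."""
    by_ip, by_mac = load_table(table)
    return [(ip, mac, classify(ip, mac, by_ip, by_mac)) for ip, mac in observed]

if __name__ == "__main__":
    for ip, mac, status in audit(STATIC_TABLE, OBSERVED):
        print(f"{ip:<12} {norm_mac(mac)}  {status}")
```

Every pair that is not a `match` needs a table update before binding is enabled; a `mac-mismatch` should be investigated first, since it is also what a spoofed trusted address looks like.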
This section describes:
• Configuring IP/MAC binding for packets going through the firewall
• Configuring IP/MAC binding for packets going to the firewall
• Adding IP/MAC addresses
• Viewing the dynamic IP/MAC list
• Enabling IP/MAC binding
Configuring IP/MAC binding for packets going through the firewall
Use the following procedure to use IP/MAC binding to filter packets that a firewall policy would normally allow through the firewall.
To configure IP/MAC binding for packets going through the firewall
1. Go to Firewall > IP/MAC Binding > Setting.
2. Select the Enable IP/MAC binding going through the firewall check box.
3. Go to Firewall > IP/MAC Binding > Static IP/MAC.