IP/MAC binding

Firewall configuration

 

 

Figure 49: Adding an IP Pool

IP Pools for firewall policies that use fixed ports

Some network configurations do not operate correctly if a NAT policy translates the source port of packets used by the connection. NAT translates source ports to keep track of connections for a particular service. You can select fixed port for NAT policies to prevent source port translation. However, selecting fixed port means that only one connection can be supported through the firewall for this service. To be able to support multiple connections, you can add an IP pool to the destination interface, and then select dynamic IP pool in the policy. The firewall randomly selects an IP address from the IP pool and assigns it to each connection. In this case the number of connections that the firewall can support is limited by the number of IP addresses in the IP pool.

IP pools and dynamic NAT

You can use IP pools for dynamic NAT. For example, your organization might have purchased a range of Internet addresses but you might have only one Internet connection on the external interface of your FortiGate unit.

You can assign one of your organization’s Internet IP addresses to the external interface of the FortiGate unit. If the FortiGate unit is operating in NAT/Route mode, all connections from your network to the Internet appear to come from this IP address.

If you want connections to originate from all your Internet IP addresses, you can add this address range to an IP pool for the external interface. Then you can select Dynamic IP Pool for all policies with the external interface as the destination. For each connection, the firewall dynamically selects an IP address from the IP pool to be the source address for the connection. As a result, connections to the Internet appear to be originating from any of the IP addresses in the IP pool.

IP/MAC binding

IP/MAC binding protects the FortiGate unit and your network from IP spoofing attacks. IP spoofing attacks try to use the IP address of a trusted computer to connect to, or through, the FortiGate unit from a different computer. The IP address of a computer is easy to change to a trusted address, but MAC addresses are added to ethernet cards at the factory and are not easy to change.

214

Fortinet Inc.

Page 214
Image 214
Fortinet FortiGate-800 IP/MAC binding, IP Pools for firewall policies that use fixed ports, IP pools and dynamic NAT, 214