Manuals / Fortinet / Computer Equipment / Network Card

Fortinet FortiGate-800 manual Adding IP/MAC addresses, 216

Models: FortiGate-800

1 336
Download 336 pages 18.65 Kb
Page 216
Image 216

IP/MAC binding

Firewall configuration

 

 

For example, if the IP/MAC pair IP 1.1.1.1 and 12:34:56:78:90:ab:cd is added to the

IP/MAC binding list:

A packet with IP address 1.1.1.1 and MAC address 12:34:56:78:90:ab:cd is allowed to go on to be matched with a firewall policy.

A packet with IP 1.1.1.1 but with a different MAC address is dropped immediately to prevent IP spoofing.

A packet with a different IP address but with a MAC address of 12:34:56:78:90:ab:cd is dropped immediately to prevent IP spoofing.

A packet with both the IP address and MAC address not defined in the IP/MAC binding table:

is allowed to go on to be matched with a firewall policy if IP/MAC binding is set to Allow traffic,

is blocked if IP/MAC binding is set to Block traffic.

Configuring IP/MAC binding for packets going to the firewall

Use the following procedure to use IP/MAC binding to filter packets that would normally connect with the firewall (for example, when an administrator is connecting to the FortiGate unit for management).

To configure IP/MAC binding for packets going to the firewall

1Go to Firewall > IP/MAC Binding > Setting.

2Select the Enable IP/MAC binding going to the firewall check box.

3Go to Firewall > IP/MAC Binding > Static IP/MAC.

4Select New to add IP/MAC binding pairs to the IP/MAC binding list.

All packets that would normally connect to the firewall are first compared with the entries in the IP/MAC binding table.

For example, if the IP/MAC pair IP 1.1.1.1 and 12:34:56:78:90:ab:cd is added to the IP/MAC binding list:

A packet with IP address 1.1.1.1 and MAC address 12:34:56:78:90:ab:cd is allowed to connect to the firewall.

A packet with IP 1.1.1.1 but with a different MAC address is dropped immediately to prevent IP spoofing.

A packet with a different IP address but with a MAC address of 12:34:56:78:90:ab:cd is dropped immediately to prevent IP spoofing.

A packet with both the IP address and MAC address not defined in the IP/MAC binding table:

is allowed to connect to the firewall if IP/MAC binding is set to Allow traffic,

is blocked if IP/MAC binding is set to Block traffic.

Adding IP/MAC addresses

To add an IP/MAC address

1Go to Firewall > IP/MAC Binding > Static IP/MAC.

2Select New to add an IP address/MAC address pair.

216

Fortinet Inc.

Page 215 Page 217
Page 216
Image 216
Fortinet FortiGate-800 manual Adding IP/MAC addresses, 216
Page 215 Page 217