IP/MAC binding

Firewall configuration

 

 

For example, if the IP/MAC pair IP 1.1.1.1 and 12:34:56:78:90:ab:cd is added to the IP/MAC binding list:

A packet with IP address 1.1.1.1 and MAC address 12:34:56:78:90:ab:cd is allowed to go on to be matched with a firewall policy.

A packet with IP 1.1.1.1 but with a different MAC address is dropped immediately to prevent IP spoofing.

A packet with a different IP address but with a MAC address of 12:34:56:78:90:ab:cd is dropped immediately to prevent IP spoofing.

A packet with both the IP address and MAC address not defined in the IP/MAC binding table:

is allowed to go on to be matched with a firewall policy if IP/MAC binding is set to Allow traffic,

is blocked if IP/MAC binding is set to Block traffic.

Configuring IP/MAC binding for packets going to the firewall

Use the following procedure to use IP/MAC binding to filter packets that would normally connect with the firewall (for example, when an administrator is connecting to the FortiGate unit for management).

To configure IP/MAC binding for packets going to the firewall

1. Go to Firewall > IP/MAC Binding > Setting.

2. Select the Enable IP/MAC binding going to the firewall check box.

3. Go to Firewall > IP/MAC Binding > Static IP/MAC.

4. Select New to add IP/MAC binding pairs to the IP/MAC binding list.

All packets that would normally connect to the firewall are first compared with the entries in the IP/MAC binding table.

For example, if the IP/MAC pair IP 1.1.1.1 and 12:34:56:78:90:ab:cd is added to the IP/MAC binding list:

A packet with IP address 1.1.1.1 and MAC address 12:34:56:78:90:ab:cd is allowed to connect to the firewall.

A packet with IP 1.1.1.1 but with a different MAC address is dropped immediately to prevent IP spoofing.

A packet with a different IP address but with a MAC address of 12:34:56:78:90:ab:cd is dropped immediately to prevent IP spoofing.

A packet with both the IP address and MAC address not defined in the IP/MAC binding table:

is allowed to connect to the firewall if IP/MAC binding is set to Allow traffic,

is blocked if IP/MAC binding is set to Block traffic.
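
The four outcomes listed above, which are the same for packets going through the firewall and for packets going to it, can be modeled as a short audit script that checks observed source IP/MAC pairs against a binding list. This is an added example, not code from the Fortinet manual: the function names, the "pass"/"drop" labels and the sample addresses are assumptions made for illustration (1.1.1.1 comes from the text; the MAC addresses are constructed six-octet values).

```python
import ipaddress
import re

ALLOW, BLOCK = "Allow traffic", "Block traffic"  # setting for hosts not in the table


def norm_mac(mac):
    """Lowercase colon form; exactly 12 hex digits (six octets) or ValueError."""
    digits = re.sub(r"[:.\-]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_table(pairs):
    """Normalise the static IP/MAC list into a set of (ip, mac) tuples."""
    return {(str(ipaddress.ip_address(ip)), norm_mac(mac)) for ip, mac in pairs}


def check(table, src_ip, src_mac, unlisted=BLOCK):
    """Return (verdict, reason) for one packet, following the four cases above."""
    ip, mac = str(ipaddress.ip_address(src_ip)), norm_mac(src_mac)
    if (ip, mac) in table:
        return "pass", "pair is in the binding list"
    if any(ip == bound_ip for bound_ip, _ in table):
        return "drop", "bound IP with a different MAC"
    if any(mac == bound_mac for _, bound_mac in table):
        return "drop", "bound MAC with a different IP"
    if unlisted == ALLOW:
        return "pass", "unlisted host, setting is Allow traffic"
    return "drop", "unlisted host, setting is Block traffic"


def audit(table, observed, unlisted=BLOCK):
    """List the observed (ip, mac) pairs the binding check would drop."""
    dropped = []
    for ip, mac in observed:
        verdict, reason = check(table, ip, mac, unlisted)
        if verdict == "drop":
            dropped.append((ip, mac, reason))
    return dropped


# Constructed sample data: one binding and four observed source pairs.
TABLE = build_table([("1.1.1.1", "12:34:56:78:90:AB")])
OBSERVED = [("1.1.1.1", "12-34-56-78-90-ab"), ("1.1.1.1", "00:11:22:33:44:55"),
            ("1.1.1.9", "1234.5678.90ab"), ("10.0.0.7", "66:77:88:99:aa:bb")]

if __name__ == "__main__":
    for setting in (ALLOW, BLOCK):
        print(setting, audit(TABLE, OBSERVED, setting))
```

Running an audit like this against current address observations before switching to Block traffic shows which hosts, including management workstations, would lose access.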

Adding IP/MAC addresses

To add an IP/MAC address

1. Go to Firewall > IP/MAC Binding > Static IP/MAC.

2. Select New to add an IP address/MAC address pair.


Fortinet Inc.

Fortinet FortiGate-800 manual, Adding IP/MAC addresses