FortiGate
msanjaypadma
Staff
Article Id 199502
Description: This article discusses how to configure IP to MAC binding settings on FortiGate.
Scope: FortiGate v6.0 and later.
Solution

IP/MAC binding protects the FortiGate and/or the network behind it from IP address spoofing. In an IP spoofing attack, a different computer uses the IP address of a trusted host to connect to, or through, the FortiGate.

Changing a computer's IP address to mimic a trusted host is trivial. MAC addresses are assigned to Ethernet adapters at the factory and, although most operating systems allow them to be overridden in software, doing so takes an extra deliberate step.

By requiring that traffic from a trusted host carry both the IP address and the MAC address known for that host, forged connections are harder to construct. Because the source MAC address is only visible on the directly connected segment, the check is meaningful on interfaces where the trusted hosts sit on the same Layer 2 network as the FortiGate; traffic that arrives through another router carries that router's MAC address, not the host's.

 

Two deployment cases need to be distinguished.

If a separate DHCP server on the network behind the FortiGate assigns IP addresses, configure reservations on that server keyed on each trusted device's MAC address so that the device always receives the same IP. A reservation only makes the lease predictable; it does not stop another device from configuring that IP address statically, which is exactly the case IP/MAC binding is meant to catch.

In this setup the FortiGate is not the DHCP server, so it does not learn IP-to-MAC pairs from leases. The pairs for the trusted hosts must be entered in the FortiGate's IP/MAC binding table manually, as shown in the steps below.

If the FortiGate itself is the DHCP server on the interface, enabling IP/MAC binding on that interface additionally causes leased addresses to be added to the binding table automatically (see the note at the end of this article).

 

  1. Configure the table of IP addresses and the MAC addresses bound to them (config firewall ipmacbinding table):

 

Configuration:

 

config firewall ipmacbinding table

edit {seq-num}  ---> Sequence number of the IP/MAC pair in the IP/MAC binding table.

set ip {ipv4 address} ---> IPv4 address portion of the pair (format: xxx.xxx.xxx.xxx); the source IP address of the trusted host.
set mac {mac address} ---> MAC address portion of the pair (format: xx:xx:xx:xx:xx:xx in hexadecimal); the source MAC address of the trusted host.
set name {string} ---> Name of the pair (optional, default = no name). size[35]
set status {enable | disable} ---> Enable/disable this IP/MAC binding pair.

next

end

 

Example : 

 

config firewall ipmacbinding table

edit 1

set ip 172.31.139.62
set mac 00:74:61:55:1f:44
set name "User1"
set status enable

next

end

 

  2. Configure the IP/MAC binding settings:

Configuration:

 

config firewall ipmacbinding setting

set bindthroughfw [enable|disable] ---> Enable/disable use of IP/MAC binding to filter packets that would normally go through the firewall.
set bindtofw [enable|disable] ---> Enable/disable use of IP/MAC binding to filter packets that would normally go to the firewall (management and other traffic destined to the FortiGate itself).
set undefinedhost [allow|block] ---> Action to take on packets whose IP/MAC pair is not in the binding list (default = block).

end


Example:


config firewall ipmacbinding setting

set bindthroughfw enable

end

With undefinedhost left at its default of block, any host on an ipmac-enabled interface that is not in the table is dropped, so add every trusted host to the table before enabling ipmac on the interface in the next step. Enable bindtofw only after the administrator's own workstation is in the table; otherwise management access to the FortiGate over that interface is lost.

 

  3. Enable ipmac on the incoming (trusted) interface, i.e. LAN/DMZ:


config system interface

edit "port2"

set vdom "root"
set ip 172.31.139.61 255.255.240.0
set allowaccess ping https ssh http telnet
set ipmac enable ---> Enable/disable IP/MAC binding on this interface. This is the only line that needs to be added; the remaining settings are the interface's existing configuration.
set type physical
set snmp-index 2

next

end

 

Verification:

 

FGT1 # diagnose firewall ipmac list
List firewall IP/MAC address pairs:
ip=172.31.139.62 mac=00:74:61:55:1f:44 act=01 flag=00

FGT1 # diagnose firewall ipmac status
ipmac status: enable=2, default_act=0, count=1

The list shows one line per configured pair, and count in the status output should match the number of entries in the binding table (one in this example).
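Maintaining the binding table by hand gets error-prone once more than a handful of hosts are involved. The following Python script is an added example and is not code from the Fortinet article or from FortiOS: it builds the three CLI blocks from steps 1 to 3 out of a host inventory (normalizing MAC addresses to the xx:xx:xx:xx:xx:xx form the CLI expects and rejecting one IP bound to two MACs), and parses a captured 'diagnose firewall ipmac list' output to report hosts that are missing, mismatched or unexpected in the live table. The inventory, the interface name "port2" and the diag output are constructed for the example.

```python
"""Generate FortiGate IP/MAC binding CLI from an inventory and check the
live table against it. Added example; inventory and diag output are constructed."""
import ipaddress
import re

# Constructed inventory: (name, ip, mac). MACs deliberately use mixed notations.
HOSTS = [
    ("User1", "172.31.139.62", "00:74:61:55:1f:44"),
    ("Printer", "172.31.139.70", "0074.6155.1F45"),
    ("Scanner", "172.31.139.71", "00-74-61-55-1F-46"),
]

# Constructed 'diagnose firewall ipmac list' output in the format shown above:
# .70 has a different MAC than the inventory, .71 is absent, .80 is unknown.
DIAG_OUTPUT = """\
List firewall IP/MAC address pairs:
ip=172.31.139.62 mac=00:74:61:55:1f:44 act=01 flag=00
ip=172.31.139.70 mac=00:74:61:55:1f:99 act=01 flag=00
ip=172.31.139.80 mac=00:74:61:55:1f:50 act=01 flag=00
"""


def normalize_mac(mac):
    """Return a MAC in lower-case xx:xx:xx:xx:xx:xx form, accepting
    dotted (Cisco), dashed or colon-separated input."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def validate_hosts(hosts):
    """Reject malformed IPs/MACs and one IP bound to two different MACs;
    return normalized (name, ip, mac) tuples."""
    seen, out = {}, []
    for name, ip, mac in hosts:
        ip = str(ipaddress.IPv4Address(ip))  # raises on malformed input
        mac = normalize_mac(mac)
        if seen.get(ip, mac) != mac:
            raise ValueError(f"{ip} bound to both {seen[ip]} and {mac}")
        seen[ip] = mac
        out.append((name, ip, mac))
    return out


def render_binding_config(hosts, interface, bind_to_fw=False):
    """Emit the table, setting and interface blocks from the article.
    bindtofw stays disabled unless asked for, since enabling it without the
    admin workstation in the table cuts off management access."""
    lines = ["config firewall ipmacbinding table"]
    for seq, (name, ip, mac) in enumerate(validate_hosts(hosts), start=1):
        lines += [
            f"    edit {seq}",
            f"        set ip {ip}",
            f"        set mac {mac}",
            f'        set name "{name[:35]}"',  # name field is limited to 35 characters
            "        set status enable",
            "    next",
        ]
    lines += [
        "end",
        "config firewall ipmacbinding setting",
        "    set bindthroughfw enable",
        f"    set bindtofw {'enable' if bind_to_fw else 'disable'}",
        "    set undefinedhost block",
        "end",
        "config system interface",
        f'    edit "{interface}"',
        "        set ipmac enable",
        "    next",
        "end",
    ]
    return "\n".join(lines)


DIAG_LINE = re.compile(r"^ip=(\S+)\s+mac=(\S+)\s+act=(\S+)")


def parse_ipmac_list(text):
    """Parse 'diagnose firewall ipmac list' lines into {ip: mac}."""
    pairs = {}
    for line in text.splitlines():
        m = DIAG_LINE.match(line.strip())
        if m:
            pairs[m.group(1)] = normalize_mac(m.group(2))
    return pairs


def diff_bindings(hosts, diag_text):
    """Return (missing, mismatched, unexpected) IPs. Missing and mismatched
    hosts are dropped under undefinedhost=block; unexpected entries may be
    stale or auto-learned from a DHCP lease on the FortiGate."""
    wanted = {ip: mac for _, ip, mac in validate_hosts(hosts)}
    live = parse_ipmac_list(diag_text)
    missing = sorted(ip for ip in wanted if ip not in live)
    mismatched = sorted(ip for ip in wanted if ip in live and live[ip] != wanted[ip])
    unexpected = sorted(ip for ip in live if ip not in wanted)
    return missing, mismatched, unexpected


if __name__ == "__main__":
    print(render_binding_config(HOSTS, "port2"))
    print(diff_bindings(HOSTS, DIAG_OUTPUT))
```

Run it once to produce the CLI to paste into the FortiGate, then again after deployment with the real output of diagnose firewall ipmac list in place of DIAG_OUTPUT; a non-empty missing or mismatched list means a trusted host will be blocked, and an unexpected entry is worth checking against the DHCP auto-learning behaviour described in the note below.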

 

Note:

  • Make sure to update the entry in the binding table whenever a trusted host's IP address changes. If the host's new IP is not updated in the table, its traffic going to or through the FortiGate is denied (with undefinedhost at its default of block).

  • With 'set ipmac enable' set on an interface that also has a DHCP server enabled, a host's MAC address is automatically added to the IP/MAC binding table when it obtains a lease from that DHCP server. While this simplifies IP/MAC binding configuration, it undermines the protection offered by IP/MAC binding if untrusted hosts can reach the DHCP server, since any such host gets a binding simply by requesting a lease. Be cautious when enabling the DHCP server on the FortiGate for an interface that uses IP/MAC binding.