msanjaypadma
Article Id 199502
Description This article describes how to configure IP/MAC binding on a FortiGate device.
Scope FortiOS v6.0 and later.
Solution

IP/MAC binding protects the FortiGate unit and/or the network from IP address spoofing attacks. IP spoofing attacks attempt to use the IP address of a trusted computer to connect to, or through, the FortiGate unit from a different computer. It is simple to change a computer’s IP address to mimic that of a trusted host, but MAC addresses are often added to Ethernet cards at the factory, and are more difficult to change. By requiring that traffic from trusted hosts reflect both the IP address and MAC address known for that host, fraudulent connections are more difficult to construct.

1) Configure the table of IP addresses and the MAC addresses bound to them under firewall ipmacbinding table.

Configuration:
#config firewall ipmacbinding table
edit {seq-num} ---> Sequence number of the IP/MAC pair in the IP/MAC binding table.
set ip {ipv4 address} ---> IPv4 address portion of the pair (format: xxx.xxx.xxx.xxx); the source IP address of the trusted host.
set mac {mac address} ---> MAC address portion of the pair (format: xx:xx:xx:xx:xx:xx, hexadecimal); the source MAC address of the trusted host.
set name {string} ---> Name of the pair (optional, default = no name). Maximum 35 characters.
set status {enable | disable} ---> Enable/disable this IP/MAC binding pair.
next
end

Example:
#config firewall ipmacbinding table
edit 1
set ip 172.31.139.62
set mac 00:74:61:55:1f:44
set name "User1"
set status enable
next
end


2) Configure the IP/MAC binding settings. Note that undefinedhost defaults to block, so once binding is enabled on an interface, any host whose IP/MAC pair is not in the table is dropped.

Configuration:
#config firewall ipmacbinding setting
set bindthroughfw {enable | disable} ---> Enable/disable use of IP/MAC binding to filter packets that would normally go through the firewall.
set bindtofw {enable | disable} ---> Enable/disable use of IP/MAC binding to filter packets that would normally go to the firewall.
set undefinedhost {allow | block} ---> Action to take on packets whose IP/MAC addresses are not in the binding list (default = block).
end

Example:
#config firewall ipmacbinding setting
set bindthroughfw enable
end


3) Enable ipmac on the incoming (trusted) interface, i.e. LAN or DMZ.
#config system interface
edit "port2"
set vdom "root"
set ip 172.31.139.61 255.255.240.0
set allowaccess ping https ssh http telnet
set ipmac enable ---> Enable/disable IP/MAC binding on this interface.
set type physical
set snmp-index 2
next
end


Verification:

FGT1 # diagnose firewall ipmac list
List firewall IP/MAC address pairs:
ip=172.31.139.62 mac=00:74:61:55:1f:44 act=01 flag=00

FGT1 # diagnose firewall ipmac status
ipmac status: enable=2, default_act=0, count=1
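The three steps above can be driven from a host inventory: the following Python helper (an added example, not Fortinet's code) normalizes MAC addresses into the xx:xx:xx:xx:xx:xx form the CLI expects, renders the firewall ipmacbinding table block for a list of trusted hosts, and compares the output of diagnose firewall ipmac list against that inventory so that a missing or mismatched binding is caught before undefinedhost = block cuts a host off. The inventory and the diagnose output are constructed sample data; the second host is hypothetical.

```python
import ipaddress
import re

# Constructed inventory of trusted hosts: (name, IPv4, MAC). User1 matches the
# article's example; "Printer" is a hypothetical second host.
TRUSTED_HOSTS = [
    ("User1", "172.31.139.62", "00:74:61:55:1f:44"),
    ("Printer", "172.31.139.70", "3C-52-82-AA-BB-CC"),
]


def normalize_mac(mac: str) -> str:
    """Accept 00-74-61-55-1F-44, 0074.6155.1f44 or 00:74:61:55:1f:44 and
    return the lower-case colon-separated form FortiOS expects."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def render_binding_table(hosts) -> str:
    """Emit the 'config firewall ipmacbinding table' block for the inventory,
    one sequence number per host, with every pair enabled."""
    lines = ["config firewall ipmacbinding table"]
    for seq, (name, ip, mac) in enumerate(hosts, start=1):
        ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
        lines += [f"    edit {seq}",
                  f"        set ip {ip}",
                  f"        set mac {normalize_mac(mac)}",
                  f'        set name "{name[:35]}"',  # name is capped at 35 chars
                  "        set status enable",
                  "    next"]
    lines.append("end")
    return "\n".join(lines)


# One line of 'diagnose firewall ipmac list' output, e.g.
# "ip=172.31.139.62 mac=00:74:61:55:1f:44 act=01 flag=00"
DIAG_RE = re.compile(r"ip=(\S+)\s+mac=(\S+)")


def check_diag_output(hosts, diag_text: str) -> list:
    """Return a list of problems found when comparing the diagnose output with
    the inventory; an empty list means every expected binding is present."""
    bound = {ip: mac.lower() for ip, mac in DIAG_RE.findall(diag_text)}
    problems = []
    for name, ip, mac in hosts:
        expected = normalize_mac(mac)
        if ip not in bound:
            problems.append(f"{name}: {ip} missing from binding table")
        elif bound[ip] != expected:
            problems.append(f"{name}: {ip} bound to {bound[ip]}, expected {expected}")
    return problems
```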
