FortiGate
Article Id 196155
Description
In normal operation, a FortiGate firewall provides network access control by filtering packets on elements such as source and destination IP address. This is done with firewall policies.

A FortiGate can additionally be configured to restrict access by workstation MAC address. Binding an IP address to a specific MAC address gives a higher level of control and reporting: because both the IP address and the MAC address must match the table entry, a trusted IP address that has been spoofed by another host fails the MAC check and is denied.

This procedure only helps when the devices being restricted reside on the same network segment (the same broadcast domain) as a FortiGate interface. When a router sits between the host and the FortiGate, the source MAC address seen by the FortiGate is that of the router's interface, not the original host's, so the check no longer applies.

The following is a brief description of how this can be done.
Scope
MAC / IP Binding / Filtering
Solution
The feature used in this procedure is called IP/MAC binding. Using the CLI, an administrator can configure a manual binding table that defines which MAC address corresponds to which IP address.

This is only recommended in small to medium networks; extra caution is required in large networks, because the table is maintained by hand and every host move or replacement requires an update. As mentioned earlier, if any routing takes place before traffic reaches the FortiGate, the source MAC address will already have been replaced with that of the router, so the binding check cannot be applied to those hosts.

Note:  If IP/MAC binding is enabled and the IP address of a host listed in the IP/MAC table changes, or a new computer is added to the network, the IP/MAC table must be updated. If it is not, the new or changed hosts will not have access to or through the FortiGate unit, depending on the settings configured (see undefinedhost below).

Caution:  If a client receives an IP address from the FortiGate unit's DHCP server, the client's MAC address is automatically registered in the IP/MAC binding table. This simplifies IP/MAC binding configuration, but it also neutralizes the protection IP/MAC binding offers if untrusted hosts can reach the DHCP server, since any host that obtains a lease becomes a trusted binding. Use caution when enabling the DHCP server and restrict which hosts can reach it.

Syntax:
config firewall ipmacbinding setting
    set bindthroughfw {enable | disable}   - apply the IP/MAC check to traffic passing through the FortiGate (from one interface to another)
    set bindtofw {enable | disable}        - apply the IP/MAC check to traffic destined to the FortiGate itself (for example, management access)
    set undefinedhost {allow | block}      - how to treat traffic from a source whose IP address and MAC address are not in the table
end
Syntax:
config firewall ipmacbinding table
    edit <index_int>                   - the entry number in the IP/MAC binding table
        set ip <address_ipv4>          - IP address of the host
        set mac <address_hex>          - MAC address of the host, in the form xx:xx:xx:xx:xx:xx
        set name <name_str>            - descriptive name for this binding
        set status {enable | disable}  - whether this entry is active
    next
end

Syntax:
config system interface
    edit <interface name>
        set ipmac {enable | disable}   - enable IP/MAC binding on this interface; the check is only applied on interfaces where this is enabled
    next
end
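The following is an added example, not FortiOS code or part of the original article. It models the decision the three CLI blocks above describe (an exact IP and MAC pair match is allowed, a source whose IP or MAC is in the table but whose pair does not match is blocked, and a source known by neither falls under undefinedhost), shows the router and DHCP caveats in action, and generates the corresponding CLI commands. The interface name "port2", all host names, IP addresses and MAC addresses are constructed sample data, and the decision logic is a model written for illustration rather than a copy of the FortiGate implementation.

```python
"""Model of FortiGate IP/MAC binding decisions plus a CLI generator.
Not FortiOS code; decision rules follow the article's description."""
from dataclasses import dataclass, field
import ipaddress
import re


def normalize_mac(mac: str) -> str:
    """Accept 00-11-22-33-44-55, 0011.2233.4455 or 00:11:22:33:44:55 and
    return the colon-separated lowercase form FortiOS expects."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


@dataclass
class Binding:
    ip: str
    mac: str
    name: str
    status: str = "enable"


@dataclass
class IpMacBinding:
    bindthroughfw: bool = True
    bindtofw: bool = True
    undefinedhost: str = "block"                 # allow | block
    interface: str = "port2"                     # assumed LAN interface name
    table: dict = field(default_factory=dict)    # index -> Binding

    def add(self, index: int, ip: str, mac: str, name: str) -> None:
        ip = str(ipaddress.IPv4Address(ip))
        mac = normalize_mac(mac)
        # Reject duplicates: a second entry for the same IP or MAC would
        # silently leave one of the two hosts failing the check.
        for b in self.table.values():
            if b.ip == ip or b.mac == mac:
                raise ValueError(f"{ip}/{mac} overlaps entry {b.name!r}")
        self.table[index] = Binding(ip, mac, name)

    def register_dhcp_lease(self, index: int, ip: str, mac: str) -> None:
        """The DHCP caution above: a lease from the FortiGate DHCP server
        becomes a trusted binding, whoever the client is."""
        self.add(index, ip, mac, f"dhcp-{normalize_mac(mac)}")

    def decide(self, src_ip: str, src_mac: str, to_fortigate: bool) -> str:
        """Return 'allow' or 'block' for a frame seen on the bound interface."""
        if not (self.bindtofw if to_fortigate else self.bindthroughfw):
            return "allow"                       # check disabled for this direction
        src_ip = str(ipaddress.IPv4Address(src_ip))
        src_mac = normalize_mac(src_mac)
        active = [b for b in self.table.values() if b.status == "enable"]
        if any(b.ip == src_ip and b.mac == src_mac for b in active):
            return "allow"                       # exact pair match
        if any(b.ip == src_ip or b.mac == src_mac for b in active):
            # IP or MAC is known but the pair does not match: a spoofed
            # address, or a bound host whose frames arrive via a router
            return "block"
        return self.undefinedhost                # source known by neither column

    def cli(self) -> str:
        """Emit the three FortiOS CLI blocks from the article for this table."""
        def onoff(v: bool) -> str:
            return "enable" if v else "disable"
        lines = ["config firewall ipmacbinding setting",
                 f"    set bindthroughfw {onoff(self.bindthroughfw)}",
                 f"    set bindtofw {onoff(self.bindtofw)}",
                 f"    set undefinedhost {self.undefinedhost}",
                 "end",
                 "config firewall ipmacbinding table"]
        for idx, b in sorted(self.table.items()):
            lines += [f"    edit {idx}", f"        set ip {b.ip}",
                      f"        set mac {b.mac}", f'        set name "{b.name}"',
                      f"        set status {b.status}", "    next"]
        lines += ["end", "config system interface", f"    edit {self.interface}",
                  "        set ipmac enable", "    next", "end"]
        return "\n".join(lines)


def example_firewall() -> IpMacBinding:
    """Constructed sample table: two LAN workstations plus one host that sits
    behind a router (10.0.1.0/24 is a different segment)."""
    fw = IpMacBinding()
    fw.add(1, "192.168.1.10", "00-11-22-33-44-55", "ws-finance")
    fw.add(2, "192.168.1.11", "0011.2233.4456", "ws-hr")
    fw.add(3, "10.0.1.50", "00:11:22:33:44:60", "remote-host")
    return fw


if __name__ == "__main__":
    fw = example_firewall()
    print(fw.cli())
    # legitimate host, spoofed IP, unknown host, and the bound host behind a
    # router (its frames arrive carrying the router's MAC, so it is blocked)
    for ip, mac in [("192.168.1.10", "00:11:22:33:44:55"),
                    ("192.168.1.10", "aa:bb:cc:dd:ee:ff"),
                    ("192.168.1.99", "aa:bb:cc:dd:ee:ff"),
                    ("10.0.1.50", "00:de:ad:be:ef:01")]:
        print(ip, mac, "->", fw.decide(ip, mac, to_fortigate=False))
```

Running the script prints the generated CLI followed by the four decisions. The fourth line is the router caveat from the Description: 10.0.1.50 is in the table, but its frames reach the FortiGate with the router's MAC, so the pair never matches and the host is blocked rather than protected. Adding a lease with register_dhcp_lease shows the DHCP caution: the new host is allowed immediately, with no administrator review.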
 
Refer to the CLI guide for more information regarding this feature.