FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 214328

This article describes how to configure IP/MAC Binding to avoid IP Spoofing on the network environment.

IP address of a computer can be easily changed to imitate the trusted host however, MAC address is integrated to Network Card in a host machine and mostly, it is impossible to alter/change it.


Demanding the traffic to go 'To & Through' the Firewall by reflecting both IP address & MAC Address of the host, intrusions of unknown connections are restricted easily.

Scope Prevent IP Spoofing - The intention of this feature is to authorize access only to those known systems from which the traffic passes To & Through Firewall.

Firewall IPMACbinding Setting.


# config firewall ipmacbinding setting
       set bindthroughfw (enable/disable) <----- Enable/disable use of IP/MAC binding to filter packets that would normally go through the firewall.
       set bindtofw (enable/disable) <----- Enable/disable use of IP/MAC binding to filter packets that would normally go to the firewall.
       set undefinedhost (allow/block) <----- Select action to take on packets with IP/MAC addresses not in the binding list (default = block).


Firewall IPMACbinding Table.


# config firewall ipmacbinding table <----- Add IP to MAC address pairs of the Trusted Hosts on the network
    edit (seq-num) <----- Entry number. range[0-4294967295].
        set ip <----- IPv4 addres.
        set mac (mac address) <----- Format: xx:xx:xx:xx:xx:xx in alpha-numeric).
        set name (string) <----- Name of the pair (optional, default = no name). size[35].
        set status (enable/disable) <----- Enable/disable this IP-mac binding pair.


Enable IPMAC on Interface - Very Important to make this IPMAC Binding to work.


# config system interface

    edit <Interface number> <----- Interface where the local machines are connected for which the IPMAC binding to be enabled
        set ipmac enable


 Additional information:


- With IP/MAC binding in place, if the IP address of a host that is already added in the IPMAC Table is changed, or any new host is added in the network, it is necessary to update the IP/MAC table accordingly.

If missed to update, host with new IP or a new host that is added will not have access To or Through the Firewall. 


- Host machines MAC address would be automatically added in the IPMAC Binding Table if this host is supplied with IP Address from FortiGate unit's DHCP server. While this simplifies IPMAC binding configuration, it can compromise the protection offered by IP/MAC binding if untrusted hosts are allowed to access the DHCP server.

Need to be cautious while enabling DHCP Server on FortiGate .


- 'undefinedhost' option will be available only when either or both 'bindthroughfw' and 'bindtofw' are enabled.


-ip - To allow packets with the MAC address, regardless of the IP address, the IP address can be set to


- mac - To allow packets with the IP address, regardless of the MAC address, the MAC address can be set to 00:00:00:00:00:00.