Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
kgeorge
Staff
Staff

Created on ‎06-10-2022 04:47 AM

Article Id 214328

Technical Tip: IPMAC Binding

Description

This article describes how to configure IP/MAC Binding to avoid IP Spoofing on the network environment.

IP address of a computer can be easily changed to imitate the trusted host however, MAC address is integrated to Network Card in a host machine and mostly, it is impossible to alter/change it.

 

Demanding the traffic to go 'To & Through' the Firewall by reflecting both IP address & MAC Address of the host, intrusions of unknown connections are restricted easily.
Scope Prevent IP Spoofing - The intention of this feature is to authorize access only to those known systems from which the traffic passes To & Through Firewall.
Solution

Firewall IPMACbinding Setting.

 

# config firewall ipmacbinding setting
       set bindthroughfw (enable/disable) <----- Enable/disable use of IP/MAC binding to filter packets that would normally go through the firewall.
       set bindtofw (enable/disable) <----- Enable/disable use of IP/MAC binding to filter packets that would normally go to the firewall.
       set undefinedhost (allow/block) <----- Select action to take on packets with IP/MAC addresses not in the binding list (default = block).
end

 

Firewall IPMACbinding Table.

 

# config firewall ipmacbinding table <----- Add IP to MAC address pairs of the Trusted Hosts on the network
    edit (seq-num) <----- Entry number. range[0-4294967295].
        set ip <----- IPv4 addres.
        set mac (mac address) <----- Format: xx:xx:xx:xx:xx:xx in alpha-numeric).
        set name (string) <----- Name of the pair (optional, default = no name). size[35].
        set status (enable/disable) <----- Enable/disable this IP-mac binding pair.
    next
end

 

Enable IPMAC on Interface - Very Important to make this IPMAC Binding to work.

 

# config system interface

    edit <Interface number> <----- Interface where the local machines are connected for which the IPMAC binding to be enabled
        set ipmac enable
    end

  

 Additional information:

 

- With IP/MAC binding in place, if the IP address of a host that is already added in the IPMAC Table is changed, or any new host is added in the network, it is necessary to update the IP/MAC table accordingly.

If missed to update, host with new IP or a new host that is added will not have access To or Through the Firewall. 

 

- Host machines MAC address would be automatically added in the IPMAC Binding Table if this host is supplied with IP Address from FortiGate unit's DHCP server. While this simplifies IPMAC binding configuration, it can compromise the protection offered by IP/MAC binding if untrusted hosts are allowed to access the DHCP server.

Need to be cautious while enabling DHCP Server on FortiGate .

 

- 'undefinedhost' option will be available only when either or both 'bindthroughfw' and 'bindtofw' are enabled.

 

-ip - To allow packets with the MAC address, regardless of the IP address, the IP address can be set to 0.0.0.0.

 

- mac - To allow packets with the IP address, regardless of the MAC address, the MAC address can be set to 00:00:00:00:00:00.
6382
0 Kudos
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.