FortiGate
kgeorge
Staff
Article Id 214328
Description

This article describes how to configure IP/MAC binding to mitigate IP spoofing on the local network.

The IP address of a computer can be changed trivially to imitate a trusted host. The MAC address, by contrast, is assigned to the network card by its manufacturer; changing it requires deliberate action on the host (most operating systems and drivers do allow it), so it is a much less casual change than an IP address and makes impersonation considerably harder.

By requiring traffic that goes to or through the FortiGate to match both the IP address and the MAC address of a known host, connections from unknown hosts are blocked.

Scope

Prevent IP spoofing: this feature authorizes access only for known hosts whose traffic passes to or through the FortiGate.
Solution

Firewall IP/MAC binding settings.

 

config firewall ipmacbinding setting
    set bindthroughfw (enable/disable) <----- Enable/disable the use of IP/MAC binding to filter packets that would normally go through the firewall.
    set bindtofw (enable/disable) <----- Enable/disable the use of IP/MAC binding to filter packets that would normally go to the firewall.
    set undefinedhost (allow/block) <----- Select action to take on packets with IP/MAC addresses not in the binding list (default = block).
end

 

Firewall IP/MAC binding table.

 

config firewall ipmacbinding table <----- Add IP to MAC address pairs of the trusted hosts on the network.
    edit (seq-num) <----- Entry number, range [0-4294967295].
        set ip (ip address) <----- IPv4 address.
        set mac (mac address) <----- Format: xx:xx:xx:xx:xx:xx (hexadecimal).
        set name (string) <----- Name of the pair (optional, default = no name), size [35].
        set status (enable/disable) <----- Enable/disable this IP-MAC binding pair.
    next
end

 

Enable IP/MAC binding on the interface. This step is required: without 'set ipmac enable' on the interface, the binding table is not applied to hosts connected there.

 

config system interface
    edit <interface name> <----- Interface where the local machines for which IP/MAC binding is to be enforced are connected.
        set ipmac enable
    next
end
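The three steps above, combined into one complete configuration. This is an added example and not part of the original article; the interface name port2, the 192.168.6.0/24 addressing, the host names and the MAC addresses are constructed for illustration. Entry 3 uses the 0.0.0.0 wildcard IP to allow a device by MAC address alone, and entry 4 is kept in the table but disabled.

```fortios
# Added example (not from the original article). Interface "port2", the
# 192.168.6.0/24 addresses and all MAC addresses below are constructed.

# 1. Enforce binding for traffic going through and to the FortiGate, and
#    block any packet whose IP/MAC pair is not in the table.
config firewall ipmacbinding setting
    set bindthroughfw enable
    set bindtofw enable
    set undefinedhost block
end

# 2. Trusted host pairs.
config firewall ipmacbinding table
    edit 1
        set ip 192.168.6.10
        set mac 00:0c:29:ba:6f:c6
        set name admin-pc
        set status enable
    next
    edit 2
        set ip 192.168.6.20
        set mac 00:0c:29:11:22:33
        set name file-server
        set status enable
    next
    edit 3
        # MAC-only entry: 0.0.0.0 matches this MAC regardless of its IP address
        set ip 0.0.0.0
        set mac 00:0c:29:44:55:66
        set name roaming-laptop
        set status enable
    next
    edit 4
        # Host kept on record but currently not permitted (status disabled)
        set ip 192.168.6.30
        set mac 00:0c:29:77:88:99
        set name printer
        set status disable
    next
end

# 3. Apply binding on the LAN interface. Without this step the table is
#    not consulted for hosts connected to port2.
config system interface
    edit port2
        set ipmac enable
    next
end
```

After applying the configuration, confirm the result with the diagnose commands in the Verification section; the active pairs from the table should be listed there, and a host on port2 whose IP/MAC pair is not in the table will be blocked because 'undefinedhost' is set to block.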

  

Verification:

FGT1 # diagnose firewall ipmac list
List firewall IP/MAC address pairs:
ip=192.168.6.10 mac=00:0c:29:ba:6f:c6 act=01 flag=00

FGT1 # diagnose firewall ipmac status
ipmac status: enable=2, default_act=0, count=1

 

Additional information:

 

  • With IP/MAC binding in place, the table must be updated whenever the IP address of a host already in the table changes or a new host is added to the network. If the update is missed, the host with the new IP address, or the newly added host, will not have access to or through the FortiGate.

 

  • With 'set ipmac enable' set on the interface, a host's IP/MAC pair is automatically added to the binding table when the host obtains its IP address from the FortiGate unit's DHCP server. While this simplifies IP/MAC binding configuration, it undermines the protection offered by IP/MAC binding if untrusted hosts can reach the DHCP server, since any host that obtains a lease becomes a bound, trusted host. Be cautious when enabling the DHCP server on the FortiGate for an interface with IP/MAC binding.

 

  • The 'undefinedhost' option is available only when 'bindthroughfw', 'bindtofw', or both are enabled.

 

  • 'ip': To allow packets from a given MAC address regardless of the IP address, set the IP address of the entry to 0.0.0.0.

 

  • 'mac': To allow packets from a given IP address regardless of the MAC address, set the MAC address of the entry to 00:00:00:00:00:00. Note that such an entry provides no protection against spoofing of that IP address, since the MAC check is what IP/MAC binding adds.