Description |
This article describes how to configure IP/MAC binding to limit IP spoofing on the local network. The IP address of a computer can be changed trivially to impersonate a trusted host. Its MAC address is assigned to the network card and is changed far less often, although most operating systems allow it to be overridden in software, so IP/MAC binding raises the cost of impersonation rather than ruling it out.
By requiring traffic going to and through the firewall to match both the IP address and the MAC address of a known host, connections from unknown hosts are blocked easily. |
Scope | Prevent IP spoofing. The intention of this feature is to authorize access only to known hosts whose traffic passes to and through the firewall. |
Solution |
Firewall IPMACbinding Setting.
# config firewall ipmacbinding setting <----- Enable bindthroughfw and/or bindtofw, and choose the undefinedhost action for hosts that are not in the table
Firewall IPMACbinding Table.
# config firewall ipmacbinding table <----- Add the IP-to-MAC address pairs of the trusted hosts on the network
Enable IPMAC on the interface. This step is essential: without it the binding table has no effect.
# config system interface
# edit <interface name> <----- Interface where the local machines for which IP/MAC binding is to be enforced are connected
# set ipmac enable
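The three steps above, assembled into one complete configuration as an added example. This is not configuration from the original article: the interface name internal, the table entry IDs and names, and every IP and MAC address are assumed placeholders to be replaced with the LAN interface and trusted hosts of the actual deployment.

```fortios
# Added example, not from the original article. Interface "internal", the
# entry names and the IP/MAC pairs below are assumed placeholder values.

# 1. Global behaviour: check IP/MAC pairs on traffic through the FortiGate
#    (bindthroughfw) and on traffic to the FortiGate itself (bindtofw).
#    undefinedhost decides what happens to hosts missing from the table;
#    it is only offered once at least one of the two bind options is on.
config firewall ipmacbinding setting
    set bindthroughfw enable
    set bindtofw enable
    set undefinedhost block
end

# 2. Trusted hosts: one entry per IP-to-MAC pair.
config firewall ipmacbinding table
    edit 1
        set name "fileserver"
        set ip 192.168.1.10
        set mac 00:11:22:33:44:55
        set status enable
    next
    edit 2
        set name "admin-pc"
        set ip 192.168.1.20
        set mac 00:11:22:33:44:66
        set status enable
    next
    # Wildcard IP: this MAC is accepted whatever address it uses.
    edit 3
        set name "printer-any-ip"
        set ip 0.0.0.0
        set mac 00:11:22:33:44:77
        set status enable
    next
end

# 3. Turn binding on for the interface the trusted hosts sit behind.
#    Do this last: once enabled with undefinedhost set to block, any host
#    not yet in the table (including the PC used for administration, when
#    bindtofw is on) loses access to and through the FortiGate.
config system interface
    edit "internal"
        set ipmac enable
    next
end
```

Apply the setting and table stanzas first and confirm them with show firewall ipmacbinding setting and show firewall ipmacbinding table before enabling ipmac on the interface; enabling the interface step from a host that is not in the table while undefinedhost is block cuts off the session doing the configuration.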
Additional information:
- With IP/MAC binding in place, if the IP address of a host already listed in the IP/MAC table changes, or a new host joins the network, the table must be updated to match. Until it is, the host with the new IP address, or the newly added host, has no access to or through the firewall.
- A host's MAC address is added to the IP/MAC binding table automatically when that host obtains its IP address from the FortiGate unit's DHCP server. While this simplifies configuration, it weakens the protection offered by IP/MAC binding if untrusted hosts can reach the DHCP server, since any host that obtains a lease becomes a trusted entry. Be cautious when enabling the DHCP server on a FortiGate interface where binding is enforced.
- The undefinedhost option, which decides whether traffic from hosts not listed in the table is allowed or blocked, is available only when bindthroughfw, bindtofw, or both are enabled.
- ip: to allow packets from a given MAC address regardless of its IP address, set the IP address of the entry to 0.0.0.0.
- mac: to allow packets from a given IP address regardless of its MAC address, set the MAC address of the entry to 00:00:00:00:00:00. Note that such an entry offers no protection against spoofing of that IP address, since any MAC may use it. |
Copyright 2024 Fortinet, Inc. All Rights Reserved.