CLI Reference 6.0.6
firewall ipmacbinding setting

Use this command to configure IP to MAC address binding settings. IP/MAC binding protects the FortiGate unit and/or the network from IP address spoofing attacks. IP spoofing attacks attempt to use the IP address of a trusted computer to connect to, or through, the FortiGate unit from a different computer. It is simple to change a computer’s IP address to mimic that of a trusted host, but MAC addresses are often added to Ethernet cards at the factory, and are more difficult to change. By requiring that traffic from trusted hosts reflect both the IP address and MAC address known for that host, fraudulent connections are more difficult to construct.

To configure the table of IP addresses and the MAC addresses bound to them, see firewall ipmacbinding table. To enable or disable IP/MAC binding for an individual FortiGate unit network interface, see ipmac in system interface.

Note: If IP/MAC binding is enabled, and the IP address of a host with an IP or MAC address in the IP/MAC table is changed, or a new computer is added to the network, update the IP/MAC table. If you do not update the IP/MAC binding list, the new or changed hosts will not have access to or through the FortiGate unit. For details on updating the IP/MAC binding table, see firewall ipmacbinding table.

Note: If a client receives an IP address from the FortiGate unit’s DHCP server, the client’s MAC address is automatically registered in the IP/MAC binding table. This can simplify IP/MAC binding configuration, but can also neutralize protection offered by IP/MAC binding if untrusted hosts are allowed to access the DHCP server. Use caution when enabling and providing access to the DHCP server.

config firewall ipmacbinding setting
    set bindthroughfw {enable | disable}   Enable/disable use of IP/MAC binding to filter packets that would normally go through the firewall.
    set bindtofw {enable | disable}   Enable/disable use of IP/MAC binding to filter packets that would normally go to the firewall.
    set undefinedhost {allow | block}   Select action to take on packets with IP/MAC addresses not in the binding list (default = block).
            allow  Allow packets from MAC addresses not in the IP/MAC list.
            block  Block packets from MAC addresses not in the IP/MAC list.
end

Additional information

The following section is for those options that require additional explanation.

undefinedhost

This option is available only when bindthroughfw, bindtofw, or both are enabled.
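The following is an added model of the filtering decision these settings describe; it is example code written for this page, not FortiOS code. It assumes (as the page does not spell out) that a packet whose IP or MAC is in the table but whose pair does not match is dropped as suspected spoofing, and that undefinedhost applies only when neither address is known.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address


def norm_mac(mac: str) -> str:
    """Canonical lower-case colon form so '00-1A-2B-..' and '00:1a:2b:..' compare equal."""
    hexdigits = mac.replace(":", "").replace("-", "").lower()
    if len(hexdigits) != 12 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class BindingSetting:
    """Mirrors 'config firewall ipmacbinding setting'; both bind* flags assumed off by default."""
    bindthroughfw: bool = False
    bindtofw: bool = False
    undefinedhost: str = "block"  # 'allow' | 'block'; the page states default = block


@dataclass
class BindingTable:
    """The trusted IP -> MAC pairs that 'config firewall ipmacbinding table' would hold."""
    entries: dict = field(default_factory=dict)

    def add(self, ip: str, mac: str) -> None:
        self.entries[str(ip_address(ip))] = norm_mac(mac)

    def has_ip(self, ip: str) -> bool:
        return str(ip_address(ip)) in self.entries

    def has_mac(self, mac: str) -> bool:
        return norm_mac(mac) in self.entries.values()


def filter_packet(setting: BindingSetting, table: BindingTable,
                  src_ip: str, src_mac: str, to_firewall: bool) -> str:
    """Return 'accept' or 'drop' for one packet on a binding-enabled interface."""
    # bindtofw governs traffic addressed to the unit, bindthroughfw traffic passing through it
    enforced = setting.bindtofw if to_firewall else setting.bindthroughfw
    if not enforced:
        return "accept"  # binding is not consulted for this traffic direction
    ip, mac = str(ip_address(src_ip)), norm_mac(src_mac)
    if table.entries.get(ip) == mac:
        return "accept"  # pair matches the trusted entry
    if table.has_ip(ip) or table.has_mac(mac):
        return "drop"  # known IP or MAC with the wrong partner: treated as spoofing (assumption)
    return "accept" if setting.undefinedhost == "allow" else "drop"
```

The last branch is where the DHCP note above bites: any pair the DHCP server auto-registers becomes a "trusted entry" and takes the accept path.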
