firewall : ipmacbinding setting
 
ipmacbinding setting
Use this command to configure IP to MAC address binding settings.
IP/MAC binding protects the FortiGate unit and/or the network behind it from IP address spoofing attacks. In an IP spoofing attack, a different computer uses the IP address of a trusted host to connect to, or through, the FortiGate unit. Changing a computer’s IP address to mimic a trusted host is trivial; a MAC address is assigned to the Ethernet card at the factory and, although it can also be overridden in software, takes more effort to forge. By requiring that traffic from a trusted host carry both the IP address and the MAC address known for that host, the FortiGate unit makes fraudulent connections more difficult to construct: a packet that carries a bound IP address with a different MAC address does not match the binding and is not treated as coming from the trusted host.
To configure the table of IP addresses and the MAC addresses bound to them, see “ipmacbinding table”. To enable or disable IP/MAC binding on an individual FortiGate unit network interface, see ipmac in “system interface”. All three parts are required: the settings in this section select what is filtered, the table lists the trusted pairs, and the interface setting turns the check on for the traffic arriving on that interface.
 
If IP/MAC binding is enabled and a host listed in the IP/MAC table changes its IP address or its network card (and therefore its MAC address), or a new computer is added to the network, update the IP/MAC table. If you do not update the IP/MAC binding table, the new or changed hosts will not have access to or through the FortiGate unit (with the default undefinedhost setting of block). For details on updating the IP/MAC binding table, see “ipmacbinding table”.
 
If a client receives an IP address from the FortiGate unit’s DHCP server, the client’s IP and MAC addresses are automatically registered in the IP/MAC binding table. This simplifies IP/MAC binding configuration, but it also neutralizes the protection offered by IP/MAC binding if untrusted hosts can reach the DHCP server: any host that obtains a lease becomes a “trusted” pair in the table. Use caution when enabling the DHCP server and when deciding which hosts can reach it.
Syntax
config firewall ipmacbinding setting
set bindthroughfw {enable | disable}
set bindtofw {enable | disable}
set undefinedhost {allow | block}
end
 
Variable / Description / Default

bindthroughfw {enable | disable}
    Use IP/MAC binding to filter packets that a firewall policy would normally allow through the FortiGate unit (transit traffic).
    Default: disable

bindtofw {enable | disable}
    Use IP/MAC binding to filter packets that would normally connect to the FortiGate unit itself (for example, administrative access).
    Default: disable

undefinedhost {allow | block}
    How IP/MAC binding handles packets whose IP and MAC address pair is not defined in the IP/MAC binding table, for traffic going through or to the FortiGate unit.
    allow: Allow packets with IP and MAC address pairs that are not in the IP/MAC binding table. Only the hosts listed in the table are then protected from impersonation; unlisted hosts pass without a binding check.
    block: Block packets with IP and MAC address pairs that are not in the IP/MAC binding table. Every host that must communicate to or through the FortiGate unit on an ipmac-enabled interface then needs a table entry.
    This option is available only when bindthroughfw, bindtofw, or both are enabled.
    Default: block
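The following is an added example, not FortiOS code and not part of this reference: a small Python model of how the three settings above, combined with a binding table, decide the fate of a packet, plus a renderer that emits the CLI for all three parts of the configuration (this section, the table, and the interface ipmac setting). The table field names ip, mac, name and status are assumed from the “ipmacbinding table” section; the binding table, the packets, and the treatment of a partial match (a bound IP address arriving with a different MAC address, blocked as spoofing regardless of undefinedhost) are modelling assumptions that follow from the description above rather than verified FortiOS behaviour.

```python
"""Model of FortiGate IP/MAC binding decisions (illustrative, not FortiOS code).

Constructed data: two bound hosts, the settings from
`config firewall ipmacbinding setting`, and a few packets, some spoofed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    name: str
    status: str = "enable"   # field names assumed from the "ipmacbinding table" section


@dataclass(frozen=True)
class Settings:
    bindthroughfw: str = "disable"
    bindtofw: str = "disable"
    undefinedhost: str = "block"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str
    to_firewall: bool   # True: destined to the FortiGate itself; False: transiting through it


def _norm_mac(mac: str) -> str:
    return mac.lower().replace("-", ":")


def decide(pkt: Packet, bindings: list, settings: Settings) -> str:
    """Return 'allow' or 'block' for a packet that a firewall policy would otherwise permit."""
    # Binding is only consulted in the direction that has it enabled.
    enabled = settings.bindtofw if pkt.to_firewall else settings.bindthroughfw
    if enabled != "enable":
        return "allow"
    active = {(b.ip, _norm_mac(b.mac)) for b in bindings if b.status == "enable"}
    pair = (pkt.src_ip, _norm_mac(pkt.src_mac))
    if pair in active:
        return "allow"                      # IP and MAC both match a bound host
    known_ips = {ip for ip, _ in active}
    known_macs = {mac for _, mac in active}
    if pair[0] in known_ips or pair[1] in known_macs:
        return "block"                      # half of a bound pair: spoofing (assumption, see lead-in)
    # Neither address appears in the table: undefinedhost decides.
    return "allow" if settings.undefinedhost == "allow" else "block"


def render_cli(bindings: list, settings: Settings, interface: str) -> str:
    """Render the three CLI blocks needed to apply the bindings on one interface."""
    lines = ["config firewall ipmacbinding table"]
    for i, b in enumerate(bindings, 1):
        lines += [f"    edit {i}", f"        set ip {b.ip}", f"        set mac {b.mac}",
                  f"        set name {b.name}", f"        set status {b.status}", "    next"]
    lines += ["end",
              "config firewall ipmacbinding setting",
              f"    set bindthroughfw {settings.bindthroughfw}",
              f"    set bindtofw {settings.bindtofw}",
              f"    set undefinedhost {settings.undefinedhost}",
              "end",
              "config system interface", f"    edit {interface}",
              "        set ipmac enable", "    next", "end"]
    return "\n".join(lines)


# Constructed binding table and settings (addresses are made up).
BINDINGS = [
    Binding("192.168.1.10", "00:11:22:33:44:55", "fileserver"),
    Binding("192.168.1.20", "00:11:22:33:44:66", "admin-pc"),
]
STRICT = Settings(bindthroughfw="enable", bindtofw="enable", undefinedhost="block")
LENIENT = Settings(bindthroughfw="enable", bindtofw="disable", undefinedhost="allow")


def run_scenarios() -> dict:
    """Exercise the decision logic over constructed packets; keys describe each case."""
    trusted = Packet("192.168.1.10", "00:11:22:33:44:55", to_firewall=False)
    spoofed = Packet("192.168.1.10", "aa:bb:cc:dd:ee:ff", to_firewall=False)   # bound IP, wrong MAC
    unknown = Packet("192.168.1.99", "de:ad:be:ef:00:01", to_firewall=False)   # neither address bound
    spoofed_to_fw = Packet("192.168.1.20", "aa:bb:cc:dd:ee:ff", to_firewall=True)
    return {
        "trusted_strict": decide(trusted, BINDINGS, STRICT),
        "spoofed_strict": decide(spoofed, BINDINGS, STRICT),
        "unknown_strict": decide(unknown, BINDINGS, STRICT),
        "unknown_lenient": decide(unknown, BINDINGS, LENIENT),
        "spoofed_lenient": decide(spoofed, BINDINGS, LENIENT),
        "spoofed_to_fw_strict": decide(spoofed_to_fw, BINDINGS, STRICT),
        "spoofed_to_fw_lenient": decide(spoofed_to_fw, BINDINGS, LENIENT),  # bindtofw disabled: not checked
    }


if __name__ == "__main__":
    for case, verdict in run_scenarios().items():
        print(f"{case:24s} {verdict}")
    print(render_cli(BINDINGS, STRICT, "internal"))
```

The two settings objects show the practical trade-off: STRICT (both directions enabled, undefinedhost block) stops every unlisted host, so the table must be complete before the interface ipmac setting is enabled; LENIENT lets unknown hosts through but still blocks impersonation of the listed hosts, and because bindtofw is disabled a spoofed packet aimed at the FortiGate itself is not checked at all.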