IPMAC Binding in Fortigate Device


IP/MAC binding in a FortiGate device

Description

In normal operation, FortiGate firewalls provide network access control and packet filtering based on elements such as source and destination IP addresses. This is done using firewall policies.

A FortiGate firewall can also be configured to restrict access by workstation MAC address. Binding an IP address to a specific MAC address gives a higher level of control and reporting, and greater security: a trusted IP address that may have been spoofed is verified against its expected MAC address before permissions are granted.

This procedure only helps when the devices being restricted reside on the same network segment as a FortiGate interface. When routers sit in between, the source MAC address is rewritten to that of the router and this check no longer applies.

The following is a brief description of how this can be done.

Scope

MAC / IP binding / filtering

Solution

The feature used in this procedure is called IP/MAC binding. Using the CLI, an administrator can configure a manual binding table that defines which MAC address corresponds to which IP address.

This is only recommended in small to medium networks; extra caution is required when implementing it in large networks. As mentioned earlier, if any routing takes place before traffic reaches the FortiGate, the source MAC address will have been replaced with that of the router, which is a real concern.

Note: If IP/MAC binding is enabled and the IP address of a host listed in the IP/MAC table changes, or a new computer is added to the network, the IP/MAC table must be updated. If this is not done, the new or changed hosts will not have access to or through the FortiGate unit, depending on the settings configured.

Caution: If a client receives an IP address from the FortiGate unit DHCP server, the client's MAC address is automatically registered in the IP/MAC binding table.

This can simplify IP/MAC binding configuration, but can also neutralize protection offered by IP/MAC binding if untrusted hosts are allowed to access the DHCP server.

Use caution when enabling and providing access to the DHCP server.

Syntax:

config firewall ipmacbinding setting
    set bindthroughfw {enable | disable}   - enables IP/MAC binding checks for traffic passing through the firewall
    set bindtofw {enable | disable}        - enables IP/MAC binding checks for traffic destined to the firewall itself
    set undefinedhost {allow | block}      - defines how the firewall treats traffic from hosts that have not been bound
end

Syntax:

config firewall ipmacbinding table
    edit <index>                       - the entry number in the IP/MAC binding table
        set ip <address>               - IP address value
        set mac <address>              - MAC address value (octets separated by colons)
        set name <name>                - a name that may be used to refer to this binding
        set status {enable | disable}  - whether the binding is active
    next
    edit <index>                       - the next entry number in the IP/MAC binding table
        set ip <address>               - IP address value
        set mac <address>              - MAC address value
        set name <name>                - a name that may be used to refer to this binding
        set status {enable | disable}  - whether the binding is active
    next
end

Syntax:

config system interface
    edit <interface>               - for example, edit internal for the LAN port
        set ipmac {enable | disable}   - enable to turn on IP/MAC binding on this interface
    next
end

Prob:

How to disable ipmac on the internal interface?

Soln: config system interface

edit internal

unset ipmac

end

Prob:

How to show ipmac table?

Soln:

config firewall ipmacbinding table
    show
end

The part above is what is already configured on your FortiGate. If you want to enter a new MAC/IP pair on your FortiGate device, follow the steps below.

config firewall ipmacbinding table
    edit <index>              - the entry number in the IP/MAC binding table
        set ip <address>      - IP address value
        set mac <address>     - MAC address value (octets separated by colons)
        set name <name>       - a name that may be used to refer to this binding
        set status enable     - the binding is now enabled
    next
end
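Because the binding table has to be regenerated whenever a host changes (see the note above), it is easier to keep an inventory and emit the CLI block from it. The following Python script is an added example, not part of the original document or Fortinet's own tooling: it validates a constructed host list, normalises MAC addresses to the colon-separated form the FortiGate CLI expects, rejects duplicate IPs or MACs, and prints the config firewall ipmacbinding table block.

```python
import ipaddress
import re

# Constructed sample inventory (hypothetical hosts, not from the original page):
# (name, ip, mac). MACs may arrive in any common notation and are normalised.
HOSTS = [
    ("finance-pc", "192.0.2.10", "00:11:22:33:44:55"),
    ("hr-printer", "192.0.2.20", "0011.2233.4466"),    # Cisco-style notation
    ("lab-box", "192.0.2.30", "00-11-22-33-44-77"),    # Windows-style notation
]

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Return a lower-case, colon-separated MAC address or raise ValueError."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_binding_table(hosts):
    """Validate (name, ip, mac) tuples and emit the FortiOS CLI block.

    Malformed IPv4 addresses or MACs raise ValueError, and so do duplicate
    IPs or MACs: a duplicate entry silently leaves one host without the
    binding the administrator believes is in place.
    """
    seen_ips, seen_macs = set(), set()
    lines = ["config firewall ipmacbinding table"]
    for index, (name, ip, mac) in enumerate(hosts, start=1):
        addr = ipaddress.IPv4Address(ip)  # raises on anything that is not IPv4
        mac = normalize_mac(mac)
        if ip in seen_ips or mac in seen_macs:
            raise ValueError(f"duplicate binding for {name}: {ip} / {mac}")
        seen_ips.add(ip)
        seen_macs.add(mac)
        lines += [
            f"    edit {index}",
            f"        set ip {addr}",
            f"        set mac {mac}",
            f'        set name "{name}"',
            "        set status enable",
            "    next",
        ]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_binding_table(HOSTS))
```

Paste the printed block into the FortiGate CLI, then confirm it with config firewall ipmacbinding table / show as described above.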
