beautypg.com

Ip pools and dynamic nat, Ip/mac binding – Fortinet FortiGate-800 User Manual

Page 214

background image

214

Fortinet Inc.

IP/MAC binding

Firewall configuration

Figure 49: Adding an IP Pool

IP Pools for firewall policies that use fixed ports

Some network configurations do not operate correctly if a NAT policy translates the
source port of packets used by the connection. NAT translates source ports to keep
track of connections for a particular service. You can select fixed port for NAT policies
to prevent source port translation. However, selecting fixed port means that only one
connection can be supported through the firewall for this service. To be able to support
multiple connections, you can add an IP pool to the destination interface, and then
select dynamic IP pool in the policy. The firewall randomly selects an IP address from
the IP pool and assigns it to each connection. In this case the number of connections
that the firewall can support is limited by the number of IP addresses in the IP pool.

IP pools and dynamic NAT

You can use IP pools for dynamic NAT. For example, your organization might have
purchased a range of Internet addresses but you might have only one Internet
connection on the external interface of your FortiGate unit.

You can assign one of your organization’s Internet IP addresses to the external
interface of the FortiGate unit. If the FortiGate unit is operating in NAT/Route mode, all
connections from your network to the Internet appear to come from this IP address.

If you want connections to originate from all your Internet IP addresses, you can add
this address range to an IP pool for the external interface. Then you can select
Dynamic IP Pool for all policies with the external interface as the destination. For each
connection, the firewall dynamically selects an IP address from the IP pool to be the
source address for the connection. As a result, connections to the Internet appear to
be originating from any of the IP addresses in the IP pool.

IP/MAC binding

IP/MAC binding protects the FortiGate unit and your network from IP spoofing attacks.
IP spoofing attacks try to use the IP address of a trusted computer to connect to, or
through, the FortiGate unit from a different computer. The IP address of a computer is
easy to change to a trusted address, but MAC addresses are added to ethernet cards
at the factory and are not easy to change.