Fortinet FortiGate-800 User Manual

Page 215

Firewall configuration

IP/MAC binding

FortiGate-800 Installation and Configuration Guide

You can enter the static IP addresses and corresponding MAC addresses of trusted
computers in the static IP/MAC table.

If you have trusted computers with dynamic IP addresses that are set by the FortiGate
DHCP server, the FortiGate unit adds these IP addresses and their corresponding
MAC addresses to the dynamic IP/MAC table. For information about viewing the table,
see “Viewing a DHCP server dynamic IP list” on page 160. The dynamic IP/MAC
binding table is not available in Transparent mode.

You can enable IP/MAC binding for packets in sessions connecting to the firewall or
passing through the firewall.

This section describes:

Configuring IP/MAC binding for packets going through the firewall

Configuring IP/MAC binding for packets going to the firewall

Adding IP/MAC addresses

Viewing the dynamic IP/MAC list

Enabling IP/MAC binding

Configuring IP/MAC binding for packets going through the firewall

Use the following procedure to use IP/MAC binding to filter packets that a firewall
policy would normally allow through the firewall.

To configure IP/MAC binding for packets going through the firewall

1. Go to Firewall > IP/MAC Binding > Setting.

2. Select the Enable IP/MAC binding going through the firewall check box.

3. Go to Firewall > IP/MAC Binding > Static IP/MAC.

4. Select New to add IP/MAC binding pairs to the IP/MAC binding list.

All packets that would normally be allowed through the firewall by a firewall policy are
first compared with the entries in the IP/MAC binding list. If a match is found, then the
firewall attempts to match the packet with a policy.

Note: If you enable IP/MAC binding and change the IP address of a computer with an IP or
MAC address in the IP/MAC list, you must also change the entry in the IP/MAC list or the
computer does not have access to or through the FortiGate unit. You must also add the IP/MAC
address pair of any new computer that you add to your network or the new computer does not
have access to or through the FortiGate unit.
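
The following is an added example, not part of the Fortinet guide: a Python audit that compares a static IP/MAC list with the hosts currently on the network and flags the entries that the Note above says must be changed or added. The function names, status labels, and sample addresses are assumptions constructed for illustration.

```python
import ipaddress
import re

def norm_mac(mac):
    """Normalize 00-09-0F-AA-00-01 or 0009.0faa.0001 to 00:09:0f:aa:00:01."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def norm_ip(ip):
    return str(ipaddress.ip_address(ip.strip()))

def audit(binding_list, inventory):
    """Classify each observed host against the static IP/MAC list.
    binding_list: (ip, mac) pairs as entered under Static IP/MAC.
    inventory: {name: (ip, mac)} as currently observed on the network.
    Status labels are this example's own, not FortiGate output.
    """
    pairs = {(norm_ip(ip), norm_mac(mac)) for ip, mac in binding_list}
    listed_ips = {ip for ip, _ in pairs}
    listed_macs = {mac for _, mac in pairs}
    report = {}
    for name, (ip, mac) in inventory.items():
        ip, mac = norm_ip(ip), norm_mac(mac)
        if (ip, mac) in pairs:
            report[name] = "match"        # pair is listed; entry is current
        elif mac in listed_macs:
            report[name] = "stale-ip"     # computer's IP changed: update entry
        elif ip in listed_ips:
            report[name] = "stale-mac"    # IP listed with a different MAC
        else:
            report[name] = "not-listed"   # new computer: add its pair
    return report

# Constructed sample data (addresses and host names are made up).
BINDING_LIST = [
    ("192.168.1.10", "00-09-0F-AA-00-01"),
    ("192.168.1.11", "0009.0faa.0002"),
    ("192.168.1.13", "00:09:0f:aa:00:04"),
]
INVENTORY = {
    "ws-01": ("192.168.1.10", "00:09:0f:aa:00:01"),
    "ws-02": ("192.168.1.50", "00:09:0F:AA:00:02"),
    "ws-03": ("192.168.1.12", "00:09:0f:aa:00:03"),
    "ws-04": ("192.168.1.13", "00:09:0f:aa:00:99"),
}
if __name__ == "__main__":
    print(audit(BINDING_LIST, INVENTORY))
```

Running the audit before enabling IP/MAC binding shows which computers would lose access until their entries are corrected.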