Fortinet firewall configuration: binding MAC addresses (interface-based)


IP/MAC Binding Requirements

Binding a MAC address to an IP address can prevent IP spoofing attacks, in which an attacker uses the IP address of a trusted computer from a different machine to connect through the firewall. An IP address is easy to change, but the MAC address is written to the Ethernet card at the factory and is difficult to change, so registering both the IP and the MAC address of a trusted host prevents such fraudulent connections.

The Fortinet firewall has two ways of binding MAC addresses: one is interface-based and must be configured from the command line, the other is DHCP-based and can be done on the web page.

IP/MAC Binding Interface

For IP/MAC binding to work, you first need to enable the binding function on the specified interface.

① First look at the firewall's interfaces; here the default internal hardware switch interface is used;


② Use show system interface internal in the command line to view the status of the internal interface; by default there is no MAC binding configuration;


③ Edit the internal interface and enable the MAC address binding function;


④ View the internal interface again; an additional ipmac setting now appears.


IP/MAC Binding Table

Then add each MAC address and its corresponding IP address to the table. The command takes the following parameters:


"index_int" Enter a unique ID number for each IP/MAC binding pair

"ip" Enter the IP address to bind to the MAC address

"mac" Enter the MAC address

"name" Enter a name for this entry in the IP/MAC address table (optional)

"status" Select whether this IP/MAC binding entry is enabled

① Use the config firewall ipmacbinding table command to add matching IP and MAC addresses to the IP/MAC binding table. You can bind multiple IP addresses to the same MAC address, but you cannot bind multiple MAC addresses to the same IP address.

 

② Here the MAC address of the wired NIC directly attached to the firewall and the MAC address of the wireless NIC connected through the wireless router are used, respectively;


③ Use the config firewall ipmacbinding table command to add each MAC address and its bound IP to the table;


④ Use the show firewall ipmacbinding table command to view the contents of the table.
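The interface and table steps above as one FortiOS CLI session, added here as an example and not taken from the original article. 10.0.1.88 is the wired NIC's IP from this page; the MAC addresses, the wireless NIC's IP 10.0.1.90 and the entry names are constructed placeholders.

```fortios
# Step: enable IP/MAC binding on the internal interface
config system interface
    edit "internal"
        set ipmac enable
    next
end

# Step: add the bindings. Entry 1 is the wired NIC, entry 2 the wireless NIC.
# MAC addresses and 10.0.1.90 are constructed placeholders for this example.
config firewall ipmacbinding table
    edit 1
        set ip 10.0.1.88
        set mac 00:11:22:aa:bb:01
        set name "wired-nic"
        set status enable
    next
    edit 2
        set ip 10.0.1.90
        set mac 00:11:22:aa:bb:02
        set name "wireless-nic"
        set status enable
    next
end

# Step: verify the table contents
show firewall ipmacbinding table
```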


IP/MAC Binding Settings

In addition to enabling binding on the interface and building the binding table, you need to set the binding parameters. The command takes the following parameters:


"bindthroughfw" allows bound IP addresses to pass through the firewall

"bindtofw" allows bound IP addresses to reach the firewall itself

"undefinedhost" whether to block all hosts that are not in the binding table

① Use the config firewall ipmacbinding setting command to set the access capability of the bound IPs.


② By default both bindthroughfw and bindtofw are disable and the undefinedhost parameter is not displayed; once bindthroughfw is set to enable, the undefinedhost parameter appears. With bindthroughfw enabled, only IP addresses bound to a MAC address can access the external network.


③ In the firewall menu go to "Policies & Objects" - "Objects" - "Addresses" and create new address objects for the IP addresses bound to MAC addresses;



④ Create a new address group;


⑤ Add the IP addresses of the bound MAC addresses to the group;


⑥ Modify the Internet access policy and use the address group as its source address, so that only the IPs in the group can access the Internet;
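The binding settings and the address group policy from the steps above as FortiOS CLI commands, added here as an example rather than the article's own configuration. 10.0.1.88 is the wired NIC's IP from this page; the wireless NIC's IP 10.0.1.90, the object and group names, the policy ID and the interface names internal and wan1 are assumptions.

```fortios
# Steps ① and ②: only bound IP/MAC pairs may pass through the firewall;
# hosts not in the table are blocked. undefinedhost only appears after
# bindthroughfw (or bindtofw) is enabled, so it is set afterwards.
config firewall ipmacbinding setting
    set bindthroughfw enable
    set bindtofw disable
    set undefinedhost block
end

# Step ③: address objects for the bound IPs (10.0.1.90 is assumed)
config firewall address
    edit "wired-nic-ip"
        set subnet 10.0.1.88 255.255.255.255
    next
    edit "wireless-nic-ip"
        set subnet 10.0.1.90 255.255.255.255
    next
end

# Steps ④ and ⑤: group the bound hosts
config firewall addrgrp
    edit "ipmac-bound-hosts"
        set member "wired-nic-ip" "wireless-nic-ip"
    next
end

# Step ⑥: Internet policy whose source is the bound group only
# (policy ID 1 and interfaces internal/wan1 are assumptions)
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "ipmac-bound-hosts"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```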

IP/MAC Binding Effect Test

After the above configuration is complete, the policy only allows the specified IPs to reach the Internet. The wired NIC, whose MAC address and IP address match the binding, reaches the Internet without problems; if its IP is changed, the policy blocks it. To test the binding itself we therefore need a device whose MAC address is not bound.


① Set the IP of a NIC whose MAC address is not bound to an IP address that the firewall policy allows to pass;


② Access to the external network still fails. Although the firewall policy allows the IP address 10.0.1.88 to pass, the host does not match the IP/MAC binding table, so it is still not allowed through.


MAC Address Bindings for Wireless Routers

In the test above the MAC address of the wireless NIC was also bound, yet the wireless NIC could not access the Internet.

The wireless NIC connects through the wireless router, and the router's address on the link between the router and the firewall is 10.0.1.254. Because the router's own MAC address and IP address were not added to the binding table, nothing behind the wireless router can reach the Internet.


After adding the wireless router's MAC address and IP address to the binding table, the wireless NIC can get online; testing with other wireless NICs shows that they can get online as well. This shows that MAC address binding cannot control hosts behind the wireless router.

Cancel MAC Bindings

When managing the network it is sometimes necessary to temporarily cancel the binding of a computer; this requires modifying the MAC binding table.


When you change the status of an entry to disable, that binding no longer takes effect.

Disable Internet Access for Specified MAC Devices

Sometimes, for security reasons, certain computers such as finance and security computers must be prohibited from accessing the Internet, which requires modifying the MAC binding settings.


① The default value of the undefinedhost parameter is block; set it to allow so that hosts other than the bound MAC addresses can also connect to the Internet;


② Create a new Internet access policy with the address group of the bound MAC addresses as the source address and the action set to deny;


③ Place the newly created policy above the policy that allows access to the external network;


④ Change the IP address of the NIC whose MAC address is bound to 10.0.1.89; the IP address the firewall policy denies external access for is 10.0.1.88;


⑤ The NIC is still unable to access the external network even though the policy does not deny 10.0.1.89, which shows that it is the MAC binding that blocks it.
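The block-list variant from steps ① to ③ as FortiOS CLI commands, added as an example and not the article's own configuration. It assumes the bound hosts are already grouped in an address object named ipmac-bound-hosts, that the existing Internet accept policy has ID 1, and that the interfaces are internal and wan1.

```fortios
# Step ①: keep bindings enforced but let hosts outside the table through
config firewall ipmacbinding setting
    set bindthroughfw enable
    set undefinedhost allow
end

# Step ②: deny policy for the bound group (group name and policy ID 2
# are assumptions for this example)
config firewall policy
    edit 2
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "ipmac-bound-hosts"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
    next
end

# Step ③: move the deny policy above the accept policy (assumed ID 1)
# so it is matched first
config firewall policy
    move 2 before 1
end
```

A bound host that changes its IP is still stopped by the binding table, and a bound host that keeps its IP is stopped by policy 2, which is the behaviour steps ④ and ⑤ observe.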

Disable Logging In to the Firewall

If the firewall's account and password are known, it is easy to log in from the intranet. Where security requires that access to the firewall from inside be prohibited, you can modify the MAC binding settings.


When you set the bindtofw parameter to enable, all MAC addresses bound to an IP can still connect to the Internet but can no longer log in to the firewall.


