Use Static MAC Address Binding

You can control access to an interface on your Firebox by computer hardware (MAC) address. This feature can protect your network from ARP poisoning attacks, in which hackers try to change the MAC address of their computers to match a real device on your network. To use MAC address binding, you must configure the interface to associate a client IP address with a MAC address. If this feature is enabled, a computer with a specified MAC address can send and receive information only if it uses the associated IP address. You can also use this feature to block all network traffic to devices that match the MAC and IP addresses on this list.

This feature is similar to the MAC access control feature, except that static MAC address binding associates each MAC address with a specific IP address. For information about MAC access control, see Restrict Network Traffic by MAC Address.

When you configure static MAC address binding, you can select the Only allow traffic sent from or to these MAC/IP addresses check box.

If you select this check box:

The device allows traffic through the interface only if the source or destination IP address and MAC address match an entry on the list. All other traffic is not allowed through the interface.

If you do not select this check box:

The device allows all traffic that does not match entries in the list, or that exactly matches entries in the list. The device does not allow traffic through this interface if:

  • Traffic is for a source or destination IP address on the list, but the MAC address does not match
  • Traffic is for a source or destination MAC address on the list, but the IP address does not match

If you use MAC address binding to restrict network access, make sure that you include the MAC address for the computer you use to administer your Firebox.
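The following added example is a model of the two check box behaviors described above, useful for checking a planned binding list (including the management computer's entry) before you apply it. It is not WatchGuard code. The function names, the sample addresses, and the simplification of evaluating one endpoint's IP/MAC pair at a time are assumptions made for illustration.

```python
# Added illustration: a model of the decision rules described above,
# not WatchGuard code. All addresses below are constructed samples.
import re

def norm_mac(mac):
    """Normalize a MAC to lowercase colon-separated form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def evaluate(bindings, ip, mac, only_listed):
    """Return (allowed, reason) for one endpoint's IP/MAC pair.

    bindings: dict of IP -> MAC (the static binding list).
    only_listed: state of the 'Only allow traffic sent from or to
    these MAC/IP addresses' check box.
    """
    table = {b_ip: norm_mac(b_mac) for b_ip, b_mac in bindings.items()}
    mac = norm_mac(mac)
    if table.get(ip) == mac:
        return True, "exact match"
    if ip in table:
        return False, "IP is listed but MAC does not match"
    if mac in table.values():
        return False, "MAC is listed but IP does not match"
    if only_listed:
        return False, "pair is not on the list"
    return True, "pair is not on the list"

def locked_out(bindings, admin_ip, admin_mac, only_listed):
    """True if the management computer's traffic would be dropped."""
    return not evaluate(bindings, admin_ip, admin_mac, only_listed)[0]

BINDINGS = {  # constructed sample list, mixed MAC notations on purpose
    "10.0.1.10": "00:11:22:AA:BB:01",
    "10.0.1.11": "00-11-22-aa-bb-02",
}

if __name__ == "__main__":
    cases = [("10.0.1.10", "00:11:22:aa:bb:01"),   # bound host
             ("10.0.1.10", "00:11:22:aa:bb:99"),   # listed IP, other MAC
             ("10.0.1.50", "00:11:22:aa:bb:02"),   # listed MAC, other IP
             ("10.0.1.77", "00:11:22:aa:bb:77")]   # unlisted host
    for only_listed in (True, False):
        for ip, mac in cases:
            print(only_listed, ip, mac, *evaluate(BINDINGS, ip, mac, only_listed))
```

The unlisted host is the only case whose result changes with the check box, which is why an administration computer that is missing from the list loses access as soon as the check box is selected.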

See Also

Find the MAC Address of a Computer

Restrict Network Traffic by MAC Address