Use Static MAC Address Binding
You can control access to an interface on your Firebox by computer hardware (MAC) address. This feature can protect your network from ARP poisoning attacks, in which hackers try to change the MAC address of their computers to match a real device on your network. To use MAC address binding, you must configure the interface to associate a client IP address with a MAC address. If this feature is enabled, a computer with a specified MAC address can send and receive information only if it uses the associated IP address. You can also use this feature to block all network traffic to devices that match the MAC and IP addresses on this list.
This feature is similar to the MAC access control feature, except that static MAC address binding associates each MAC address with a specific IP address. For information about MAC access control, go to Restrict Network Traffic by MAC Address.
When you configure static MAC address binding, you can select the Only allow traffic sent from or to these MAC/IP addresses check box
If you select this check box:
The device allows traffic through the interface only if the source or destination IP address and MAC address matches an entry on the list. All other traffic is not allowed through the interface.
If you do not select this check box:
The device allows all traffic that does not match entries in the list, or that exactly matches entries in the list. The device does not allow traffic through this interface if:
- Traffic is for a source or destination IP address on the list, but the MAC address does not match
- Traffic is for a source or destination MAC address on the list, but the IP address does not match
If you use MAC address binding to restrict network access, make sure that you include the MAC address for the computer you use to administer your Firebox.
- Select Network > Interfaces.
- Select an interface, then click Configure.
- Select the Advanced tab.
- Adjacent to the Static MAC/IP Address Binding list, click Add.
- Type an IP Address and a MAC Address. Click OK.
Repeat this step to add each IP address and MAC address pair. The IP address must be on the same subnet as the primary or secondary IP address of the interface. - Select or clear the Only allow traffic sent from or to these MAC/IP addresses check box to enable the behavior you want for this interface.
- Select Network > Configuration.
- Select an interface, then click Configure.
- Select the Advanced tab.
- Adjacent to the Static MAC/IP Address Binding list, click Add.
- Type an IP Address and a MAC Address. Click OK.
Repeat this step to add each IP address and MAC address pair. The IP address must be on the same subnet as the primary or secondary IP address of the interface. - Select or clear the Only allow traffic sent from or to these MAC/IP addresses check box to enable the behavior you want for this interface.