Use Static MAC Address Binding

You can control access to an interface on your Firebox or XTM device by computer hardware (MAC) address. This feature can protect your network from ARP poisoning attacks, in which hackers try to change the MAC address of their computers to match a real device on your network. To use MAC address binding, you must configure the interface to associate a client IP address with a MAC address. If this feature is enabled, a computer with a specified MAC address can send and receive information only if it uses the associated IP address. You can also use this feature to block all network traffic to devices that match the MAC and IP addresses on this list.

This feature is similar to the MAC access control feature, except that static MAC address binding associates each MAC address with a specific IP address.

For information about MAC access control, see Restrict Network Traffic by MAC Address.

If you choose to restrict network access by MAC address binding, make sure that you include the MAC address for the computer you use to administer your Firebox or XTM device.

To configure the static MAC address binding settings:

  1. Select Network > Interfaces. Select an interface, then click Configure.
  2. Select the Advanced tab.
  3. Adjacent to the Static MAC/IP Address Binding table, click Add.

[Screenshot: Network configuration, Advanced settings, Static MAC/IP Address Binding]

  4. Type an IP Address and a MAC Address. Click OK.
    Repeat this step to add each IP address and MAC address pair. The IP address must be on the same subnet as the primary or secondary IP address of the interface.
  5. Select or clear the Only allow traffic sent from or to these MAC/IP addresses check box to enable the behavior you want for this interface.

If you do not select this check box:

The device allows all traffic that does not match entries in the list, or that exactly matches entries in the list. The device does not allow traffic through this interface if:

If you select this check box:

The device allows traffic through the interface only if the source or destination IP address and MAC address match an entry on the list. All other traffic is not allowed through the interface.
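The following Python sketch is an added example, not WatchGuard code. It checks a planned binding list against the rules above before you enter it, and models how the check box treats an IP/MAC pair. The function names, sample addresses, the duplicate-MAC check, and the reading that a partial match is blocked when the check box is cleared are assumptions.

```python
import ipaddress

def norm_mac(mac):
    """Return a MAC as lowercase colon-separated hex; raise on bad input."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def check_bindings(bindings, interface_cidrs, admin_mac):
    """Return the problems found in a planned binding list (empty means OK)."""
    nets = [ipaddress.ip_interface(c).network for c in interface_cidrs]
    problems, seen_macs = [], set()
    for ip, mac in bindings:
        mac = norm_mac(mac)
        # Documented rule: the IP must be on the subnet of the interface's
        # primary or secondary IP address.
        if not any(ipaddress.ip_address(ip) in n for n in nets):
            problems.append(f"{ip}: not on a subnet of the interface")
        # Sanity check added here, not a documented device rule.
        if mac in seen_macs:
            problems.append(f"{mac}: bound to more than one IP address")
        seen_macs.add(mac)
    if norm_mac(admin_mac) not in seen_macs:
        problems.append("management computer's MAC address is not in the list")
    return problems

def allowed(bindings, ip, mac, only_listed):
    """Model of the check box: True if traffic with this pair would pass."""
    table = {(ipaddress.ip_address(i), norm_mac(m)) for i, m in bindings}
    pair = (ipaddress.ip_address(ip), norm_mac(mac))
    if pair in table:
        return True   # an exact match passes in both modes
    if only_listed:
        return False  # check box selected: listed pairs only
    # Check box cleared: pass only if neither address appears in the list
    # (assumed reading of "does not match entries in the list").
    return all(pair[0] != i and pair[1] != m for i, m in table)

# Constructed sample data: private addresses and made-up MAC addresses.
BINDINGS = [("10.0.1.10", "00-11-22-33-44-55"),
            ("10.0.1.20", "00:11:22:33:44:66"),
            ("10.0.2.5", "00:11:22:33:44:77")]

if __name__ == "__main__":
    for problem in check_bindings(BINDINGS, ["10.0.1.1/24"], "00:11:22:33:44:99"):
        print("PROBLEM:", problem)
    print(allowed(BINDINGS, "10.0.1.10", "00:11:22:33:44:ab", only_listed=False))
```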

See Also

Find the MAC Address of a Computer

Restrict Network Traffic by MAC Address
