Table of Contents
Advertisement
All packets that would normally be matched with policies to be able to go through the firewall are first
compared with the entries in the IP/MAC binding list. If a match is found, then the firewall attempts to match
the packet with a policy.
For example, if the IP/MAC pair IP 1.1.1.1 and 12:34:56:78:90:ab:cd is added to the IP/MAC binding list:
•
A packet with IP address 1.1.1.1 and MAC address 12:34:56:78:90:ab:cd is allowed to go on to be
matched with a firewall policy.
•
A packet with IP 1.1.1.1 but with a different MAC address is dropped immediately to prevent IP
spoofing.
•
A packet with a different IP address but with a MAC address of 12:34:56:78:90:ab:cd is dropped
immediately to prevent IP spoofing.
•
A packet with both the IP address and MAC address not defined in the IP/MAC binding table:
•
is allowed to go on to be matched with a firewall policy if IP/MAC binding is set to Allow traffic,
•
is blocked if IP/MAC binding is set to Block traffic.
Configuring IP/MAC binding for packets going to the firewall
Use the following procedure to use IP/MAC binding to filter packets that would normally connect with the
firewall (for example when an administrator is connecting to the DFL-500 NPG for management).
•
Go to Firewall > IP/MAC Binding > Setting .
•
Select Enable IP/MAC binding going to the firewall.
•
Go to Firewall > IP/MAC Binding > Static IP/MAC .
•
Select New to add IP/MAC binding pairs to the IP/MAC binding list.
All packets normally allowed to connect to the firewall are compared with the entries in the IP/MAC binding
table. If a match is found in the IP/MAC binding table:
•
If IP/MAC binding is set to Allow traffic, then IP/MAC binding allows the packet to connect to the
firewall.
•
If IP/MAC binding is set to Block traffic, then IP/MAC binding stops the packet from connecting to the
firewall.
Adding IP/MAC addresses
•
Go to Firewall > IP/MAC Binding > Static IP/MAC .
•
Select New to add an IP address/MAC address pair.
•
Enter the IP address and the MAC address.
You can bind multiple IP addresses to the same MAC address. You cannot bind multiple MAC
addresses to the same IP address.
However, you can set the IP address to 0.0.0.0 for multiple MAC addresses. This means that all
packets with these MAC addresses are matched with the IP/MAC binding list.
Similarly, you can set the MAC address to 00:00:00:00:00:00 for multiple IP addresses. This means
that all packets with these IP addresses are matched with the IP/MAC binding list.
•
Enter a Name for the new IP/MAC address pair.
The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special
characters - and _. Other special characters and spaces are not allowed.
•
Select Enable to enable IP/MAC binding for the IP/MAC pair.
•
Select OK to save the IP/MAC binding pair.
DFL-500 User Manual
41
Advertisement
Table of Contents
