FortiGate Transparent mode MAC address table
To create a VLAN using the GUI
Under Network > _________ click on '+Create New', then select 'Interface'. In the Type drop-down list select 'VLAN'. Specify the VLAN __ and the physical ________ to which the VLAN will be bound. Frames that belong to interfaces of that type are always tagged. On the other hand, frames sent or received by the physical interface segment itself are never tagged; they belong to what is called the native VLAN (VLAN ID 0).

ARP Inspection and the MAC Address Table for Transparent Firewall Mode
This chapter describes how to customize the MAC address table and configure ARP inspection for bridge groups on a Cisco ASA in transparent firewall mode.

About ARP Inspection and the MAC Address Table
For interfaces in a bridge group, ARP inspection prevents a "man-in-the-middle" attack. You can also customize other ARP settings. You can customize the MAC address table for bridge groups, including adding a static ARP entry to guard against MAC spoofing.

ARP Inspection for Bridge Group Traffic
By default, all ARP packets are allowed between bridge group members. You can control the flow of ARP packets by enabling ARP inspection. ARP inspection prevents malicious users from impersonating other hosts or routers (known as ARP spoofing). ARP spoofing can enable a "man-in-the-middle" attack. For example, a host sends an ARP request for the gateway router; the gateway router responds with its own MAC address. The attacker, however, sends another ARP response to the host carrying the attacker's MAC address instead of the router's. The attacker can now intercept all the host's traffic before forwarding it on to the router. ARP inspection ensures that an attacker cannot get such a response through, so long as the correct MAC address and the associated IP address are in the static ARP table. When you enable ARP inspection, the ASA compares the MAC address, IP address, and source interface of every ARP packet against the static entries in the ARP table: a packet whose three fields match a static entry is passed; a packet whose MAC address, IP address, or interface mismatches a static entry is dropped; and a packet that matches no static entry at all is either flooded out all interfaces or dropped, depending on the flood or no-flood keyword.
MAC Address Table
When you use bridge groups, the ASA learns and builds a MAC address table in a similar way to a normal bridge or switch: when a device sends a packet through the bridge group, the ASA adds the source MAC address to its table. The table associates the MAC address with the source interface so that the ASA knows to send any packets addressed to that device out the correct interface. Because traffic between bridge group members is subject to the ASA security policy, if the destination MAC address of a packet is not in the table, the ASA does not flood the original packet on all interfaces as a normal bridge does. Instead, it generates its own packets to learn which interface the destination is behind (an ARP request for a directly-connected destination, a ping for a remote one), and the original packet is dropped.

Default Settings
ARP inspection is disabled; when it is enabled, ARP packets that match no static entry are flooded unless no-flood is specified. Dynamic MAC address table entries time out after 5 minutes, and MAC address learning is enabled on every interface.
Configure ARP Inspection and Other ARP Parameters
For transparent firewall mode bridge groups, you can enable ARP inspection. You can also configure other ARP parameters, both for bridge groups and for routed mode interfaces.

Add a Static ARP Entry and Customize Other ARP Parameters
By default for bridge groups, all ARP packets are allowed between bridge group member interfaces. You can control the flow of ARP packets by enabling ARP inspection, which compares ARP packets with the static ARP entries in the ARP table. For routed interfaces, you can also enter static ARP entries, but normally dynamic entries are sufficient. For routed interfaces, the ARP table is used to deliver packets to directly-connected hosts. Although senders identify a packet's destination by an IP address, the actual delivery of the packet on Ethernet relies on the Ethernet MAC address. When a router or host wants to deliver a packet on a directly connected network, it sends an ARP request asking for the MAC address associated with the IP address, and then delivers the packet to the MAC address given in the ARP response. The host or router keeps an ARP table so that it does not have to send an ARP request for every packet it delivers. The ARP table is dynamically updated whenever ARP responses are seen on the network, and an entry that is not used for a period of time times out. If an entry is incorrect (for example, the MAC address for a given IP address changes), the entry must time out before it can be updated with the new information. In transparent mode, the ASA uses dynamic ARP entries only for traffic to and from the ASA itself, such as management traffic. You can also set the ARP timeout and other ARP behavior.
Enable ARP Inspection
This section describes how to enable ARP inspection for bridge groups.

Procedure
Enable ARP inspection:

    arp-inspection interface_name enable [flood | no-flood]

The flood keyword forwards non-matching ARP packets out all interfaces, and no-flood drops them. The default is to flood non-matching packets. To restrict ARP through the ASA to static entries only, set this command to no-flood.

Customize the MAC Address Table for Transparent Mode Bridge Groups
This section describes how you can customize the MAC address table for bridge groups.

Add a Static MAC Address for Bridge Groups
Normally, MAC addresses are added to the MAC address table dynamically as traffic from a particular MAC address enters an interface. You can also add static MAC addresses. One benefit of static entries is to guard against MAC spoofing: if a client with the same MAC address as a static entry attempts to send traffic into an interface that does not match the static entry, the ASA drops the traffic and generates a system message. When you add a static ARP entry (see Add a Static ARP Entry and Customize Other ARP Parameters), a static MAC address entry is automatically added to the MAC address table.

Procedure
Add a static MAC address entry:

    mac-address-table static interface_name mac_address

The interface_name is the source interface, that is, the only interface on which frames from mac_address are accepted.

Set the MAC Address Timeout
The default timeout for dynamic MAC address table entries is 5 minutes; you can change it.

Procedure
Set the MAC address entry timeout:

    mac-address-table aging-time timeout_value

The timeout_value (in minutes) is between 5 and 720 (12 hours); 5 minutes is the default.

Configure MAC Address Learning
By default, each interface automatically learns the MAC addresses of entering traffic, and the ASA adds the corresponding entries to the MAC address table. You can disable MAC address learning if desired; however, unless you statically add MAC addresses to the table, no traffic can pass through the ASA.

Procedure
Disable MAC address learning:

    mac-learn interface_name disable

The no form of this command re-enables MAC address learning. The clear configure mac-learn command re-enables MAC address learning on all interfaces.
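The ARP inspection decision described under Enable ARP Inspection and the static-MAC, aging and mac-learn behaviour described just above are easiest to see side by side. The following Python model is an added example, not code from this page or from Cisco: it parses the ASA command lines quoted above into a bridge-group state and replays the man-in-the-middle ARP reply and the MAC spoofing scenarios against it. The interface names (inside, outside), IP and MAC addresses, log text and configuration are constructed for the demonstration; the static "arp interface_name ip_address mac_address" line is assumed from the ASA CLI, because the page describes static ARP entries without quoting the command.

```python
"""ASA transparent-mode ARP inspection and MAC address table rules, modelled in Python.
Added illustration, not Cisco code. Interface names, addresses and the configuration
lines are constructed; the static ``arp ifc ip mac`` command is assumed from the ASA CLI.
"""
from collections import namedtuple
from dataclasses import dataclass, field

FLOOD, NO_FLOOD = "flood", "no-flood"
Arp = namedtuple("Arp", "iface ip mac")               # ARP packet: ingress interface, sender IP and MAC
Frame = namedtuple("Frame", "iface src_mac dst_mac")  # Ethernet frame entering a bridge-group interface

@dataclass
class BridgeGroup:
    static_arp: dict = field(default_factory=dict)   # (iface, ip) -> mac
    inspection: dict = field(default_factory=dict)   # iface -> FLOOD | NO_FLOOD
    mac_table: dict = field(default_factory=dict)    # mac -> [iface, is_static, seen_at_minute]
    learning_off: set = field(default_factory=set)   # interfaces with mac-learn disabled
    aging: int = 5                                   # minutes; the ASA default
    syslog: list = field(default_factory=list)       # constructed log messages

def load_config(lines):
    """Apply the commands quoted on this page (plus static ``arp``) to a bridge group."""
    bg = BridgeGroup()
    for line in lines:
        t = line.split()
        if t[:1] == ["arp"] and len(t) == 4:                   # arp ifc ip mac (assumed syntax)
            bg.static_arp[(t[1], t[2])] = t[3]
            bg.mac_table[t[3]] = [t[1], True, 0]               # static MAC entry is added automatically
        elif t[:1] == ["arp-inspection"] and t[2:3] == ["enable"]:
            bg.inspection[t[1]] = t[3] if len(t) > 3 else FLOOD
        elif t[:2] == ["mac-address-table", "static"]:
            bg.mac_table[t[3]] = [t[2], True, 0]
        elif t[:2] == ["mac-address-table", "aging-time"]:
            if not 5 <= int(t[2]) <= 720:
                raise ValueError("aging-time must be 5..720 minutes")
            bg.aging = int(t[2])
        elif t[:1] == ["mac-learn"] and t[2:3] == ["disable"]:
            bg.learning_off.add(t[1])
        else:
            raise ValueError("unsupported line: " + line)
    return bg

def inspect_arp(bg, pkt):
    """Return 'forward', 'flood' or 'drop' for one ARP packet."""
    mode = bg.inspection.get(pkt.iface)
    if mode is None:                                       # inspection off: all ARP is allowed
        return "forward"
    if bg.static_arp.get((pkt.iface, pkt.ip)) == pkt.mac:  # IP, MAC and interface all match
        return "forward"
    if any(k[1] == pkt.ip or m == pkt.mac for k, m in bg.static_arp.items()):
        return "drop"                                      # some field mismatches a static entry
    return "flood" if mode == FLOOD else "drop"            # matches no static entry at all

def switch_frame(bg, frame, now):
    """Learn the source MAC and return the forwarding decision for one frame."""
    src = bg.mac_table.get(frame.src_mac)
    if src and src[1] and src[0] != frame.iface:           # static MAC seen on the wrong interface
        bg.syslog.append(f"static MAC {frame.src_mac} arrived on {frame.iface}, expected {src[0]}")
        return "drop"
    if src is None and frame.iface not in bg.learning_off:
        bg.mac_table[frame.src_mac] = [frame.iface, False, now]
    elif src and not src[1]:
        src[0], src[2] = frame.iface, now                  # refresh a dynamic entry
    dst = bg.mac_table.get(frame.dst_mac)
    if dst and (dst[1] or now - dst[2] < bg.aging):
        return "forward " + dst[0]
    if dst:
        del bg.mac_table[frame.dst_mac]                    # dynamic entry has aged out
    return "drop"   # unknown destination: the ASA probes for it rather than flooding the frame

CONFIG = [  # constructed configuration; names and addresses are assumptions
    "arp outside 10.1.1.1 0011.2233.4455",              # gateway router: static ARP and static MAC
    "arp-inspection inside enable no-flood",            # ARP matching no static entry is dropped
    "arp-inspection outside enable",                    # default flood: unknown ARP goes everywhere
    "mac-address-table static inside 0050.5600.0050",   # protected host on the inside interface
    "mac-address-table aging-time 10",
    "mac-learn outside disable",                        # only static MACs are reachable via outside
]

def demo():
    """Run the man-in-the-middle and MAC spoofing scenarios described in the text."""
    bg = load_config(CONFIG)
    gw, host, attacker = "0011.2233.4455", "0050.5600.0050", "dead.beef.0001"
    r = {
        "router_reply": inspect_arp(bg, Arp("outside", "10.1.1.1", gw)),
        "spoofed_reply": inspect_arp(bg, Arp("inside", "10.1.1.1", attacker)),
        "unknown_on_inside": inspect_arp(bg, Arp("inside", "10.1.1.66", attacker)),
        "unknown_on_outside": inspect_arp(bg, Arp("outside", "10.1.1.77", "0000.0000.7777")),
        "mac_spoof": switch_frame(bg, Frame("outside", host, gw), 0),
        "host_to_gw": switch_frame(bg, Frame("inside", host, gw), 0),
        "unlearned_src": switch_frame(bg, Frame("outside", "0000.0000.9999", host), 0),
        "reply_to_unlearned": switch_frame(bg, Frame("inside", host, "0000.0000.9999"), 0),
        "learned": switch_frame(bg, Frame("inside", "0000.0000.0042", gw), 0),
        "before_aging": switch_frame(bg, Frame("outside", gw, "0000.0000.0042"), 5),
        "after_aging": switch_frame(bg, Frame("outside", gw, "0000.0000.0042"), 10),
    }
    return r, bg.syslog
```

Running demo() puts the weak and the tightened setting next to each other. On inside, configured with no-flood, the attacker's unsolicited reply for 10.1.1.1 is dropped because that IP is pinned to the gateway's static entry, and an ARP for an address with no static entry is dropped as well; on outside, left at the default, the same unknown ARP is flooded out every interface, which is what no-flood is there to stop. On the MAC side, a frame carrying the host's static MAC that arrives on outside is dropped and logged, a source that cannot be learned on outside can still reach the static host but gets no return path, and a MAC learned dynamically on inside stays usable for the configured 10 minutes and is then purged.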
What is the difference between NAT and transparent mode in FortiGate?
Transparent mode is used primarily when there is a need to add network protection but changing the configuration of the network itself is impractical: the unit is inserted into the existing segment and forwards traffic at Layer 2 rather than routing it. In NAT/Route mode, the FortiGate or FortiProxy unit is installed as a gateway or router between two networks.

What is a virtual wire pair?
A virtual wire pair consists of two interfaces that have no IP addresses; all traffic received by one interface in the pair can only be forwarded out the other, as controlled by firewall policies.