ARP Enforcement does not block network access

Symptom

A node that should be blocked from network access by an Enforcement Policy still has network access, even though the Enforcement Policy is enabled, the associated Sensor is set to Enforcement Mode, and the Sensor's local configuration shows the node as blocked.

Cause

  • Some IDS/IPS or EDR solutions may detect and block the ARP Enforcement action of the sensor, because it is incorrectly identified as a network attack.

Resolution

Add Exceptions for Genian NAC in conflicting Security Products

To resolve the issue, add an exception for the Sensor IP(s) in the conflicting security product. Depending on how your enforcement policies and your other network security solutions are configured, additional exceptions may be required.
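The following is an added illustration (not Genian NAC's or ESET's own code) of why the exception is needed. It models the check an IDS/IPS or EDR typically performs: an IP address that suddenly answers ARP from a different MAC is treated as ARP spoofing. Sensor-originated replies are exactly that pattern, so without an exception they raise an alert (and, in blocking mode, are dropped). The log line format, the addresses, and the `from=` attribution field are constructed sample data, not any vendor's real log schema.

```python
"""ARP-conflict triage with a NAC-sensor exception list (added example)."""
import re
from dataclasses import dataclass

# Constructed log format: timestamp, claimed IP, claimed MAC, and the
# address the detector attributes the frame to (assumed field, not a real schema).
ARP_LINE = re.compile(
    r"^(?P<ts>\S+) arp-reply ip=(?P<ip>\S+) mac=(?P<mac>\S+) from=(?P<src>\S+)$"
)


@dataclass
class Verdict:
    line: str
    action: str  # "allow", "alert", "exempt" or "skip"
    reason: str


def triage(log_lines, sensor_exceptions):
    """Classify each ARP reply.

    sensor_exceptions holds NAC sensor IPs (or MACs) whose replies are
    treated as sanctioned enforcement rather than as an attack.
    """
    learned = {}  # ip -> first MAC seen for that IP
    verdicts = []
    for line in log_lines:
        m = ARP_LINE.match(line)
        if not m:
            verdicts.append(Verdict(line, "skip", "unparseable event"))
            continue
        ip, mac, src = m["ip"], m["mac"].lower(), m["src"]
        if ip not in learned:
            learned[ip] = mac
            verdicts.append(Verdict(line, "allow", "first binding learned"))
        elif learned[ip] == mac:
            verdicts.append(Verdict(line, "allow", "binding unchanged"))
        elif src in sensor_exceptions or mac in sensor_exceptions:
            # The IP->MAC change came from an allow-listed sensor: this is
            # ARP enforcement by the NAC, not a rogue host.
            verdicts.append(Verdict(line, "exempt", "NAC sensor enforcement"))
        else:
            verdicts.append(
                Verdict(line, "alert", f"{ip} moved {learned[ip]} -> {mac}")
            )
    return verdicts


# Constructed sample events: 192.0.2.254 plays the NAC sensor, which
# re-binds the gateway IP to its own MAC to enforce a block; 192.0.2.99
# is an unrelated host changing another node's binding.
SAMPLE_LOG = [
    "10:00:01 arp-reply ip=192.0.2.1 mac=00:11:22:33:44:01 from=192.0.2.1",
    "10:00:05 arp-reply ip=192.0.2.1 mac=00:11:22:33:44:01 from=192.0.2.1",
    "10:00:09 arp-reply ip=192.0.2.1 mac=00:11:22:33:44:fe from=192.0.2.254",
    "10:00:12 arp-reply ip=192.0.2.20 mac=00:11:22:33:44:20 from=192.0.2.20",
    "10:00:15 arp-reply ip=192.0.2.20 mac=aa:bb:cc:dd:ee:ff from=192.0.2.99",
]
SENSOR_EXCEPTIONS = {"192.0.2.254"}  # the sensor IP(s) to exempt


def actions(log_lines, sensor_exceptions):
    """Convenience: just the action per line, in order."""
    return [v.action for v in triage(log_lines, sensor_exceptions)]


if __name__ == "__main__":
    print("without exception:", actions(SAMPLE_LOG, set()))
    print("with exception:   ", actions(SAMPLE_LOG, SENSOR_EXCEPTIONS))
    for v in triage(SAMPLE_LOG, SENSOR_EXCEPTIONS):
        print(f"{v.action:6} {v.reason:32} {v.line}")
```

Running it with an empty exception set shows the sensor's enforcement reply (third line) classified as an alert, which is the behaviour the Cause section describes; with the sensor IP in the exception list that line becomes "exempt" while the genuinely unexpected binding change on the last line is still alerted.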

Example exception: ESET Endpoint Security