MAC+IP Clones
Genian ZTNA can detect MAC / IP theft in a variety of ways. The Network Sensor periodically sends an ARP request to check the operation status of Nodes. If two MACs answer a request for one IP, Genian ZTNA designates the more recently detected Node as a critical Node.
In addition, if the user changes the MAC on the endpoint where the Agent is installed and the MAC is already being used by another device, that device is then designated as a critical Node. Genian ZTNA provides industry-leading platform detection that identifies when a Node changes to another platform, allowing administrators to see when changes are made and to block devices when unauthorized platform changes are detected.
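The two-MACs-for-one-IP check described above, as an added Python example. It is not Genian's implementation: the reply tuples, the `find_ip_clones` name and the 5-second window are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data: (seconds since start, sender IP, sender MAC) taken
# from ARP replies to a sensor's periodic requests. Not real capture output.
SAMPLE_REPLIES = [
    (0.0, "192.168.10.20", "00:11:22:33:44:55"),
    (0.0, "192.168.10.21", "00:11:22:33:44:66"),
    (60.0, "192.168.10.20", "00:11:22:33:44:55"),
    (60.1, "192.168.10.20", "de:ad:be:ef:00:01"),  # second MAC answers for .20
    (60.0, "192.168.10.21", "00:11:22:33:44:66"),
]


def find_ip_clones(replies, window=5.0):
    """Return {ip: flagged_mac} where two MACs answered for one IP within
    `window` seconds of each other (window is an assumed parameter).
    The flagged MAC is the one first seen later, mirroring the
    'more recently detected Node' rule in the text."""
    first_seen = {}                # (ip, mac) -> first time observed
    last_seen = defaultdict(dict)  # ip -> {mac: last time observed}
    flagged = {}
    for ts, ip, mac in sorted(replies):
        mac = mac.lower()
        first_seen.setdefault((ip, mac), ts)
        last_seen[ip][mac] = ts
        # MACs that answered for this IP during the same polling round.
        # A MAC that stopped answering long ago (for example after an
        # address was reassigned) falls outside the window and is ignored.
        active = [m for m, t in last_seen[ip].items() if ts - t <= window]
        if len(active) > 1:
            flagged[ip] = max(active, key=lambda m: first_seen[(ip, m)])
    return flagged


if __name__ == "__main__":
    for ip, mac in find_ip_clones(SAMPLE_REPLIES).items():
        print(f"{ip}: conflicting reply from {mac}")
```

The window keeps an address that has simply moved to a new device from being reported, since the old MAC no longer answers in the same round.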
Configure Settings for MAC+IP Clones in Anomaly Definition
- Go to Policy in the top panel.
- Go to Policy > Node Policy > Anomaly Definition in the left Policy panel.
- Click MAC+IP Clones.
- Find the Anomaly Event section to configure more options.
- For MAC Spoofing Detection, optionally specify whether a manual change of an interface's MAC address is also detected.
- Click Update.
Create Node Group For MAC+IP Cloned
- Go to Policy in the top panel.
- Go to Policy > Group > Node in the left Policy panel.
- Click Tasks > Create.
- For ID: MAC+IP Cloned.
- For Status: Enabled.
- For Boolean Operator select OR.
- Find and click Add in the Condition section.
- For each Anomaly you want to add, use the following:
  - Options: Anomaly
  - Operator: Detected is one of
  - Value: MAC+IP Clones
- Click Add.
- Keep adding Conditions as needed.
- Click Save.