Configuring IP Change Preventions
=================================

You can prevent users from changing their IP Address. Changing an IP can lead
to conflicts or compromising issues where users can gain privileges they were
not intended to have. For instance, an Administrator could have a designated IP
Address set up to allow internet access, while all others are blocked. If an
employee is able to change their IP to that designated address, then that
employee will gain internet access when they are not allowed to.

How IP Change Prevention Works
------------------------------

The Sensor watches and analyzes packets that are being sent from each device.
When a new node is detected, the Sensor sends a gratuitous ARP request. If a
machine receives an ARP request containing a source IP that is different than
the previously used IP for that MAC, then it knows a change has occurred, and
the offending node will be enforced against.

To Enable IP Change Prevention
------------------------------

#. Go to **Management > Node** in the top panel
#. Click on the desired node **IP**
#. Click **Policy** tab
#. Find **MAC Policy** section, click **Allow MAC - Enable Change Prevention
   (Choose: Specific Network or All Networks)**
#. Enter **IP Address(es)** in the form below to allow them to be used the
   selected device.

6. Click **Update**

To Disable IP Change Prevention
-------------------------------

#. Go to **Management > Node** in the top panel
#. Click on the desired node **IP**
#. Click **Policy** tab
#. Find **MAC Policy** section, click **Allow MAC –
   Disable Change Prevention**
#. Click **Update**

.. warning:: This feature should only be used on nodes using a static IP to
             avoid accidental blocking.