MAC+IP Clones
=============

Genian ZTNA can detect MAC / IP theft in a variety of ways. The Network Sensor
periodically sends an ARP request to check the operation status of Nodes. If
two MACs answer a request for one IP, Genian ZTNA designates the more
recently detected Node as a critical Node.
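
The ARP reply check described above, sketched as an added Python example (not Genian's code or data format). The reply tuples, the probe-round field, and the function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample: (seconds, probe round, IP that was asked for, MAC that answered)
SAMPLE_REPLIES = [
    (100, 1, "192.0.2.10", "00:11:22:AA:BB:01"),
    (100, 1, "192.0.2.11", "00:11:22:aa:bb:02"),
    (160, 2, "192.0.2.10", "00-11-22-aa-bb-01"),  # same node, different notation
    (160, 2, "192.0.2.10", "02:00:5e:10:00:99"),  # second MAC answers for .10
    (160, 2, "192.0.2.11", "00:11:22:aa:bb:02"),
    (160, 2, "192.0.2.11", "00:11:22:aa:bb:02"),  # duplicate reply, not a conflict
]

def normalize_mac(mac):
    """Reduce any common MAC notation to lowercase colon-separated form."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def find_ip_conflicts(replies):
    """Return {ip: finding} for every IP that two or more MACs answered for
    in the same probe round. The MAC first seen earliest is treated as the
    established node; later arrivals are the ones flagged."""
    first_seen = {}               # (ip, mac) -> time first observed
    per_probe = defaultdict(set)  # (round, ip) -> distinct MACs that answered
    for ts, rnd, ip, mac in sorted(replies):
        mac = normalize_mac(mac)
        first_seen.setdefault((ip, mac), ts)
        per_probe[(rnd, ip)].add(mac)

    findings = {}
    for (rnd, ip), macs in sorted(per_probe.items()):
        if len(macs) < 2 or ip in findings:
            continue  # one responder, or this IP was already reported
        # Assumption: equal first-seen times are ordered by MAC string only
        # to keep the output deterministic; the data cannot rank them.
        ordered = sorted(macs, key=lambda m: (first_seen[(ip, m)], m))
        findings[ip] = {"round": rnd, "established": ordered[0],
                        "flagged": ordered[1:]}
    return findings

if __name__ == "__main__":
    for ip, finding in find_ip_conflicts(SAMPLE_REPLIES).items():
        print(ip, finding)
```

Normalizing the MAC notation before comparison keeps one node reported in two formats from being counted as two responders.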

In addition, if the user changes the MAC on the endpoint where the Agent is
installed and the MAC is already being used by another device, that device is
then designated as a critical Node. Genian ZTNA provides industry-leading
platform detection to detect when a Node is changing to another platform,
allowing administrators to see when changes are made, and to block devices when
unauthorized platform changes are detected.

Configure Settings for MAC+IP Clones in Anomaly Definition
----------------------------------------------------------

#. Go to **Policy** in the top panel.
#. Go to **Policy > Node Policy > Anomaly Definition** in the left Policy
   panel.
#. Click **MAC+IP Clones.**
#. Find the **Anomaly Event** section to configure more options.

   - **MAC Spoofing Detection** is an optional setting that specifies whether
     a manual change to an interface's MAC address is also detected.

#. Click **Update.**

Create Node Group For MAC+IP Cloned
-----------------------------------

#. Go to **Policy** in the top panel.
#. Go to **Policy > Group > Node** in the left Policy panel.
#. Click on **Tasks > Create.**
#. For **ID:** MAC+IP Cloned.
#. For **Status:** Enabled.
#. For **Boolean Operator** select **OR.**
#. Find and click on **Add** in the **Condition** section.
#. For each **Anomaly** you want to add, use the following settings:

   - **Options:** Anomaly
   - **Operator:** Detected is one of
   - **Value:** MAC+IP Clones

#. Click **Add.**
#. Keep adding **Conditions** as needed.
#. Click **Save.**