Spoofed ARP

Genian ZTNA can detect any spoofed ARP packets sent in a variety of ways. The Network Sensor listens for ARP replies on a network and checks of them whether there may be any changes or differences between the ARP sender MAC address and the Ethernet source MAC address. If two responses are sent are different from each other, Genian ZTNA suspends the spoofed ARP packets sent and designates the Node with the Ethernet source MAC address as a critical one. In addition, if the number of response packets allowed are more than the specified value, that Node is then designated as a critical one.

Note

If you use Virtual Router Redundancy Protocol (VRRP), the sender MAC address may differ from the Ethernet source MAC address, a real MAC address. Genian ZTNA discovers any cases of VRRP, HSRP or GLBP so that these cases will not be detected as an Anomaly.

Configure Settings for Spoofed ARP in Anomaly Definition

  1. Go to Policy in the top panel.
  2. Go to Policy > Node Policy > Anomaly Definition in the left Policy panel.
  3. Click Spoofed ARP.
  4. Find Anomaly Event section to configure more options.
    • For Event Duration, optional setting to specify how long the spoofed ARP response packets are sent:
    • For Number of Allowable Spoofed ARP Responses, optional setting to specify the threshold to trigger the anomaly detection.
  5. Click Update.

Create Node Group For Spoofed ARP Sent

  1. Go to Policy in the top panel.
  2. Go to Policy > Group > Node in the left Policy panel.
  3. Click on Tasks > Create
  4. For ID: Spoofed ARP Sent.
  5. For Status: Enabled.
  6. For Boolean Operator select OR.
  7. Find and click on Add in Condition section.
  8. For each Anomaly you want to add use the followings:
    • Options: Anomaly
    • Operator: Detected is one of
    • Value: Spoofed ARP
  9. Click Add.
  10. Keep adding Conditions as needed.
  11. Click Save.