To edit MAC-IP Anti-Spoof settings within the Network Security Appliance management interface, go to the Network > MAC-IP Anti-spoof page.
To configure settings for a particular interface, click the Configure icon for the desired interface.
The Settings dialog is now displayed for the selected interface. In this dialog, the following settings can be enabled or disabled by clicking on the corresponding checkbox. Once your setting selections for this interface are complete, click OK. The following options are available:
|
•
|
Enable: To enable the MAC-IP Anti-Spoof subsystem on traffic through this interface
|
|
•
|
Static ARP: Allows the Anti-Spoof cache to be built from static ARP entries
|
|
•
|
DHCP Server: Allows the Anti-Spoof cache to be built from active DHCP leases from the firewall DHCP server
|
|
•
|
DHCP Relay: Allows the Anti-Spoof cache to be built from active DHCP leases, from the DHCP relay, based on IP Helper. To learn about changes to IP Helper, see Extension to IP Helper .
|
|
•
|
ARP Lock: Locks ARP entries for devices listed in the MAC-IP Anti-Spoof cache. This applies egress control for an interface through the MAC-IP Anti-Spoof configuration, and adds MAC-IP cache entries as permanent entries in the ARP cache. This controls ARP poisoning attacks, as the ARP cache is not altered by illegitimate ARP packets.
|
|
•
|
ARP Watch: Enables generation of unsolicited unicast ARP responses towards the client’s machine for every MAC-IP cache entry on the interface. This process helps prevent man-in-the-middle attacks.
|
|
•
|
Enforce Anti-Spoof: Enables ingress control on the interface, blocking traffic from devices not listed in the MAC-IP Anti-Spoof cache.
|
|
•
|
Spoof Detection List: Logs all devices that fail to pass Anti-spoof cache and lists them in the Spoof Detected List.
|
|
•
|
Allow Management: Allows through all packets destined for the appliance’s IP address, even if coming from devices currently not listed in the Anti-Spoof cache.
|
The Add Static MAC-IP Anti-spoof dialog is displayed.
|
1
|
Click the Add button below the Anti-Spoof Cache table. The Add Static MAC-IP Anti-spoof dialog is displayed.
|
|
2
|
In the Interface drop-down list, select the interface on which traffic from the device will arrive.
|
|
3
|
In the IP Address field, type in the IP address of the device.
|
|
4
|
In the MAC Address field, type in the MAC address of the device.
|
|
5
|
|
6
|
To put this device on the blacklist and block traffic from it, select the A blacklisted device checkbox.
|
|
7
|
Click OK.
|
If you need to edit a static Anti-Spoof cache entry, select the checkbox to the left of the IP address, then click the pencil icon, under the Configure column, on the same line.
To clear cache statistics, select the desired devices, then click Clear Stats.
If you wish to see the most recent available cache information, click the Refresh button.
The Spoof Detected List displays devices that failed to pass the ingress anti-spoof cache check. Entries on this list can be added as a static anti-spoof entry. To do this, click on the Edit icon, under the Add column, for the desired device. An alert message dialog will open, asking if you wish to add this static entry. Click OK to proceed or Cancel to return to the Spoof Detected List.
Entries can be flushed from the list by clicking the Flush button. The name of each device can also be resolved using NetBios, by clicking the Resolve button.
You can identify a specific device(s) by using the table Filter function.
|
|||||||||
|
|||||||||
To support leases from the DHCP relay subsystem of IP Helper, the following changes have been made in the IP Helper panel, located at Network > IP Helper:
|
•
|
MAC and IP address bindings from the leases are transferred into the MAC-IP Anti-Spoof cache.
