To edit MAC-IP Anti-Spoof settings within the Network Security Appliance management interface, go to the Network > MAC-IP Anti-spoof page.
To configure settings for a particular interface, click the Configure icon for the desired interface.
The Settings window is now displayed for the selected interface. In this window, the following settings can be enabled or disabled by clicking on the corresponding check box. Once your setting selections for this interface are complete, click OK. The following options are available:
|
•
|
Enable—To enable the MAC-IP Anti-Spoof subsystem on traffic through this interface
|
|
•
|
Static ARP—Allows the Anti-Spoof cache to be built from static ARP entries
|
|
•
|
DHCP Server—Allows the Anti-Spoof cache to be built from active DHCP leases from the SonicWall DHCP server
|
|
•
|
DHCP Relay—Allows the Anti-Spoof cache to be built from active DHCP leases, from the DHCP relay, based on IP Helper. To learn about changes to IP Helper, see Extension to IP Helper.
|
|
•
|
ARP Lock—Locks ARP entries for devices listed in the MAC-IP Anti-Spoof cache. This applies egress control for an interface through the MAC-IP Anti-Spoof configuration, and adds MAC-IP cache entries as permanent entries in the ARP cache. This controls ARP poisoning attacks, as the ARP cache is not altered by illegitimate ARP packets.
|
|
•
|
ARP Watch—Enables generation of unsolicited unicast ARP responses towards the client’s machine for every MAC-IP cache entry on the interface. This process helps prevent man-in-the-middle attacks.
|
|
•
|
Enforce Anti-Spoof—Enables ingress control on the interface, blocking traffic from devices not listed in the MAC-IP Anti-Spoof cache.
|
|
•
|
Spoof Detection List—Logs all devices that fail to pass Anti-spoof cache and lists them in the Spoof Detected List.
|
|
•
|
Allow Management—Allows through all packets destined for the appliance’s IP address, even if coming from devices currently not listed in the Anti-Spoof cache.
|
