"ARP cache poisoning attack blocked" if SonicWall TZ-Series hardware firewall system is being used.

book

Article ID: 169516

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

"ARP cache poisoning attack blocked" message generated several times by Symantec Endpoint Protection (SEP) client installed on MAC OS when SonicWall TZ-Series hardware firewall system is being used.

Cause

In Symantec Endpoint Protection 12.1.4 for Mac and later, you see intrusion prevention signatures with a given category of "Built-in". These signatures are present even before LiveUpdate runs for the first time. One of the mentioned built-in signatures detects attempts to modify your Internet address cache using unrequested ARP (Address Resolution Protocol) packets. For more details about built-in rules, including "ARP Cache Poison" see: http://www.symantec.com/docs/TECH210644

It has been observed, that SonicWall TZ-Series hardware firewall system is attempting to access the ARP cache in order to validate the allowed MAC addresses configured in it`s own settings. This behavior is being interpreted by SEP client`s "Intrusion Prevention System" as mentioned attack attempt.

Resolution

You can try one of following solutions:

  1. Uncheck "Enable - MAC-IP based anti-spoofing" within your SonicWall device settings:

OR

  1. If details of the message indicate, that the "attacker`s" IP address is your SonicWall T-Series device, you can deactivate the built in "ARP Cache Poison" rule within the Intrusion Prevention policy of Endpoint Protection:

Attachments