SEP (Symantec Endpoint Protection) Mac users receive "Vulnerability BLOCKED" popups for ARP traffic, with "ARP Cache Poison" in SEP Vulnerability log details. But anti-MAC spoofing setting is disabled in the Mac Firewall policy settings at SEPM (SEP Manager).

"Vulnerability BLOCKED" popups on desktop.

"ARP Cache Poison" in SEP Vulnerability log details.

SEP for Mac versions 14.2.x

This is caused by remnants of Mac IPS (Intrusion Protection) policy settings from an older SEPM that has been upgraded to 14.2.x, along with the clients. That version of SEP for Mac should not alert users or log ARP traffic; it is handled silently as long as IPS is enabled. The "anti-MAC spoofing" checkbox in Mac firewall policy settings has no effect.

Re-create the IPS policy fresh at the SEPM so that the old Mac policy settings will not be present.