USG40 log entry: possible ARP spoofing

copossum

Hi,

the following entry pops up in  the firewall log periodically:

Possible ARP spoofing attack on IP 192.168.1.140. Current hardware address is XXX
where XXX is the correct MAC address for the IP.
The IP used to belong to another device.

Question: how can I get rid of the entry? It is only a minor nuisance, but still...

thank you

Zyxel_Cooldia

Hi @copossum,

You need tp enter CLI "no arpseal activate" to turn off it.

Router(config)# no arpseal activate

Router(config)# write

copossum

hi,

thank you for your kind answer.

what exactly does this command do? I ask because we have entries in the ARP table that we need to be there in order for WoL to work.

Also, I tried removing the entry for IP 192.168.1.140 with the command

no arp 192.168.1.140

followed by the write command, but that does not change anything, the entry is still there.

thank you again

Zyxel_Cooldia

Hi @copossum,

It's mechanism to detect if someone (Man-in-the-middle) is trying to do ARP Spoofing in this network.

The attacker uses a spoofing tool, such as Arpspoof or Driftnet, to send out fake ARP packets.

We would not suggest to disable it since it would cause network issue when it have ARP Spoofing in this network.

copossum

hi, thank you,

just to be clear: the command "no arpseal activate" is a mechanism to detect if someone is trying to do ARP Spoofing?
and you do not recommend it?

Zyxel_Cooldia

Hi @copossum,
This is just a CLI to turn off detection. We would suggest to check why your Lan have device doing ARP spoofing. It is abnormal in layer 2 network.