USG40 log entry: possible ARP spoofing

copossum
copossum Posts: 13  Freshman Member
First Comment Third Anniversary
Hi,

the following entry pops up in  the firewall log periodically:

Possible ARP spoofing attack on IP 192.168.1.140. Current hardware address is XXX
where XXX is the correct MAC address for the IP.
The IP used to belong to another device.

Question: how can I get rid of the entry? It is only a minor nuisance, but still...

thank you

All Replies

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,511  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments
    edited September 2022
    Hi @copossum,

    You need tp enter CLI "no arpseal activate" to turn off it.
    Router(config)# no arpseal activate
    Router(config)# write
  • copossum
    copossum Posts: 13  Freshman Member
    First Comment Third Anniversary
    hi,

    thank you for your kind answer.
    what exactly does this command do? I ask because we have entries in the ARP table that we need to be there in order for WoL to work.

    Also, I tried removing the entry for IP 192.168.1.140 with the command
    no arp 192.168.1.140
    followed by the write command, but that does not change anything, the entry is still there.

    thank you again

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,511  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments
    edited September 2022
    It's mechanism to detect if someone (Man-in-the-middle) is trying to do ARP Spoofing in this network.
    The attacker uses a spoofing tool, such as Arpspoof or Driftnet, to send out fake ARP packets.
    We would not suggest to disable it since it would cause network issue when it have ARP Spoofing in this network.
  • copossum
    copossum Posts: 13  Freshman Member
    First Comment Third Anniversary
    hi, thank you,
    just to be clear: the command "no arpseal activate" is a mechanism to detect if someone is trying to do ARP Spoofing?
    and you do not recommend it?

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,511  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments
    Hi @copossum,
    This is just a CLI to turn off detection. We would suggest to check why your Lan have device doing ARP spoofing. It is abnormal in layer 2 network.

Security Highlight