Logging of possible ARP Poisoning attempts

Medium

Explanation

ARP spoofing, also known as ARP poisoning, is a man-in-the-middle (MitM) attack that allows attackers to intercept communication between network devices. A possible ARP poisoning attempt can be mitigated by enabling spoof protection along with the other settings described below.

Resolution

  1. Go to Protect > Intrusion Prevention > DoS & Spoof Protection.
  2. Ensure Enable spoof prevention is checked on LAN and DMZ zones.
  3. Ensure Apply Flag is checked for SYN flood, UDP flood, TCP flood, and ICMP/ICMPv6 flood on both Source and Destination.
  4. Ensure Apply Flag is checked for Dropped source routed packets, Disable ICMP/ICMPv6 redirect packet, and ARP hardening on Destination.
  5. Ensure that no DoS bypass rule is added with a wide range of source or destination networks, as this reduces the integrity of the overall DoS protection.
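
To show what a "possible ARP poisoning attempt" looks like in traffic, the following added example (not part of the original page or the product) flags ARP observations in which an IP address is suddenly claimed by a different MAC, or one MAC starts claiming several IPs. The observation format, the sample data and the function names are assumptions made for illustration; they are not the firewall's log format.

```python
from collections import defaultdict

# Constructed sample observations: (timestamp, sender IP, sender MAC), as they
# might be parsed from ARP replies on one LAN segment. Not real firewall logs.
SAMPLE_ARP = [
    (1, "192.168.1.1", "aa:bb:cc:00:00:01"),   # gateway
    (2, "192.168.1.10", "aa:bb:cc:00:00:10"),
    (3, "192.168.1.20", "aa:bb:cc:00:00:20"),
    (4, "192.168.1.1", "aa:bb:cc:00:00:01"),   # unchanged binding
    (5, "192.168.1.1", "aa:bb:cc:00:00:20"),   # gateway IP claimed by another host's MAC
    (6, "192.168.1.10", "AA-BB-CC-00-00-10"),  # same MAC, different notation
]

def normalize_mac(mac):
    """Lower-case and use ':' separators so notation differences do not alert."""
    return mac.strip().lower().replace("-", ":")

def find_arp_anomalies(observations):
    """Return alerts for IP-to-MAC binding changes and MACs claiming several IPs.

    The first MAC seen for an IP is treated as the trusted binding (assumption);
    legitimate changes such as a replaced NIC will also alert and need review.
    """
    bindings = {}                 # ip -> first MAC seen
    mac_ips = defaultdict(set)    # mac -> IPs it has claimed
    alerts = []
    for ts, ip, mac in sorted(observations):
        mac = normalize_mac(mac)
        known = bindings.get(ip)
        if known is None:
            bindings[ip] = mac
        elif known != mac:
            alerts.append({"time": ts, "type": "binding_changed", "ip": ip,
                           "old_mac": known, "new_mac": mac})
        if ip not in mac_ips[mac]:
            mac_ips[mac].add(ip)
            if len(mac_ips[mac]) > 1:
                alerts.append({"time": ts, "type": "mac_claims_multiple_ips",
                               "mac": mac, "ips": sorted(mac_ips[mac])})
    return alerts

if __name__ == "__main__":
    for alert in find_arp_anomalies(SAMPLE_ARP):
        print(alert)
```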