"ARP cache poisoning attack blocked" when a SonicWall TZ-Series hardware firewall is in use
Last Updated December 19, 2018
The message "ARP cache poisoning attack blocked" is generated several times by the Symantec Endpoint Protection (SEP) client installed on Mac OS when a SonicWall TZ-Series hardware firewall is in use.
In Symantec Endpoint Protection 12.1.4 for Mac and later, you see intrusion prevention signatures with the category "Built-in". These signatures are present even before LiveUpdate runs for the first time. One of these built-in signatures detects attempts to modify your Internet address cache using unrequested ARP (Address Resolution Protocol) packets. For more details about built-in rules, including "ARP Cache Poison", see: http://www.symantec.com/docs/TECH210644
It has been observed that the SonicWall TZ-Series hardware firewall attempts to access the ARP cache in order to validate the allowed MAC addresses configured in its own settings. The SEP client's "Intrusion Prevention System" interprets this behavior as the attack attempt described above.
You can try one of the following solutions:
Uncheck "Enable - MAC-IP based anti-spoofing" within your SonicWall device settings.
If the details of the message indicate that the "attacker's" IP address is your SonicWall TZ-Series device, you can deactivate the built-in "ARP Cache Poison" rule within the Intrusion Prevention policy of Endpoint Protection.
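The following Python example is added here and is not Symantec's or SonicWall's code. It shows how an unrequested ARP reply can be told apart from a requested one, and why the sender's MAC address should be compared with the firewall's known MAC, not only the IP address, before the alert is treated as firewall traffic. All addresses and packets are constructed sample values, and the function names are hypothetical.

```python
import socket
import struct

ARP_REQUEST, ARP_REPLY = 1, 2

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def build_arp(op, s_mac, s_ip, t_mac, t_ip):
    """Build a constructed Ethernet/IPv4 ARP payload (28 bytes)."""
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                       mac_bytes(s_mac), socket.inet_aton(s_ip),
                       mac_bytes(t_mac), socket.inet_aton(t_ip))

def parse_arp(payload):
    """Return (opcode, sender MAC, sender IP, target IP) of an ARP payload."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return op, sha.hex(":"), socket.inet_ntoa(spa), socket.inet_ntoa(tpa)

def triage(packets, my_ip, fw_ip, fw_mac):
    """Classify every ARP reply addressed to my_ip."""
    pending = set()   # IPs this host asked about and has not heard from yet
    results = []
    for op, s_mac, s_ip, t_ip in map(parse_arp, packets):
        if op == ARP_REQUEST and s_ip == my_ip:
            pending.add(t_ip)
        elif op == ARP_REPLY and t_ip == my_ip:
            if s_ip in pending:
                pending.discard(s_ip)
                verdict = "solicited"
            elif (s_ip, s_mac) == (fw_ip, fw_mac):
                verdict = "unsolicited: known firewall"
            else:   # includes the firewall IP claimed by a different MAC
                verdict = "unsolicited: investigate"
            results.append((s_ip, s_mac, verdict))
    return results

# Constructed sample values (documentation range, locally administered MACs)
HOST_IP, HOST_MAC = "192.0.2.50", "02:00:00:00:00:50"
FW_IP, FW_MAC = "192.0.2.1", "02:00:00:00:00:01"
PEER_IP, PEER_MAC = "192.0.2.20", "02:00:00:00:00:20"
SAMPLE = [
    build_arp(ARP_REQUEST, HOST_MAC, HOST_IP, "00:00:00:00:00:00", PEER_IP),
    build_arp(ARP_REPLY, PEER_MAC, PEER_IP, HOST_MAC, HOST_IP),
    build_arp(ARP_REPLY, FW_MAC, FW_IP, HOST_MAC, HOST_IP),
    build_arp(ARP_REPLY, "02:00:00:00:00:99", FW_IP, HOST_MAC, HOST_IP),
]
```

The last sample packet claims the firewall's IP address from a different MAC address, which is the case that should be investigated rather than dismissed.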