"ARP cache poisoning attack blocked" message generated several times by the Symantec Endpoint Protection (SEP) client installed on Mac OS when a SonicWall TZ-Series hardware firewall system is being used.
In Symantec Endpoint Protection 12.1.4 for Mac and later, you see intrusion prevention signatures with a given category of "Built-in". These signatures are present even before LiveUpdate runs for the first time. One of these built-in signatures detects attempts to modify your Internet address cache using unrequested ARP (Address Resolution Protocol) packets. For more details about built-in rules, including "ARP Cache Poison", see: http://www.symantec.com/docs/TECH210644
It has been observed that the SonicWall TZ-Series hardware firewall system attempts to access the ARP cache in order to validate the allowed MAC addresses configured in its own settings. The SEP client's "Intrusion Prevention System" interprets this behavior as the attack attempt described above.
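To make "unrequested ARP packets" concrete, the following added example (not Symantec's signature logic and not part of the original article) flags ARP replies that do not answer a recent request from the host, then checks whether the sender matches the known firewall's IP and MAC. The class name, the 2-second window and all addresses are assumptions, and only ARP replies are considered.

```python
import socket
import struct

ARP_REQUEST, ARP_REPLY = 1, 2  # ARP opcodes (RFC 826)

def build_arp(oper, sha, spa, tha, tpa):  # constructed Ethernet/IPv4 ARP payload
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + mac(sha)
            + socket.inet_aton(spa) + mac(tha) + socket.inet_aton(tpa))

def parse_arp(payload):
    """Return opcode, sender MAC/IP and target IP, or None if not Ethernet/IPv4 ARP."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"oper": oper, "sha": payload[8:14].hex(":"),
            "spa": socket.inet_ntoa(payload[14:18]), "tpa": socket.inet_ntoa(payload[24:28])}

class UnsolicitedArpDetector:  # hypothetical name, for illustration only
    def __init__(self, my_ip, gateway_ip, gateway_mac, window=2.0):
        self.my_ip, self.window = my_ip, window
        self.gateway = (gateway_ip, gateway_mac.lower())
        self.pending = {}  # IP we asked about -> time of our request

    def outbound(self, payload, now):
        arp = parse_arp(payload)
        if arp and arp["oper"] == ARP_REQUEST and arp["spa"] == self.my_ip:
            self.pending[arp["tpa"]] = now

    def inbound(self, payload, now):  # None = requested reply, else a verdict string
        arp = parse_arp(payload)
        if not arp or arp["oper"] != ARP_REPLY:
            return None
        asked = self.pending.pop(arp["spa"], None)
        if asked is not None and now - asked <= self.window:
            return None  # answer to our own request
        if (arp["spa"], arp["sha"]) == self.gateway:
            return "unsolicited: known firewall"
        if arp["spa"] == self.gateway[0]:
            return "unsolicited: firewall IP with unexpected MAC"
        return "unsolicited: unknown sender"

def demo():  # constructed traffic: host asks for the firewall's MAC, then gets two replies
    me_ip, me_mac, fw_ip, fw_mac = "192.0.2.10", "02:00:00:00:00:10", "192.0.2.1", "02:00:00:00:00:01"
    det = UnsolicitedArpDetector(me_ip, fw_ip, fw_mac)
    det.outbound(build_arp(ARP_REQUEST, me_mac, me_ip, "00:00:00:00:00:00", fw_ip), now=0.0)
    reply = build_arp(ARP_REPLY, fw_mac, fw_ip, me_mac, me_ip)
    return [det.inbound(reply, now=0.1), det.inbound(reply, now=5.0)]
```

A verdict of "firewall IP with unexpected MAC" is the case to investigate before disabling any rule, since the sender IP alone does not prove the packet came from the firewall.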
You can try one of the following solutions:
Uncheck "Enable - MAC-IP based anti-spoofing" within your SonicWall device settings.
If the details of the message indicate that the "attacker's" IP address is your SonicWall TZ-Series device, you can deactivate the built-in "ARP Cache Poison" rule within the Intrusion Prevention policy of Endpoint Protection.