Hi all, this post may be a little convoluted, so please ask for any clarifying details. We have a WatchGuard UTM in bridge mode and it is dropping network traffic due to ARP spoofing detection.
A little clarification on our architecture: we have 2 Cisco routers on the boundary that also handle our DHCP and inter-VLAN traffic routing, and these devices are using HSRPv2 for fail-over. We have those routers plugged into a switch (as the UTM in bridge mode only supports 2 interfaces, internal and external) and the UTM is between that switch and our core switch. Our printers are on the 10.0.0.0/24 network along with our print server; user workstations are on a separate VLAN, so all traffic between them crosses VLANs.
The logs for the drops we are seeing are:
Mar 19 8:51:21 2019 Corporate_M400 local0.err firewall: msg_id ="3000-012C" ARP spoofing attack detected, ip=10.0.0.234, mac=3c:52:82:c2:32:50, interface=3
Mar 19 8:51:52 2019 Corporate_M400 local0.err firewall: msg_id ="3000-012C" ARP spoofing attack detected, ip=10.0.0.234, mac=00:00:0c:9f:f0:11, interface=2
The IP in question belongs to an HP LaserJet printer, and the MAC 3c:52:82:c2:32:50 is the correct one for that printer. However, the second MAC belongs to our primary router, which is handling the inter-VLAN routing.
Has anybody had any experience with this kind of issue? Is this a configuration on the routers that is doing this, or is there something on these printers themselves that may be causing this issue? Any help would be appreciated.
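A triage sketch for alerts like the two quoted above, added here as an example and not part of the original post: it groups "3000-012C" alerts by IP, lists every MAC and interface seen claiming that IP, and flags MACs in the HSRPv2 virtual MAC range (0000.0c9f.f000 to 0000.0c9f.ffff, where the last three hex digits are the group number). The function names are hypothetical, and the regex assumes the exact log layout shown in the post.

```python
import re
from collections import defaultdict

# Sample input: the two alert lines quoted in the post.
SAMPLE_LOG = """\
Mar 19 8:51:21 2019 Corporate_M400 local0.err firewall: msg_id ="3000-012C" ARP spoofing attack detected, ip=10.0.0.234, mac=3c:52:82:c2:32:50, interface=3
Mar 19 8:51:52 2019 Corporate_M400 local0.err firewall: msg_id ="3000-012C" ARP spoofing attack detected, ip=10.0.0.234, mac=00:00:0c:9f:f0:11, interface=2
"""

# Assumed layout: msg_id, then ip=, mac=, interface= in that order.
ALERT_RE = re.compile(
    r'msg_id\s*=\s*"3000-012C".*?ip=(?P<ip>[\d.]+),\s*'
    r'mac=(?P<mac>[0-9a-fA-F:]{17}),\s*interface=(?P<iface>\d+)'
)

def hsrpv2_group(mac):
    """Return the HSRPv2 group number if mac is an HSRPv2 virtual MAC, else None."""
    digits = mac.lower().replace(":", "")
    if digits.startswith("00000c9ff"):
        return int(digits[9:], 16)  # low 12 bits carry the group number
    return None

def summarize(log_text):
    """Group alerts by IP and report who claimed it and on which interface."""
    claims = defaultdict(set)
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            claims[m["ip"]].add((m["mac"].lower(), int(m["iface"])))
    report = {}
    for ip, seen in claims.items():
        groups = {hsrpv2_group(mac) for mac, _ in seen} - {None}
        report[ip] = {
            "claimants": sorted(seen),          # (mac, interface) pairs
            "hsrp_groups": sorted(groups),      # virtual-MAC claimants, by group
            "conflict": len({mac for mac, _ in seen}) > 1,
        }
    return report

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info)
```

An IP whose claimants include both a host MAC and an HSRP virtual MAC, seen on opposite bridge interfaces, points at the gateway answering ARP for that host rather than at a second device on the printer's segment.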