Configure ARP inspection

Configure ARP inspection to ensure that only valid ARP packets are accepted on your network, reducing the risk of ARP spoofing and related attacks.

  • Apply ARP inspection policies to specific interfaces and security zones.

  • Add static ARP entries for enhanced control and security.

By default, all ARP packets are allowed between bridge group members. You can control the flow of ARP packets by enabling ARP inspection.

ARP inspection prevents malicious users from impersonating other hosts or routers (known as ARP spoofing). ARP spoofing can enable a “man-in-the-middle” attack. For example, a host sends an ARP request to the gateway router; the gateway router responds with the gateway router MAC address. The attacker, however, sends another ARP response to the host with the attacker MAC address instead of the router MAC address. The attacker can now intercept all the host traffic before forwarding it on to the router.

ARP inspection ensures that an attacker cannot send an ARP response with the attacker MAC address, so long as the correct MAC address and the associated IP address are in the static ARP table.

When you enable ARP inspection, the Firewall Threat Defense device compares the MAC address, IP address, and source interface in all ARP packets to static entries in the ARP table, and takes the following actions:

  • If the IP address, MAC address, and source interface match an ARP entry, the packet is passed through.

  • If there is a mismatch between the MAC address, the IP address, or the interface, then the Firewall Threat Defense device drops the packet.

  • If the ARP packet does not match any entries in the static ARP table, then you can set the Firewall Threat Defense device to either forward the packet out all interfaces (flood), or to drop the packet.

    Note

    The dedicated Management interface never floods packets even if this parameter is set to flood.
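The three decisions above (exact match passes, mismatch drops, no entry floods or drops, with the Management interface never flooding), modeled as an added Python example that is not part of this documentation or the device's code. The interface names, IP and MAC addresses are constructed, and treating a "mismatch" as "a static entry shares the IP or MAC but not all three fields" is an assumption about how the comparison is keyed.

```python
from dataclasses import dataclass
from enum import Enum

MGMT_IF = "management"  # dedicated Management interface (assumed name)
INTERFACES = ["inside", "outside", MGMT_IF]  # constructed bridge-group members

class Action(Enum):
    PASS = "pass"
    DROP = "drop"
    FLOOD = "flood"

@dataclass(frozen=True)
class StaticArpEntry:
    interface: str
    ip: str
    mac: str

@dataclass(frozen=True)
class ArpPacket:
    src_interface: str
    sender_ip: str
    sender_mac: str

def inspect(pkt, table, flood_enabled, interfaces=INTERFACES):
    """Apply the ARP-inspection rules; return (Action, list of egress interfaces)."""
    # Rule 1: IP, MAC and source interface all match a static entry -> pass.
    if StaticArpEntry(pkt.src_interface, pkt.sender_ip, pkt.sender_mac) in table:
        return Action.PASS, []
    # Rule 2 (assumed keying): an entry shares the IP or MAC but not all fields -> drop.
    if any(e.ip == pkt.sender_ip or e.mac == pkt.sender_mac for e in table):
        return Action.DROP, []
    # Rule 3: nothing in the static table -> flood or drop, per the policy setting.
    # The dedicated Management interface never floods, whatever the setting.
    if not flood_enabled or pkt.src_interface == MGMT_IF:
        return Action.DROP, []
    # Flood out every interface except the originating and the Management interface.
    return Action.FLOOD, [i for i in interfaces if i not in (pkt.src_interface, MGMT_IF)]

# Constructed sample data: one static entry for the gateway router on "inside".
STATIC_ARP = {StaticArpEntry("inside", "10.1.1.1", "0009.7cbe.2100")}
ROUTER_REPLY  = ArpPacket("inside", "10.1.1.1", "0009.7cbe.2100")   # genuine gateway reply
SPOOFED_REPLY = ArpPacket("inside", "10.1.1.1", "0a0b.0c0d.0e0f")   # attacker MAC for gateway IP
WRONG_IFACE   = ArpPacket("outside", "10.1.1.1", "0009.7cbe.2100")  # right MAC, wrong interface
UNKNOWN_HOST  = ArpPacket("inside", "10.1.1.50", "0011.2233.4455")  # no static entry at all
MGMT_UNKNOWN  = ArpPacket(MGMT_IF, "10.1.1.60", "0011.2233.4466")   # unknown, arrives on Management

if __name__ == "__main__":
    for pkt in (ROUTER_REPLY, SPOOFED_REPLY, WRONG_IFACE, UNKNOWN_HOST, MGMT_UNKNOWN):
        print(pkt, "->", inspect(pkt, STATIC_ARP, flood_enabled=True))
```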

Use this task when you need to protect your network from ARP spoofing by validating ARP packets and controlling ARP traffic on selected interfaces and zones.

Use ARP inspection in environments where network security is a priority and static ARP entries are needed.

Before you begin

Make sure you have device access and permission to edit platform settings and ARP inspection policies.

  • Have the list of interfaces and security zones where ARP inspection will be applied.

  • Prepare the static ARP entries that you intend to add.

Procedure
Step 1

Choose Devices > Platform Settings and create or edit the Firewall Threat Defense policy.

Step 2

Select ARP Inspection.

Step 3

Add entries to the ARP inspection table.

  1. Click Add to create a new entry, or click Edit if the entry already exists.

  2. Select the desired options.

    • Inspect Enabled—To perform ARP inspection on the selected interfaces and zones.

  • Flood Enabled—Floods ARP requests that do not match static ARP entries out all interfaces except the originating interface and the dedicated management interface. This behavior is enabled by default.

      If you choose not to flood ARP requests, only requests that match static ARP entries are allowed.

  • Security Zones—Add the zones that contain the interfaces on which to perform the selected actions. The zones must be switched zones. For interfaces not in a zone, type the interface name into the field in the Selected Security Zone list and click Add. The device applies these rules only if it has the selected interfaces or zones.

  3. Click OK.

Step 4

Add static ARP entries according to Add a Static ARP Entry.

Step 5

Click Save.

You can now go to Deploy > Deploy and deploy the policy to assigned devices. The changes are not active until you deploy them.
ARP inspection is enabled on the selected interfaces and security zones. Only valid ARP packets are accepted, and static ARP entries are enforced. The policy is active after deployment.