Spoof Detected List

Spoof Detected List display is available only at the Unit level.

The Spoof Detected List displays devices that failed to pass the ingress anti-spoof cache check. With SonicOS 7.3, this list also includes devices detected by Layer 2 MAC-IP Anti-Spoof enforcement on Native Bridge member interfaces and L2B interfaces. Entries from Layer 2 enforcement include the specific Native Bridge member or L2B interface where the device was detected, enabling administrators to pinpoint the exact network segment involved. Entries on this list can be added as a static anti-spoof entry.

To view the Spoof Detected List

1. Click Request Spoof Detected List from Firewall.

Entries can be flushed from the list by clicking Flush. The name of each device can also be resolved using NetBIOS, by clicking Resolve.

Spoof Detected List entries from Native Bridge member interfaces display the member interface name (for example, X1, X2) rather than the Native Bridge Host interface name, allowing you to identify which physical port or VLAN sub-interface the spoofing device is connected to.

To add an entry to the static anti-spoof list

1. Navigate to the NETWORK | System > MAC-IP Anti-Spoof page.
2. Click the Edit icon under the Add column for the desired device. An alert message window opens, asking if you wish to add this static entry.
3. Click OK to proceed.

When investigating ARP poisoning attacks in Native Bridge deployments, cross-reference the Spoof Detected List entries with the Packet Monitor output. The Spoof Detected List identifies which device was spoofing and on which Native Bridge member interface, while Packet Monitor shows the actual dropped packets.