03-06-2023 05:03 PM
Looking for a solution for ARP spoofing within a network to protect against MitM attacks. Our security team has asked us to implement such a solution after performing a successful MitM ARP spoofing attack within a segment, simulating a compromised host.
All network segments in the data center use the PA as the gateway. The switch VLANs are L2 only. If the switches were L3 VLANs I could look at Dynamic ARP Inspection and DHCP snooping.
I've started looking at PA zone protection but uncertain if it would work and specifically what I need to configure.
Any ideas / links / experience?
03-06-2023 06:52 PM - edited 04-10-2023 12:46 PM
Hi @ParkerFoster,
You don't need L3 switches to do DAI and DHCP Snooping. They can be configured on L2 switches. It works like this:
The switch will build the DHCP Snooping binding table. Any ARP response that does not match the IP-MAC pair in the table is dropped.
04-10-2023 11:02 AM
Thanks Tom, sorry for the delayed response and thanks for your response. Two factors affecting this as a workable / scalable solution are 1) we don't use DHCP in our data centers and 2) using static MAC tables simply isn't scalable for the data center. I'm hoping Palo Zone Protection, and specifically Strict IP Address Check in Packet Based Attack Protection, will help.
04-10-2023 01:04 PM
Hi @ParkerFoster,
Strict IP Address Check under the Zone Protection Profile is a more strict version of Spoofed IP Address. Click on the ? in the upper right to see the details. Those options correspond to uRPF and Strict uRPF in the general sense.
The NGFW does not mitigate ARP spoofing. That should be done on a switch so that it can protect all devices connected to the switch.
With regard to scalability, someone manually configures the IP address of every device. You could add an extra step to configure the MAC table, or consider moving everything to DHCP.
04-10-2023 02:35 PM
Hey Tom, thanks so much for your input. One concern I have is the switch doesn't have a L3 SVI, it is L2 only. I know you said it works on L2 switch VLAN interfaces but I don't understand how a switch can enforce ARP restrictions when it sees no ARP for the VLAN.
I was thinking more about this, and if it does work, my primary concern is to protect the gateway itself, so perhaps this is do-able without worrying about scaling. Example:
arp access-list Vlan84-Gateway-Protect
 ! static entry for the Palo FW gateway only (MAC placeholder; IOS expects dotted-hex form)
 permit ip host 10.100.84.1 mac host xxx.xxx.xxx.xxx
 ! deny anyone else from claiming the gateway IP with a different MAC
 deny ip host 10.100.84.1 mac any
 ! permit all others
 permit ip any mac any
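As an added example that is not part of the original thread (nor Palo Alto or Cisco documentation), here is how an ARP ACL of this shape would be applied on a Cisco Catalyst switch running IOS. DAI does not need an SVI: the switch intercepts ARP frames in hardware as they enter untrusted ports of the VLAN, so it works on an L2-only VLAN. The VLAN number, port names and the MAC placeholder are assumptions; substitute the real uplink port and the firewall's MAC in Cisco dotted-hex form.

```cisco
! Gateway-only ARP ACL, same idea as the one in the post above
arp access-list Vlan84-Gateway-Protect
 ! the firewall's real MAC goes here (assumed placeholder, dotted-hex form)
 permit ip host 10.100.84.1 mac host xxxx.xxxx.xxxx
 ! any other MAC claiming the gateway IP is dropped
 deny ip host 10.100.84.1 mac any
 ! everything else passes; host-to-host spoofing is not covered by this ACL
 permit ip any mac any
!
! Enable DAI on the L2 VLAN and apply the ACL with "static": packets that
! match no ACE are dropped instead of being looked up in the (empty, since
! there is no DHCP) DHCP snooping binding table. Because the ACL ends with
! "permit ip any mac any", the implicit deny is never reached.
ip arp inspection vlan 84
ip arp inspection filter Vlan84-Gateway-Protect vlan 84 static
! Optional sanity checks on every inspected ARP packet
ip arp inspection validate src-mac dst-mac ip
!
! Trust the uplink that carries the firewall so its own ARP replies are
! never inspected or rate-limited (assumed port name)
interface GigabitEthernet1/0/48
 description Uplink to PA gateway (assumed)
 ip arp inspection trust
!
! Server-facing ports stay untrusted (the default) and are rate-limited
! so a flooding host errdisables itself rather than starving the VLAN
interface range GigabitEthernet1/0/1 - 47
 ip arp inspection limit rate 15
!
! Verification commands:
!   show ip arp inspection vlan 84
!   show ip arp inspection statistics vlan 84
!   show ip arp inspection interfaces
```

Without the `static` keyword, an ARP packet that matches no ACE would be checked against DHCP snooping bindings and dropped when none exist, which is why an environment without DHCP needs either `static` plus a trailing permit-all, or manual entries via `ip source binding` as mentioned above. Test the drop counters with `show ip arp inspection statistics` while repeating the security team's gratuitous-ARP test from an untrusted port.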