What is the best way to locate a rogue device's MAC address that was connected to our network using XGS firewall and/or XDR?
Hello FrasianX0, thank you for reaching out to the community. Enable Spoof protection trusted MAC.
Thanks & Regards,
Vivek Jagad | Team Lead, Global Support & Services
When you say "was connected" are you asking a hypothetical as in "given that a rogue device is connected, how would you detect it" or do you literally mean that one was connected in the past and you're trying to look back to figure out what and when?
Assuming you're wanting to look into the past: I'm thinking if the device got an IP address via DHCP, that associates a MAC address with the IP and the record of that might still be accessible. Also, there are neighbor tables that have MAC addresses of neighbors.
But MAC addresses can be spoofed, so do you really want a MAC address? What's your goal? Also, was this wired or wireless (and do you use Sophos APs)?
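
The look-back described in the reply above, as an added example that is not part of the thread and not Sophos tooling: it finds which MAC held a DHCP lease on a given IP at a given time, checks it against a neighbor table, and flags locally administered (randomized or manually set) addresses. The lease rows, the `Port2` interface name and all addresses are constructed sample data; the lease tuple layout is a hypothetical export format, and the neighbor lines follow Linux `ip neigh` output.

```python
from datetime import datetime

# Constructed sample data (not from a real firewall): lease history rows as
# (ip, mac, lease_start, lease_end) and neighbor lines in Linux `ip neigh` format.
LEASES = [
    ("10.0.5.23", "3c:52:82:11:22:33", "2024-03-01T08:00:00", "2024-03-01T12:00:00"),
    ("10.0.5.23", "da:a1:19:4b:7e:02", "2024-03-01T13:10:00", "2024-03-01T17:10:00"),
    ("10.0.5.40", "00:1b:21:aa:bb:cc", "2024-03-01T09:00:00", "2024-03-02T09:00:00"),
]
NEIGH = """10.0.5.40 dev Port2 lladdr 00:1b:21:aa:bb:cc REACHABLE
10.0.5.23 dev Port2 lladdr da:a1:19:4b:7e:02 STALE
10.0.5.99 dev Port2  FAILED"""

def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set, meaning the
    address is not a vendor burned-in one (randomized or manually assigned)."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

def macs_for_ip_at(ip, when, leases=LEASES):
    """MACs that held a lease on `ip` at time `when` (ISO 8601 string)."""
    t = datetime.fromisoformat(when)
    return [mac for lip, mac, start, end in leases
            if lip == ip
            and datetime.fromisoformat(start) <= t <= datetime.fromisoformat(end)]

def parse_neigh(text):
    """Map IP -> MAC from `ip neigh` output, skipping entries with no lladdr."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" in fields:
            table[fields[0]] = fields[fields.index("lladdr") + 1].lower()
    return table

def investigate(ip, when):
    """Combine both sources into one finding per candidate MAC."""
    current = parse_neigh(NEIGH).get(ip)
    return [{"mac": mac,
             "locally_administered": is_locally_administered(mac),
             "still_in_neighbor_table": mac == current}
            for mac in macs_for_ip_at(ip, when)]

if __name__ == "__main__":
    for finding in investigate("10.0.5.23", "2024-03-01T14:00:00"):
        print(finding)
```

A locally administered address is a hint that the MAC alone will not identify the hardware, which is the concern raised in the reply about spoofing.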