Suddenly receiving IP_SPOOF Violations in XG 210 from allowed source

As IPs are not seen correctly (obviously due to personal data hiding, GDPR perspective), I am guessing it's same public IP (65.x.x.x) from where ARP request is being seen from multiple interfaces like Port2/Port4/Port5. Could it be confirmed?

If that's the case, it violates the reverse path check and would drop against IP SPOOFING if enabled.

It looks there is some periphery switch which might be sending ARP requests on all ports of SFOS which is connected to it. 

Hi, Sanket:

Thanks for the reply. There is a UniFi switch that sits between the two firewalls.

Port 2, 4 and 5 on each firewall connects to the switch and the switch connects to the individual routers (Sprint, ATT, Comcast). The requests are being seen by all the ports but it should only go to port to as that is how the rule is setup in DNAT. 

Should I try bypassing the switch? What would be the proper way to do that in HA mode?

Thank you.

Are you facing any challenge in accessing DNATed service?

If DNAT service is accessible without any issue, it's possible that these ARP requests might be getting dropped earlier as well but not seen until packet capture is run.

Switch would be required for HA deployment so if there is no change happened on switch side recently, it might be behaving similar way earlier also.

If you are facing issue in accessing DNATed service due to this, you might want to disable spoofing functionality and check it once.

We are having DNAT issues. The two servers that we have DNATed aren't accessible from our remote location (can't ping or connect). They can ping the gateway IP but nothing behind it.

Also, spoofing functionality is not turned on I believe. Where would I check that? I usually don't touch the firewall if I can help it.

Thank you.

Could you please check under "Intrusion prevention >>> Dos and spoof protection" and "Network >>> Neighbors (ARP-NDP)" whether any functionality is enabled? Screenshot would help.

Also, please share access id over PM.

Issue solved. There was a port that was using the same IP address as the gateway IP.