Suddenly receiving IP_SPOOF Violations in XG 210 from allowed source

Question

Hello: 
 
 Yesterday I started seeing these IP_SPOOF violations from our remote site that is on the allowed list in the DNAT firewall rule. They are unable to connect or ping our DNAT devices setup behind the firewall. We can connect to them with out any problem. This happened after the latest update to the firewall ( SFOS 20.0.2 MR-2-Build378). I have rebooted both firewalls (in Active-Passive cluster) as well as the switch that connects them. I have also rebooted to router that handles the external public IP addressing. I have never seen this before. Does anyone have any thought? 
 
 Thank you

Clay Tsuhako · Accepted Answer

Issue solved. There was a port that was using the same IP address as the gateway IP.

sanket.shah · Answer

As IPs are not seen correctly (obviously due to personal data hiding, GDPR perspective), I am guessing it's same public IP (65.x.x.x) from where ARP request is being seen from multiple interfaces like Port2/Port4/Port5. Could it be confirmed? 
 If that's the case, it violates the reverse path check and would drop against IP SPOOFING if enabled. 
 It looks there is some periphery switch which might be sending ARP requests on all ports of SFOS which is connected to it.

Suddenly receiving IP_SPOOF Violations in XG 210 from allowed source

Top Replies