Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Ohad
Explorer

Proxy ARP on DMZ networks

Dear all,

 

I have a strange issue with a product called AlienVault/Ossim.

 

For those of you who are unfamiliar with this tool - This machine basically runs a vulnerability tests on whichever network you configure it to be.

 

Now I have allowed this machine to scan my entire network.. The tool works fine.

 

However - When I try to run an asset scan(A scan which tells me how many hosts the machine found and resolved its IP to its FQDN) it gives me false positives hits on my DMZ network.

 

Meaning - In a non DMZ network if I have 5 hosts in a range of 100... It will show in the result only the relevant 5

In the DMZ however - It will show the entire 100 hosts...

 

In the article of the manufactur it states that this is due to Proxy ARP:

https://success.alienvault.com/s/article/Asset-discovery-creates-an-asset-for-every-IP-address

 

But I do not have any special NAT on my DMZ... Moreover I have a No_Nat rule for all my entire local networks.

 

From what I can see in the logs, on a non-DMZ network there are only 7 hits(ICMP,80,443)

On the DMZ there are hundreds of logs(For a specific non-existing host) but all of them with the "Connection terminated before detection: Insufficient data passed.
To learn more see sk113479."

 

I would really appreciate if someone could explain to me what is this weird behavior and how to bypass it... And if I should cancel it all together. 

 

With Regards,

 

Ohad.

 

 

 

 

0 Kudos
1 Reply
Timothy_Hall
Champion
Champion

This is unlikely to be related to proxy ARP unless you have mistakenly set up an Automatic Static NAT for a network object when you meant to do a Hide NAT.  fw ctl arp can be used to verify that the firewall is not trying to proxy ARP for nonexistent DMZ addresses.

This is almost certainly due to the "Protocol Signature" option being set on the service object(s) your DMZ scan is matching in the policy, please carefully read my post in the following thread in its entirety:  Enable Protocol Signature by default

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events