Proxy ARP on DMZ networks
Dear all,
I have a strange issue with a product called AlienVault/OSSIM.
For those of you who are unfamiliar with this tool: this machine basically runs vulnerability tests on whichever network you configure it to.
Now I have allowed this machine to scan my entire network. The tool works fine.
However, when I try to run an asset scan (a scan which tells me how many hosts the machine found and resolved its IP to its FQDN), it gives me false positive hits on my DMZ network.
Meaning, in a non-DMZ network, if I have 5 hosts in a range of 100, it will show in the result only the relevant 5.
In the DMZ, however, it will show the entire 100 hosts.
In the manufacturer's article it states that this is due to Proxy ARP:
https://success.alienvault.com/s/article/Asset-discovery-creates-an-asset-for-every-IP-address
But I do not have any special NAT on my DMZ. Moreover, I have a No_Nat rule for all my local networks.
From what I can see in the logs, on a non-DMZ network there are only 7 hits (ICMP, 80, 443).
On the DMZ there are hundreds of logs (for a specific non-existing host), but all of them with "Connection terminated before detection: Insufficient data passed. To learn more see sk113479."
I would really appreciate it if someone could explain to me what this weird behavior is and how to bypass it... and if I should cancel it altogether.
With Regards,
Ohad.
This is unlikely to be related to proxy ARP unless you have mistakenly set up an Automatic Static NAT for a network object when you meant to do a Hide NAT. fw ctl arp can be used to verify that the firewall is not trying to proxy ARP for nonexistent DMZ addresses.
This is almost certainly due to the "Protocol Signature" option being set on the service object(s) your DMZ scan is matching in the policy. Please carefully read my post in the following thread in its entirety: Enable Protocol Signature by default
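The pattern the question describes (a handful of ICMP/80/443 hits for a real host versus hundreds of "Connection terminated before detection: Insufficient data passed" entries for an address nobody answers) can be checked from the logs before touching the gateway. The script below is an added example written for this page; it is not from the thread, from AlienVault or from Check Point. The key=value log layout, the field names and the sample lines are constructed for the example, so map them onto whatever export format your log server produces. The heuristic follows the reply's diagnosis: a destination whose every entry is an insufficient-data termination was "accepted" only by a Protocol Signature service object that then closed the idle connection, so it is a scan artefact, not an asset, whereas any completed connection or ICMP reply marks a live host. Whether the firewall is also answering ARP for those addresses is still best confirmed on the gateway with fw ctl arp, as the reply says.

```python
"""Separate live hosts from phantom asset-scan hits in firewall logs.

A phantom host is one whose only log entries are Protocol Signature
"Insufficient data passed" terminations; a live host has at least one
entry that completed normally (ICMP reply, established TCP session).
"""
import re
from collections import defaultdict

# Text quoted in the thread for connections closed before the protocol was identified.
INSUFFICIENT_DATA = "Insufficient data passed"

# Constructed sample lines in an assumed key=value layout (not a real Check Point export).
# 10.10.20.0/24 plays the DMZ, 192.168.1.0/24 the LAN, 192.168.1.50 the scanner.
SAMPLE_LOGS = """\
src=192.168.1.50 dst=10.10.20.5 service=443 action=Accept info="Connection terminated before detection: Insufficient data passed. To learn more see sk113479."
src=192.168.1.50 dst=10.10.20.5 service=80 action=Accept info="Connection terminated before detection: Insufficient data passed. To learn more see sk113479."
src=192.168.1.50 dst=10.10.20.5 service=443 action=Accept info="Connection terminated before detection: Insufficient data passed. To learn more see sk113479."
src=192.168.1.50 dst=10.10.20.6 service=80 action=Accept info="Connection terminated before detection: Insufficient data passed. To learn more see sk113479."
src=192.168.1.50 dst=10.10.20.6 service=443 action=Accept info="Connection terminated before detection: Insufficient data passed. To learn more see sk113479."
src=192.168.1.50 dst=10.10.20.10 service=443 action=Accept info="Connection terminated before detection: Insufficient data passed. To learn more see sk113479."
src=192.168.1.50 dst=10.10.20.10 service=443 action=Accept
src=192.168.1.50 dst=10.10.20.10 service=80 action=Accept
src=192.168.1.50 dst=192.168.1.15 service=icmp action=Accept
src=192.168.1.50 dst=192.168.1.15 service=80 action=Accept
src=192.168.1.50 dst=192.168.1.15 service=443 action=Accept
"""

# key=value pairs; a value is either a double-quoted string or a run of non-whitespace.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one key=value log line into a dict, stripping quotes from quoted values."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def summarize_hosts(lines):
    """Return {dst: (total_entries, insufficient_data_entries)} for every destination seen."""
    counts = defaultdict(lambda: [0, 0])
    for line in lines:
        if not line.strip():
            continue
        record = parse_line(line)
        dst = record.get("dst")
        if dst is None:
            continue
        counts[dst][0] += 1
        if INSUFFICIENT_DATA in record.get("info", ""):
            counts[dst][1] += 1
    return {dst: tuple(pair) for dst, pair in counts.items()}


def classify_hosts(lines):
    """Label a destination 'phantom' when nothing ever completed towards it, else 'live'."""
    return {
        dst: "phantom" if total == insufficient else "live"
        for dst, (total, insufficient) in summarize_hosts(lines).items()
    }


def phantom_hosts(lines):
    """Sorted destinations that look like Protocol Signature artefacts rather than assets."""
    return sorted(dst for dst, label in classify_hosts(lines).items() if label == "phantom")


if __name__ == "__main__":
    lines = SAMPLE_LOGS.splitlines()
    summary = summarize_hosts(lines)
    for dst, label in sorted(classify_hosts(lines).items()):
        total, insufficient = summary[dst]
        print(f"{dst:15} {label:8} {insufficient}/{total} insufficient-data terminations")
```

Run against the constructed sample, 10.10.20.5 and 10.10.20.6 come out as phantom while 10.10.20.10 stays live despite one insufficient-data entry of its own, which is the point: a single incomplete probe is normal scanner noise, and only a destination with nothing but such entries should be treated as an artefact. Hosts that appear in the asset scan but never appear in the logs at all are a separate case this heuristic does not cover.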
