Ensure 'noproxyarp' is enabled for untrusted interfaces

Information

Disables the Proxy-ARP function on untrusted interfaces

Rationale:

The Firepower appliance replies to ARP requests for IP addresses belonging to its interfaces' subnets, and also for global IP addresses in some NAT configurations. Where the appliance is not required to act as a proxy for ARP requests, the Proxy-ARP function should be disabled, especially on untrusted interfaces, since an attacker can impersonate a legitimate device by spoofing its IP address, issue ARP requests, and thereby receive packets intended for that device.

Solution

Use the Predefined FlexConfig object found in Firepower Management Center:

FlexConfig Object Name - Sysopt_noproxyarp
Configures noproxy-arp CLIs.
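The FlexConfig object above pushes the ASA/FTD CLI command sysopt noproxyarp <interface_name>, one line per interface. The following Python script is an added example, not part of this audit item or of Tenable's or Cisco's own code: it parses a constructed running-config excerpt (not captured from a real device), treats every interface whose security-level is below an assumed threshold of 100 as untrusted, and reports which of those interfaces still lack a sysopt noproxyarp line. The threshold, the interface names and the addresses are assumptions chosen for the illustration.

```python
"""Check an ASA/FTD-style running-config for 'sysopt noproxyarp' on untrusted interfaces."""
import re
from typing import Dict, List

# Constructed sample running-config excerpt (not captured from a real device).
# 'outside' is untrusted and already has Proxy-ARP disabled; 'dmz' is untrusted
# but has no matching sysopt line, so Proxy-ARP is still enabled there.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.0.2.1 255.255.255.0
!
sysopt noproxyarp outside
"""

# Assumed policy for this example: any interface with a security-level below
# this value is considered untrusted and must have Proxy-ARP disabled.
UNTRUSTED_MAX_LEVEL = 100


def parse_interfaces(config: str) -> Dict[str, int]:
    """Return {nameif: security_level} for every named interface block."""
    interfaces: Dict[str, int] = {}
    name = None
    level = None
    # A trailing "!" sentinel closes the last block if the excerpt ends inside it.
    for line in config.splitlines() + ["!"]:
        if line.startswith(" "):
            # Indented lines belong to the interface block currently being read.
            m = re.match(r"\s+nameif\s+(\S+)", line)
            if m:
                name = m.group(1)
            m = re.match(r"\s+security-level\s+(\d+)", line)
            if m:
                level = int(m.group(1))
            continue
        # Any non-indented line ends the current block; record it if complete.
        if name is not None and level is not None:
            interfaces[name] = level
        name = None
        level = None
    return interfaces


def noproxyarp_interfaces(config: str) -> List[str]:
    """Return the interface names that have an explicit 'sysopt noproxyarp' line."""
    return re.findall(r"^sysopt noproxyarp (\S+)\s*$", config, flags=re.MULTILINE)


def audit_noproxyarp(config: str, untrusted_max_level: int = UNTRUSTED_MAX_LEVEL) -> Dict[str, List[str]]:
    """Classify each untrusted interface as 'pass' (noproxyarp set) or 'fail'."""
    protected = set(noproxyarp_interfaces(config))
    result: Dict[str, List[str]] = {"pass": [], "fail": []}
    for name, level in sorted(parse_interfaces(config).items()):
        if level >= untrusted_max_level:
            continue  # trusted interface; this check applies only to untrusted ones
        bucket = "pass" if name in protected else "fail"
        result[bucket].append(name)
    return result


if __name__ == "__main__":
    findings = audit_noproxyarp(SAMPLE_CONFIG)
    for ifname in findings["pass"]:
        print(f"PASS  sysopt noproxyarp {ifname}")
    for ifname in findings["fail"]:
        print(f"FAIL  Proxy-ARP still enabled on untrusted interface '{ifname}'")
```

On a real appliance the input would be the output of show running-config; the script only looks at interface blocks and sysopt lines, so the rest of the configuration can be passed through unchanged.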

See Also

https://www.cisco.com/c/en/us/td/docs/security/firepower/640/hardening/ftd/FTD_Hardening_Guide_v64.html

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(16)

Plugin: Cisco_Firepower

Control ID: dfe7309009f79eec3955cabb736a82907df1a542b9adf395d08e1af5c18c07ea