Neighbors (ARP–NDP)

Sophos Firewall uses the Address Resolution Protocol (ARP) and Neighbor Discovery Protocol (NDP) to enable communication between hosts residing on the same subnet. It uses these protocols to create IP/MAC mappings and stores them in neighbor caches. Static mappings are also supported. The firewall uses cached entries to detect neighbor poisoning attempts.

ARP is used for discovering the link layer address (MAC address) associated with an IPv4 address. Hosts find the physical address of other hosts by sending an ARP query packet that includes the IP address of the receiver. When the response is returned, the firewall updates the neighbor cache with the corresponding MAC address. To minimize the broadcast traffic, the firewall reuses previously learned IP/MAC mappings. NDP provides similar functionality for IPv6 addresses.


The default timeout for ARP and NDP requests is 600 seconds (10 minutes).

Dynamic neighbor entries are learned entries and are updated dynamically.

  • To view a neighbor cache, select IPv4 neighbor cache or IPv6 neighbor cache from the Show list.

Neighbor caches persist until they are flushed. Flushing the caches allows new information (for example, a changed IP address) to be learned and stored in the caches.

  • To specify the interval at which the caches are automatically flushed, type a value for the Neighbor cache entry timeout and click Apply.
  • To manually flush a cache, select a cache from the Show list and click Flush.

Static neighbor entries are defined and updated manually. A static neighbor entry allows you to bind a MAC address to an IP address and port. Once the MAC address is bound to a port and IP address, the firewall will remove any dynamically cached references to that IP address, and will not allow additional static mappings of that IP address. The firewall will not respond to that IP/MAC pair on any other port.

  • To view static neighbor entries, select Static neighbor table from the Show list.
  • To add a static entry, click Add.

The firewall performs the neighbor lookup in the static neighbor table when it receives the request on a specific port. If an entry is not available in the table, the firewall will check the neighbor caches and add the MAC address if required.

When the firewall performs the neighbor lookup in the static neighbor table and finds a mismatch in the IP address or MAC address, it treats the request as a neighbor poisoning attempt and does not update the neighbor cache.

  • To record possible poisoning attempts, select the Log possible neighbor poisoning attempts check box and click Apply.


    You can view ARP poisoning attempts in the CLI console with the drop-packet-capture command. See drop-packet-capture.

Neighbor poisoning

In the following example, IP1 is mapped to MAC1 and the IP1/MAC1 pair is bound to port A. Similarly, IP2 is mapped to MAC1 and the IP2/MAC1 pair is bound to port A.

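| IP address | MAC address | Port                  | Neighbor poisoning attempt? |
|------------|-------------|-----------------------|-----------------------------|
| IP1        | MAC1        | Any other port than A | Yes                         |
| IP1        | MAC2        | A                     | Yes                         |
| IP1        | MAC2        | Any other port than A | Yes                         |
| IP3        | MAC1        | No static ARP         | No                          |
| IP2        | MAC1        | Any other port than A | Yes                         |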
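
The decision logic behind the table above can be modeled in a few lines. This is an added example, not Sophos Firewall code: the class and function names are hypothetical, port "B" stands for "any other port than A", and logging of poisoning attempts is assumed to be enabled.

```python
# Added illustration: a simplified model of the static-neighbor check described
# on this page. It is not Sophos Firewall code; all names are hypothetical.
from dataclasses import dataclass, field

@dataclass
class NeighborTables:
    static: dict = field(default_factory=dict)  # ip -> (mac, port)
    cache: dict = field(default_factory=dict)   # ip -> mac (dynamic entries)
    log: list = field(default_factory=list)     # recorded poisoning attempts

    def add_static(self, ip, mac, port):
        # Only one static mapping per IP address is allowed.
        if ip in self.static:
            raise ValueError(f"{ip} already has a static mapping")
        self.static[ip] = (mac, port)
        # Binding removes any dynamically cached reference to that IP.
        self.cache.pop(ip, None)

    def observe(self, ip, mac, port):
        """Return True if the observation is treated as a poisoning attempt."""
        bound = self.static.get(ip)
        if bound is None:
            # No static entry for this IP: fall back to the neighbor cache.
            self.cache[ip] = mac
            return False
        if bound != (mac, port):
            # Mismatch in MAC or port: leave the cache alone, log the attempt.
            self.log.append((ip, mac, port))
            return True
        return False

def table_rows():
    # Constructed sample: the bindings and the five rows from the table.
    t = NeighborTables()
    t.add_static("IP1", "MAC1", "A")
    t.add_static("IP2", "MAC1", "A")
    rows = [("IP1", "MAC1", "B"), ("IP1", "MAC2", "A"), ("IP1", "MAC2", "B"),
            ("IP3", "MAC1", "B"), ("IP2", "MAC1", "B")]
    return [t.observe(*r) for r in rows], t

if __name__ == "__main__":
    results, tables = table_rows()
    print(results, tables.cache, tables.log)
```

The lookup is keyed on the IP address, which is why IP3 with MAC1 is not flagged: IP3 has no static entry, so the request falls through to the neighbor cache.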