A customer's IoT devices, such as cameras, are deployed outdoors. To prevent malicious personnel from accessing the intranet, it is necessary to block devices that attempt to impersonate access.

Step 1.Navigate to SOC > IoT Security > Asset Discovery. In the Identification Method section, select Enable endpoint traffic identification or Enable active endpoint scan to identify the corresponding trusted assets.

Step 2.Go to Policies > Network Security > Spoofed Access, select Enable spoofed access detection, then select the Block option, as shown below:

Step 3.After the asset discovery identifies the camera asset, unplug the camera's network cable and connect it to a PC with the same IP address as the camera. After waiting for a while, check the asset list and security log. You can see that the MAC address of the spoofed access detected has changed, and the action is Deny.

Step 4.To remove the block, go to SOC > Blacklist/Whitelist > Blacklist > Temporary Blacklist, then select the IP and click the Delete button.

If Sangfor Network Secure is deployed in single-arm bypass mode, and you want to block spoofed behavior endpoints, you have to turn on the Send a TCP reset message to deny a request option in System > General Settings > Network.