
Limitations and Precautions for Network Deception

Hardware Requirements

All models support DecoySensors except the USG6635E/6655E, USG6680E, and USG6712E/6716E.

License Requirement

DecoySensors are not license-controlled.

Restrictions

  • DecoySensors cannot detect the scanning of the network segment where the secondary IP address of an interface resides.

  • If a subnet has multiple DecoySensors, one of them is automatically elected as the master DecoySensor to detect IP address scanning.

  • If a subnet has multiple DecoySensors, a new master DecoySensor will be elected within 10 minutes after the original master DecoySensor stops working.

  • The DecoySensors cannot be switched along with a VRRP group. Therefore, VRRP group addresses cannot serve as source addresses to connect to Decoys.

  • When the DecoySensor detects IP address scanning, it needs to access the VLAN of the switch. The interface connecting the switch to the DecoySensor must meet the following requirements:

    • If DHCP Snooping, IPSG, DAI, or EAI is enabled on the switch, dhcp snooping trusted must be configured on the interface.

    • undo port-security enable must not be run on the interface to enable port security.

  • DecoySensors do not detect scanning behavior in NATed traffic if only source NAT is performed on that traffic.

  • DecoySensors do not deceive the traffic of services that are not supported by Decoys.

  • When the FW functions as a DecoySensor, the management interface cannot be used for deception.

Copyright © Huawei Technologies Co., Ltd.