Traffic Sentinel makes use of sFlow® to collect Time To Live (TTL) data from devices throughout the network in order to detect routers. Every router changes TTL values and correlating TTL values allows the unauthorized NAT devices to be identified (see Detecting NAT Devices using sFlow ).
When a policy violation occurs, a Security notification is generated:
Drilling down on the critical security status leads to a more detailed description of the notification, showing that an unknown router has been detected:
The MAC address of the newly detected router is 00095B186BDD and it appears to be manufactured by Netgear. The Interface column indicates that the Netgear router connects to the network on interface 72 of switch 172.16.9.13.
Clicking on the Interface link provides additional information about the location of Netgear router.