JozkoMrkvicka
Mentor

Monitoring of Anti-Spoofing traffic

Hello guys,

Is there any way to monitor anti-spoofing traffic in R77.30? I know that I can choose Alert, Log or None in the spoofing properties for a specific interface. But does anyone know how to send, for example, a syslog event in case the gateway recognizes spoofing traffic? Or send mail ...

Searching all logs for the word "spoofing" in the Information field isn't a good approach... There must be something on the CLI to check whether an interface has faced spoofing traffic (as it issues a log event towards the log server).

Thanks for every suggestion in advance.

Kind regards,
Jozko Mrkvicka
15 Replies
PhoneBoy
Admin

One place you can see anti-spoofing drop packets (albeit not on a specific interface) is cpview.

If you want Alerts to run a script, you can set that in Global Properties (but will apply for anything with Log type set to Alert):

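A user-defined alert script that does what the original post asks for (forward the alert, and in particular anti-spoofing events, to syslog), added here as an example; it is not code from the thread or from Check Point. It assumes, as sk56701 describes, that alertd hands the triggering log record to the script on standard input as one line of `key: value;` pairs. The field names `action`, `i/f_name`, `src`, `dst` and `message_info`, the sample record, the path /var/tmp/cp_alert.py and the presence of a Python interpreter on the gateway are assumptions made for the example (the same logic ports to a shell script that calls `logger`).

```python
#!/usr/bin/env python
# Added example (not Check Point's own code): a user-defined alert script
# that forwards the triggering log record to syslog.
#
# Assumptions, stated as such: alertd passes the log record that fired the
# alert on standard input as one line of "key: value;" pairs (the shape
# sk56701 describes); the field names used below match a gateway record;
# SAMPLE_RECORD is constructed for this example, not captured. Install at a
# full path such as /var/tmp/cp_alert.py, chmod 755, and point Global
# Properties > Log and Alert > Alerts at that path.
import sys
import syslog

SPOOF_MARKER = "spoofing"   # wording found in the Information field of an anti-spoofing log

# Constructed sample of what the script is expected to receive on stdin.
SAMPLE_RECORD = (
    "action: drop; i/f_dir: inbound; i/f_name: eth1.50; "
    "src: 192.168.99.5; dst: 10.20.30.1; proto: icmp; "
    "message_info: Address spoofing; product: VPN-1 & FireWall-1;"
)


def parse_record(line):
    """Turn 'key: value; key2: value2;' into a dict (only the first ':' splits,
    so values like times keep their own colons; later duplicate keys win)."""
    rec = {}
    for field in line.strip().split(";"):
        key, sep, value = field.partition(":")
        if sep:
            rec[key.strip()] = value.strip()
    return rec


def is_spoofing(rec):
    """True when the record is an anti-spoofing event."""
    info = " ".join((rec.get("message_info", ""), rec.get("information", "")))
    return SPOOF_MARKER in info.lower()


def format_message(rec):
    """One-line key=value message that is easy to match on a SIEM."""
    return "cp-alert action=%s if=%s src=%s dst=%s info=\"%s\"" % (
        rec.get("action", "?"), rec.get("i/f_name", "?"),
        rec.get("src", "?"), rec.get("dst", "?"),
        rec.get("message_info", ""))


def priority(rec):
    """Spoofing goes out as LOG_WARNING so it can be routed separately; the rest as LOG_INFO."""
    return syslog.LOG_WARNING if is_spoofing(rec) else syslog.LOG_INFO


def forward(rec):
    """Write the record to the local syslog (facility local4); returns the priority used."""
    prio = priority(rec)
    syslog.openlog("cp-alert", syslog.LOG_PID, syslog.LOG_LOCAL4)
    syslog.syslog(prio, format_message(rec))
    syslog.closelog()
    return prio


if __name__ == "__main__":
    # alertd should deliver one record per invocation; handle several lines anyway.
    for line in sys.stdin.read().splitlines():
        if line.strip():
            forward(parse_record(line))
```

Test it without waiting for a real alert with `echo "$SAMPLE" | python /var/tmp/cp_alert.py` and check `/var/log/messages` (or wherever local4 is routed); once it works there, the gateway's normal syslog forwarding carries the message to the collector, which is the syslog/mail integration the original question asks about.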
JozkoMrkvicka
Mentor

Thanks, I will check that.

What is the default path of that UserDefined script? Or can I use the full path of the script, like /var/tmp/testing.sh?

Kind regards,
Jozko Mrkvicka
PhoneBoy
Admin

You can use full path.

Offhand I am not sure what the default path is for this screen.

JozkoMrkvicka
Mentor

I did not manage to get it to work :(

First, I want to test it via a specific rule, so I have created a new rule with Track: "Alert". My understanding is that the script located at /var/log/test.sh should be executed every time this specific rule is matched.

My settings in Global Properties:

According to the logs, the specific traffic is matched and I also see the Alert in the logs. The only problem is that it didn't activate the script.

I also tried setting Track to "UserDefined", and with this setup the script was executed.

Is there any way to do the same just for Alert (as in Anti-Spoofing in R77.30 only the following options are available):

Kind regards,
Jozko Mrkvicka
PhoneBoy
Admin

As far as I know both of these things should operate exactly the same.

I would open a TAC case.

JozkoMrkvicka
Mentor

Aren't some stats included in $FWDIR/state/local/FW1/local.set? How does cpview (SecureXL) know how many packets were dropped because of anti-spoofing?

Kind regards,
Jozko Mrkvicka
_Val_
Admin

Look into sk56701; there are some ideas on how to make it work. The fact that the script is not working means there is something wrong with it. Most probably variables.

JozkoMrkvicka
Mentor

Hi Valeri,

The script is working in case I choose "UserDefined" in Track option for the particular rule.

In case I want to do the same for "Alert", it will not work.

My script looks like:

My rule looks like (it will not execute script):

This rule will execute the script:

And my Alert settings looks like:

Kind regards,
Jozko Mrkvicka
_Val_
Admin

That must be true. "Run popup alert script" means the binary is under $FWDIR/bin. If it is not, it is qualified as a "User defined alert".

JozkoMrkvicka
Mentor

Dameon Welch Abernathy, Valeri Loukine: issue solved with the following configuration of Alerts in Global Properties:

So now my final question is:

How can I simulate Address Spoofing for interface eth1.50 with subnet 10.20.30.0/24 to see if this is really working in case I select Alert in the Anti-Spoofing Tracking option?

NOTE: I am running an internal LAB in VMware, so I can do (almost) everything :)

Kind regards,
Jozko Mrkvicka
PhoneBoy
Admin

Create a VM with the desired address and try to ping "through" the firewall?

You'll probably have to muck with the routing/ARP tables to make it work right.

_Val_
Admin

Easy: configure anti-spoofing manually and exclude some parts of your network attached to this interface. Like, instead of /24 do less than that.

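An offline model of the check that both suggestions above rely on, added here as an example; it is not code from the thread or from Check Point, and it is meant for planning the lab test on a workstation, not for running on the gateway. It assumes the anti-spoofing rule is: a packet arriving on an internal interface is spoofed when its source address lies outside that interface's topology, and on the External interface it is spoofed when its source belongs to some internal interface's topology. The interface names and 10.20.30.0/24 are from the original question; the test addresses 192.168.99.5 and 10.20.30.200 and the /25 split are constructed for the example.

```python
#!/usr/bin/env python3
# Added example (not Check Point's own code): an offline model of the
# anti-spoofing check, used to plan which lab packets should trip it.
#
# Assumptions, stated as such: an internal interface drops sources outside
# its topology; the External interface drops sources that belong to an
# internal interface's topology. Interface names and 10.20.30.0/24 come from
# the original question; 192.168.99.5, 10.20.30.200 and the /25 split are
# constructed test values.
from ipaddress import ip_address, ip_network

EXTERNAL = "external"

# Lab topology as the OP describes it: 10.20.30.0/24 sits behind eth1.50.
LAB_TOPOLOGY = {
    "eth0": EXTERNAL,
    "eth1.50": ["10.20.30.0/24"],
}


def internal_networks(topology):
    """All networks defined behind internal (non-external) interfaces."""
    return [ip_network(n) for nets in topology.values()
            if nets != EXTERNAL for n in nets]


def is_spoofed(iface, src, topology):
    """True when the anti-spoofing check on `iface` would drop a packet from `src`."""
    addr = ip_address(src)
    nets = topology[iface]
    if nets == EXTERNAL:
        # External: anything that claims to come from an internal network is spoofed.
        return any(addr in n for n in internal_networks(topology))
    return not any(addr in ip_network(n) for n in nets)


def narrow(topology, iface, networks):
    """Val's trick: return a copy of the topology with `iface` restricted to
    `networks` (e.g. /25 instead of /24), so real hosts in the excluded range
    are classified as spoofed without changing anything on the host side."""
    narrowed = dict(topology)
    narrowed[iface] = list(networks)
    return narrowed


def plan(topology, packets):
    """Classify (iface, src) pairs; returns [(iface, src, 'spoofed' | 'legal'), ...]."""
    return [(i, s, "spoofed" if is_spoofed(i, s, topology) else "legal")
            for i, s in packets]


if __name__ == "__main__":
    # PhoneBoy's approach: a VM on the eth1.50 segment with an address outside
    # the /24 (192.168.99.5). Val's approach: leave the VM at 10.20.30.200 and
    # shrink the interface topology to 10.20.30.0/25.
    packets = [("eth1.50", "10.20.30.10"), ("eth1.50", "10.20.30.200"),
               ("eth1.50", "192.168.99.5"), ("eth0", "10.20.30.200")]
    for row in plan(LAB_TOPOLOGY, packets):
        print("full /24  ", row)
    for row in plan(narrow(LAB_TOPOLOGY, "eth1.50", ["10.20.30.0/25"]), packets):
        print("narrow /25", row)
```

Whichever approach is used, the test packet still has to reach the gateway's interface: with the out-of-range VM address that means a static route or ARP entry on the gateway so the traffic is not dropped for an unrelated reason, whereas with the narrowed topology the host keeps its normal address and routing and only the interface's anti-spoofing definition changes, which is why it is the simpler lab setup.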
Rohit_Gandas
Participant

Hello Jozko,

Were you able to perform this? I also want to perform an anti-spoofing lab in VMware. I don't know how to do it.

JozkoMrkvicka
Mentor

No, I was not able to simulate antispoofing traffic 😕

Kind regards,
Jozko Mrkvicka
Rohit_Gandas
Participant

I was able to.

Have a look at this article I made on anti-spoofing.
