topic Re: Show Address Spoofing Networks via CLI in Scripts

Show AntiSpoofing Networks via CLI

HeikoAnkenbrand — Thu, 30 Oct 2025 21:41:16 GMT

This CLI command shows you the address spoofing networks as list and the IP settings per interface. Type this command on security gateway.

Last version from 30-10-2025- command:

ifconfig -a |grep -B 1 inet |grep encap| awk '{print $1}' | grep -v lo | grep -v ":" | grep -v ^lo | xargs -I % sh -c 'echo %;echo -n " VIP "; cphaprob -a if |grep %|grep -v U|grep -v D | cut -c16-| tr -d "\r\n" ;echo;echo -n " IP ";ifconfig % | grep "inet addr" | cut -d ":" -f 2 | cut -d " " -f 1;echo -n " Mask " ;ifconfig % | sed -rn "2s/ .*:(.*)$/\1/p";echo -en " ANTISPOOFING ENABLED:\t";more $FWDIR/state/local/FW1/local.set |grep -A 30 % | grep has_addr_info | cut -c17- | tr \) " " |sort -n| uniq ; echo -en " ANTISPOOFING MODE:\t"; if [ `more $FWDIR/state/local/FW1/local.set |grep -A 30 % | grep monitor_only | cut -c16- | tr \) " " |sort -n| uniq| grep -o false` ]; then echo "PREVENT"; else echo "DETECT"; fi; echo -en " ANTISPOOFING TOPO:\t"; if [ `more $FWDIR/state/local/FW1/local.set |grep -A 30 % | grep external | cut -c12- | tr \) " " |sort -n| uniq| grep -o true` ]; then echo "External"; else echo "Internal"; fi;echo " ADDRESS SPOOFING NETWORKS:";more $FWDIR/state/local/FW1/local.set | grep -A 30 %|grep ": (\""|sort -n| uniq |tr \<\>\:\" \ ;echo " "'

Now you can see the states of:

- ANTISPOOFING ENABLED
- ANTISPOOFING MODE
- ANTISPOOFING TOPO

Here is a demo video:

(view in My Videos)

Re: Show Address Spoofing Networks via CLI

Petra_Angelmahr — Sat, 23 Jun 2018 08:25:17 GMT

Hi Heiko,

It's a very nice command.

Perhaps this can be extended even further:
ethtool settings - speed, duplex,...

Re: Show Address Spoofing Networks via CLI

Ulf_Wegner — Sat, 23 Jun 2018 08:54:47 GMT

Nice command!

Re: Show Address Spoofing Networks via CLI

Silvia_Day — Sat, 23 Jun 2018 09:20:16 GMT

Hi Heiko,

I've been looking for this for years.

Thanks, I'll give you a badge.

THX

Silvia

Re: Show Address Spoofing Networks via CLI

Kan_Torres — Sun, 24 Jun 2018 16:14:56 GMT

This one-liner is very helpful. Can you also add routes for the interface? This makes it easier to see which networks are missing.

Re: Show Address Spoofing Networks via CLI

Til_Hall — Mon, 25 Jun 2018 05:49:19 GMT

Nice

Re: Show Address Spoofing Networks via CLI

HeikoAnkenbrand — Mon, 25 Jun 2018 12:33:22 GMT

Thanks to Danny Jung (One-liner for Address Spoofing Troubleshooting) for the inspiration and to Timothy Hall (CLI Anti-Spoofing Information ) for the infos.

THX

Heiko

Re: Show Address Spoofing Networks via CLI

Nuno_Thome — Tue, 26 Jun 2018 11:28:46 GMT

Is ist possible to add more interface settings:

- ethtool speed, duplex, driver,...

- routes

...

Re: Show Address Spoofing Networks via CLI

Regi_Suhm — Fri, 29 Jun 2018 08:20:31 GMT

Nice!

Re: Show Address Spoofing Networks via CLI

Udo_Struess — Mon, 02 Jul 2018 13:30:49 GMT

Nice command.

Re: Show Address Spoofing Networks via CLI

Ukko_Metsola — Mon, 23 Jul 2018 07:15:32 GMT

LOL - Nice command.

Re: Show Address Spoofing Networks via CLI

Timothy_Hall — Tue, 23 Oct 2018 13:21:08 GMT

Glad to see such a great tool. Also wanted to mention this SK detailing a situation in which performing a "Get Interfaces WITHOUT Topology" will change the antispoofing state from Disabled to Enabled (with Prevent) on firewall interfaces! Needless to say this can result in some unexpected issues:

sk136372: Get Interfaces without topology resets anti-spoofing to Enabled/Prevent

This may necessitate disabling gateway anti-spoofing enforcement "on the fly" as detailed in my presentation here:

Best of CheckMates CLI

The fix for this issue was rolled into R80.10 GA Jumbo HFA 154:

R80.10: New Jumbo Hotfix (Take 154) GA-Release

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Re: Show Address Spoofing Networks via CLI

Kaspars_Zibarts — Mon, 19 Nov 2018 13:18:00 GMT

Hey buddy. Was this tested with R77.30 as well or just R80.10? On one of my old clusters that runs R77.30 it returned ton of false results as it greps too far when looking for spoofing subnets. Maybe worth adding a note if it only works or was tested on R80.10 Or even better, doesn't run on R77.30

To give you an example

but with the current command following 30 lines you will get 2 extra subnets reported:

reducing grep search to 25 lines helps but I'm not too sure how would it behave in case you had very long list of subnets

might need to re-think the approach for filtering those subnets

Re: Show Address Spoofing Networks via CLI

Kaspars_Zibarts — Mon, 19 Nov 2018 13:36:39 GMT

Also Mgmt interface may return a lot of rubbish as it may match string "Mgmt" in the file, it's a fairly common string

Better is to add leading bracket

Re: Show Address Spoofing Networks via CLI

Kaspars_Zibarts — Mon, 19 Nov 2018 13:38:40 GMT

Much better! I though there was another one but this one came as top search...

Re: Show Address Spoofing Networks via CLI

Kaspars_Zibarts — Mon, 19 Nov 2018 18:53:50 GMT

I had it on some but not this particular cluster

Re: Show Address Spoofing Networks via CLI

Sven_Glock — Wed, 05 Dec 2018 09:30:54 GMT

Very nice one-liner! Thumbs up!

Is there a chace to move R&D to implement a simple command for this?

Re: Show Address Spoofing Networks via CLI

Austin_Packer2 — Thu, 28 Feb 2019 20:00:25 GMT

Great command, certainly very useful.

As an aside, can either this command be adapted, or is there an alternative for pulling this information from a VS or VR on VSX? I am right in thinking the local.set file contains only the interface configuration for the VSX GW and not the VRs or VSs.

Thanks,

Re: Show Address Spoofing Networks via CLI

Kaspars_Zibarts — Fri, 01 Mar 2019 09:59:37 GMT

Hi, I prefer using Danny Jung one-liner for getting spoofing info. So it will work on any VS as long as you set vsenv x environment beforehand manually

echo; egrep -B1 $'ifindex|:ipaddr|\(\x22<[0-9]|has_addr_info|:monitor_only|:external' $FWDIR/state/local/FW1/local.set | sed 's/[\x22\t()<>]//g' | sed 's/--//g' | sed 'N;s/\n:ipaddr6/ IPv6/;P;D' | sed '/IPv6/!s/://g' | sed 's/interface_topology/\tCalculated Interface Topology/g' | sed '0,/ifindex 0/{/ifindex 0/d;}' | sed '/ifindex 0/q' | sed '/spoof\|scan/d' | sed 's/has_addr_info true/\tAddress Spoofing Protection: Enabled/g' | sed 's/has_addr_info false/\tAddress Spoofing Protection: Disabled/g' | sed -e '/Prot/{n;d}' | sed 'N;s/\nmonitor_only true/ (Detect Mode)/;P;D' | sed 'N;s/\nmonitor_only false/ (Prevent Mode)/;P;D' | sed 'N;s/\nexternal false/ - Internal Interface/;P;D' | sed 'N;s/\nexternal true/ - External Interface/;P;D' | tac | sed '/ifindex 0/I,+2 d' | sed '/Address/,$!d' | tac | sed '/ifindex/d' | sed 's/,/ -/g' | sed 'N;s/\nipaddr/ >/;P;D' | sed '/ - /s/^ /\t/' | egrep -C 9999 --color=auto $'>|IPv6|External|Disabled|Detect'

Re: Show Address Spoofing Networks via CLI

Austin_Packer2 — Fri, 01 Mar 2019 10:35:48 GMT

Thanks Kaspars.

I did have the vsenv set to the correct environment, but I was running Danny Jungs CCC script, and running the command through there, which must default to the VS 0.

Works a treat when ran directly. Thanks!