Local interface address spoofing

Matthias_Honold — Fri, 24 Jul 2020 11:39:55 GMT

Hello,

We ve got an issue with "Local interface address spoofing" on a Cloudguard GW.

We're running a Monitoring Solution which sends ping and snmp requests to Cloudguard Management Network.
This issue occors only for the GW which resides on the same ESXi Host where the Monitoring Solution is running. Other Cloudguard GWs can be reached without any issue. If the monitoring solution is migrated to a different ESXi Host the problem also occures on the new ESXi Host. In fw monitor I can see that traffic is hitting eth2 interface which it shouldn't. We're on the latest Patchlevel for Cloudguard on NSX-V.

I found sk105899, but im not sure if it's applicable.

How can we fix this?

Best Regards

Re: Local interface address spoofing

Matthias_Honold — Wed, 29 Jul 2020 16:52:30 GMT

There are no dublicate IPs, no Hubs. Could it be a routing issue in NSX-V?

Monitoring VM: 10.20.10.1

Cloudguard GW: 10.10.10.1

Traffic hits eth2 which hasn't an IP assigned

[Expert@serviceinstance-2-xyz123:0]# fw monitor -e 'accept (src=10.10.10.1 and dst=10.20.10.1) or (src=10.20.10.1 and dst=10.10.10.1);' -m iO
monitor: getting filter (from command line)
monitor: compiling
monitorfilter:
Compiled OK.
monitor: loading
monitor: monitoring (control-C to stop)

[vs_0][fw_0] eth2:x[51]: 10.20.10.1 -> 10.10.10.1 (ICMP) len=51 id=9526
ICMP: type=8 code=0 echo request id=583 seq=25661
[vs_0][fw_0] eth2:i[51]: 10.20.10.1 -> 10.10.10.1 (ICMP) len=51 id=9526
ICMP: type=8 code=0 echo request id=583 seq=25661
[vs_0][fw_0] eth2:O[51]: 10.20.10.1 -> 10.10.10.1 (ICMP) len=51 id=9526
ICMP: type=8 code=0 echo request id=583 seq=25661
[vs_0][fw_0] eth2:X[51]: 10.20.10.1 -> 10.10.10.1 (ICMP) len=51 id=9526
ICMP: type=8 code=0 echo request id=583 seq=25661
[vs_0][fw_0] eth0:x[51]: 10.20.10.1 -> 10.10.10.1 (ICMP) len=51 id=9526
ICMP: type=8 code=0 echo request id=583 seq=25661
[vs_0][fw_0] eth0:i[51]: 10.20.10.1 -> 10.10.10.1 (ICMP) len=51 id=9526
ICMP: type=8 code=0 echo request id=583 seq=25661

[Expert@serviceinstance-2-xyz123:0]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:50:56:b1:fb:de brd ff:ff:ff:ff:ff:ff
inet 10.10.10.1/24 brd 10.129.34.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
link/ether 00:50:56:b1:f7:b1 brd ff:ff:ff:ff:ff:ff
4: eth2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:50:56:b1:1a:49 brd ff:ff:ff:ff:ff:ff
5: br1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue
link/ether 00:50:56:b1:1a:49 brd ff:ff:ff:ff:ff:ff

topic Re: Local interface address spoofing in Cloud Firewall

Local interface address spoofing

Re: Local interface address spoofing

Re: Local interface address spoofing