https://community.checkpoint.com/t5/Firewall-and-Security-Management/Management-HA-Address-spoofing-error-for-FW-Log-when-gateway/m-p/276811#M105333 <P><STRONG>Environment</STRONG></P> <UL> <LI>R82 Management High Availability (Management-HA)</LI> <LI>Two geographically separated offices: <STRONG>Office A</STRONG> and <STRONG>Office B</STRONG></LI> </UL> <P><STRONG>Topology<BR /><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="network.png" style="width: 629px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/34229i891EB7DFB7340CC5/image-size/large?v=v2&amp;px=999" role="button" title="network.png" alt="network.png" /></span><BR /></STRONG></P> <P><STRONG>Issue description</STRONG></P> <P>Log forwarding works correctly when traffic stays local:</P> <UL> <LI>GW-A → Mgmt-A: <STRONG>OK</STRONG></LI> <LI>GW-B → Mgmt-B: <STRONG>OK</STRONG></LI> </UL> <P>However, as soon as a gateway sends logs to the management server in the <EM>other</EM> site, an <STRONG>address spoofing error for FW_Log</STRONG> is triggered:</P> <UL> <LI>GW-A → Mgmt-B: <STRONG>Spoofing error</STRONG></LI> <LI>GW-B → Mgmt-A: <STRONG>Spoofing error</STRONG></LI> </UL> <P>The root cause appears to be that each gateway uses the same source IP regardless of which log server it targets. When the log packet traverses the inter-site link and arrives at the remote gateway, the source IP belongs to the wrong network segment, causing the receiving gateway to flag it as spoofed.</P> <HR /> <P><STRONG>What I have tried / investigated</STRONG></P> <UL> <LI><CODE>$FWDIR/conf/masters</CODE> — this file controls which log servers a gateway forwards to (the <EM>destination</EM>), but it does not provide a way to specify which <EM>source IP</EM> the gateway should use when initiating the log connection.</LI> <LI>We would prefer to <STRONG>avoid NAT</STRONG> if at all possible.</LI> </UL> <HR /> <P><STRONG>Question</STRONG></P> <P>Is there a supported method in R82 to control the source IP a gateway uses when sending logs to a specific log server?</P> <P>For example, GW-A has multiple interfaces. When it sends logs to Mgmt-B across the WAN, is there a way to tell it to use a specific interface IP as the source — similar to how you can pin a source interface for other connections?</P> <P>Any pointers to sk articles, CLI parameters, or configuration files would be greatly appreciated.</P> Mon, 11 May 2026 22:30:29 GMT Danny 2026-05-11T22:30:29Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Management-HA-Address-spoofing-error-for-FW-Log-when-gateway/m-p/276811#M105333 <P><STRONG>Environment</STRONG></P> <UL> <LI>R82 Management High Availability (Management-HA)</LI> <LI>Two geographically separated offices: <STRONG>Office A</STRONG> and <STRONG>Office B</STRONG></LI> </UL> <P><STRONG>Topology<BR /><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="network.png" style="width: 629px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/34229i891EB7DFB7340CC5/image-size/large?v=v2&amp;px=999" role="button" title="network.png" alt="network.png" /></span><BR /></STRONG></P> <P><STRONG>Issue description</STRONG></P> <P>Log forwarding works correctly when traffic stays local:</P> <UL> <LI>GW-A → Mgmt-A: <STRONG>OK</STRONG></LI> <LI>GW-B → Mgmt-B: <STRONG>OK</STRONG></LI> </UL> <P>However, as soon as a gateway sends logs to the management server in the <EM>other</EM> site, an <STRONG>address spoofing error for FW_Log</STRONG> is triggered:</P> <UL> <LI>GW-A → Mgmt-B: <STRONG>Spoofing error</STRONG></LI> <LI>GW-B → Mgmt-A: <STRONG>Spoofing error</STRONG></LI> </UL> <P>The root cause appears to be that each gateway uses the same source IP regardless of which log server it targets. When the log packet traverses the inter-site link and arrives at the remote gateway, the source IP belongs to the wrong network segment, causing the receiving gateway to flag it as spoofed.</P> <HR /> <P><STRONG>What I have tried / investigated</STRONG></P> <UL> <LI><CODE>$FWDIR/conf/masters</CODE> — this file controls which log servers a gateway forwards to (the <EM>destination</EM>), but it does not provide a way to specify which <EM>source IP</EM> the gateway should use when initiating the log connection.</LI> <LI>We would prefer to <STRONG>avoid NAT</STRONG> if at all possible.</LI> </UL> <HR /> <P><STRONG>Question</STRONG></P> <P>Is there a supported method in R82 to control the source IP a gateway uses when sending logs to a specific log server?</P> <P>For example, GW-A has multiple interfaces. When it sends logs to Mgmt-B across the WAN, is there a way to tell it to use a specific interface IP as the source — similar to how you can pin a source interface for other connections?</P> <P>Any pointers to sk articles, CLI parameters, or configuration files would be greatly appreciated.</P> Mon, 11 May 2026 22:30:29 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Management-HA-Address-spoofing-error-for-FW-Log-when-gateway/m-p/276811#M105333 Danny 2026-05-11T22:30:29Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Management-HA-Address-spoofing-error-for-FW-Log-when-gateway/m-p/276812#M105334 <P>This looks like an asymmetric routing issue on the network path between A and B. &nbsp;You can also update the incoming interface on each gateway to "not check packets from" ... and select a group object containing the gateway in question.</P> <P>When FWD fires up and initiates the connection to the log server, it binds to the interface closest to said gateway. &nbsp;It will use this interface until FWD is restarted. &nbsp;This will explain why the source is always "that" IP on the gateway. There's also a logging_worker process in (at least R82.10) that I believe handles the log forwarding when gateways become disconnected.</P> <P>If you can afford it, and you can induce a log server failover, SSH into the problematic gateway and restart FWD manually to see if the source IP changes on a new process. &nbsp;That'll give you the answer. &nbsp;Then do the "don't check packets from" config.</P> <P>&nbsp;</P> Mon, 11 May 2026 23:38:14 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Management-HA-Address-spoofing-error-for-FW-Log-when-gateway/m-p/276812#M105334 Duane_Toler 2026-05-11T23:38:14Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Management-HA-Address-spoofing-error-for-FW-Log-when-gateway/m-p/276821#M105337 <P><EM>"Don't check packets from"</EM>&nbsp;only applies to external interfaces.<BR />Check Point fixed it by itself automagically by switching to another source IP:<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="FW1_log_spoof.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/34232i0A1126EA19D27703/image-size/large?v=v2&amp;px=999" role="button" title="FW1_log_spoof.png" alt="FW1_log_spoof.png" /></span></P> Tue, 12 May 2026 06:40:22 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Management-HA-Address-spoofing-error-for-FW-Log-when-gateway/m-p/276821#M105337 Danny 2026-05-12T06:40:22Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Management-HA-Address-spoofing-error-for-FW-Log-when-gateway/m-p/276824#M105339 <P>This is MDS but they refer only to a NAT solution:</P> <P><A href="https://support.checkpoint.com/results/sk/sk181701" target="_blank">https://support.checkpoint.com/results/sk/sk181701</A></P> <P>But if you are going to do NAT you will get new issues like:</P> <P><A href="https://support.checkpoint.com/results/sk/sk163415" target="_blank">https://support.checkpoint.com/results/sk/sk163415</A></P> <P><A href="https://support.checkpoint.com/results/sk/sk171665" target="_blank">https://support.checkpoint.com/results/sk/sk171665</A></P> <P>If issues occurs again, after a restart I would still look into above NAT solution / SK's.&nbsp;</P> Tue, 12 May 2026 07:09:28 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Management-HA-Address-spoofing-error-for-FW-Log-when-gateway/m-p/276824#M105339 Lesley 2026-05-12T07:09:28Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Management-HA-Address-spoofing-error-for-FW-Log-when-gateway/m-p/276846#M105351 <P>Excellent.. so FWD worked itself out after a time. &nbsp;Certainly not "the best" situation, but good that it does adjust. &nbsp;If this is R82 and lower, you might want to look into the log-forwarding configuration to have the gateway send over its disconnected logs to the management on an interval. &nbsp;R82.10 has this enabled by default now (yay!).</P> <P>&nbsp;</P> Tue, 12 May 2026 13:07:53 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Management-HA-Address-spoofing-error-for-FW-Log-when-gateway/m-p/276846#M105351 Duane_Toler 2026-05-12T13:07:53Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Management-HA-Address-spoofing-error-for-FW-Log-when-gateway/m-p/276847#M105352 <P>Thats true, only applies to external interface though.</P> Tue, 12 May 2026 13:19:34 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Management-HA-Address-spoofing-error-for-FW-Log-when-gateway/m-p/276847#M105352 the_rock 2026-05-12T13:19:34Z