topic Re: CLI Anti-Spoofing Information in Firewall and Security Management

CLI Anti-Spoofing Information

Bryce_Myers — Thu, 30 Nov 2017 19:34:46 GMT

Does anyone know of a way to see your anti-spoofing configuration per interface on the CLI?

Basically --

Anti-Spoofing is Enabled (y/n)
Anti-Spoofing Action (Detect/Prevent)

Re: CLI Anti-Spoofing Information

Pablo_Barriga — Fri, 01 Dec 2017 14:28:14 GMT

Hello for each interface in the topology you can set the anti-spoofing.

Re: CLI Anti-Spoofing Information

Timothy_Hall — Fri, 01 Dec 2017 14:50:57 GMT

Firewall CLI or R80+ SMS CLI?

--
My Book "Max Power: Check Point Firewall Performance Optimization"
Second Edition Coming Soon

Re: CLI Anti-Spoofing Information

Bryce_Myers — Fri, 01 Dec 2017 14:55:41 GMT

Firewall CLI at the moment.

Re: CLI Anti-Spoofing Information

Bryce_Myers — Fri, 01 Dec 2017 14:56:44 GMT

Yes - I know it can be done in the GUI.

I want to know if anyone has found a way to check it on the local gateway. The GUI is currently very time consuming to audit, but scripting to gateways is very simple.

I'm guessing since its part of the policy, it won't be super easy to find on the local gateway.

Re: CLI Anti-Spoofing Information

Bryce_Myers — Fri, 01 Dec 2017 15:09:40 GMT

I think there is an opportunity to leverage GUIDBedit from the management CLI to look at the policy, but even if its changed in the policy - if it hasn't been deployed, the gateway doesn't actually have the anti-spoofing settings.

Re: CLI Anti-Spoofing Information

Pablo_Barriga — Fri, 21 Jun 2019 09:05:54 GMT

Hello Bryce I think this info should be useful

fw ctl set int fw_antispoofing_enabled 0
sim feature anti_spoofing off ; fwaccel off ; fwaccel on

fw ctl set int fw_antispoofing_enabled 1
sim feature anti_spoofing on ; fwaccel off ; fwaccel on

This was posted on the https://community.checkpoint.com/thread/5319-my-top-3-check-point-cli-commands

Re: CLI Anti-Spoofing Information

Bryce_Myers — Fri, 01 Dec 2017 15:39:06 GMT

Isn't that just a global anti-spoofing setting? I can't tell what the configuration per interface is.

Re: CLI Anti-Spoofing Information

Timothy_Hall — Sat, 02 Dec 2017 00:45:57 GMT

I don't think there is a direct way to pull this info from the running firewall kernel (I originally thought it could be provided by the sim ranges command), but what you can do is first run fw ctl iflist on the firewall to get the list of interfaces, and then view (not edit!) the firewall's $FWDIR/state/local/FW1/local.set file. In that file you will find a section called "if_info" and under that "objtype (gw)" and then an indented list of firewall interfaces. Under each firewall interface you will see two values:

has_addr_info (true|false)

true: antispoofing enabled on that interface

false: antispoofing is disabled on that interface

monitor_only (true|false)

true: antispoofing action is Detect on that interface

false: antispoofing action is Prevent on that interface

I'm sure someone could script something to pull this info out of the file a bit easier...

--
My Book "Max Power: Check Point Firewall Performance Optimization"
Second Edition Coming Soon

Re: CLI Anti-Spoofing Information

Bryce_Myers — Sat, 02 Dec 2017 20:07:18 GMT

Tim - this is great information! I'm going to build a script to check for these settings on the gateway.

Re: CLI Anti-Spoofing Information

PhoneBoy — Sun, 03 Dec 2017 16:43:11 GMT

Looking on my R80.10 gateway, for each interface, I also see interface_topology which tells you what subnets are "valid" on a given interface (assuming that's useful to your task).

Re: CLI Anti-Spoofing Information

Timothy_Hall — Mon, 04 Dec 2017 15:17:06 GMT

Yep that same $FWDIR/state/local/FW1/local.set on the firewall does show the calculated network topology for each interface as well as the anti-spoofing settings. Could definitely be handy if there are lots of nested groups specified in the anti-spoofing settings that makes figuring out the actual topology (and resulting anti-spoofing enforcement) difficult from the SmartDashboard/SmartConsole.

--
My Book "Max Power: Check Point Firewall Performance Optimization"
Second Edition Coming Soon

Re: CLI Anti-Spoofing Information

HeikoAnkenbrand — Mon, 25 Jun 2018 12:36:30 GMT

Look at this article:

Show Address Spoofing Networks via CLI

Regards

Heiko

Re: CLI Anti-Spoofing Information

Kris_Pellens — Mon, 08 Oct 2018 12:44:08 GMT

Hello Pablo,

How can we disable anti spoofing from command line in R80.20?

In R80.20 GA the following command has been removed:

sim feature anti_spoofing off

[Expert@pa:0]# sim feature anti_spoofing off

Command 'sim feature' has been replaced. Use 'fwaccel feature' instead.

[Expert@pa:0]# fwaccel feature anti_spoofing off
Invalid feature 'anti_spoofing'
Usage: fwaccel feature <name> {on|off|get}

Available features: sctp

Any suggestions?

Many thanks.

Kind regards,

Kris