https://community.checkpoint.com/t5/Firewall-and-Security-Management/Anti-spoofing-on-external-interface/m-p/83191#M11408 <P>Hi <a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/18838">@Roy_Smith</a>&nbsp;</P> <P>I think it's R80.30. I could see these problems with several other gateways.&nbsp;Here the TAC is also involved.</P> <P>1) Are your office mode addresses of IP spoofing used for internal interfaces?&nbsp;This may also cause this error.</P> <P>2)&nbsp;Is IP spoofing active for the office mode pool?</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="case1.JPG" style="width: 843px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/5794i53CF52283088D96F/image-size/large?v=v2&amp;px=999" role="button" title="case1.JPG" alt="case1.JPG" /></span></P> <P>3) Or set don't check packets from:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="case2.JPG" style="width: 654px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/5796i752DD0E9234C8999/image-size/large?v=v2&amp;px=999" role="button" title="case2.JPG" alt="case2.JPG" /></span></P> <P><FONT color="#FF0000">Emergency solution:</FONT></P> <P>From my point of view, change to detect mode of IP spoofing on the <STRONG>external</STRONG> interface is not very security relevant.</P> <P>Why! All internet IP addresses are allowed here. Private addresses 10.x.x.x, 192.168.x.x, ... are not routed in the internet.&nbsp;If you now drop IP addresses from 224.0.0.0-255.255.255.254, you are reasonably safe.&nbsp;But keep in mind that you have to activate certain multicast IPs (for example HSRP, VRRP,...).&nbsp;But you should also allow 255.255.255.255 in individual cases.</P> <P>I think the solution is not nice, but you can live with it.</P> <P>Then you can analyze the issues.&nbsp;The goal should be to enable IP spoofing again.</P> Sun, 26 Apr 2020 09:43:28 GMT HeikoAnkenbrand 2020-04-26T09:43:28Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Anti-spoofing-on-external-interface/m-p/83185#M11404 <P>Hi</P><P>We have a VSX cluster with a VS for Remote Access. Since our staff now work from home, there is a requirement to allow support staff to use SCCM Remote Control. This is set to connect from an office PC or server out to a Remote Access VPN user.&nbsp;</P><P>After trying various things to get this to work, as a last resort I disabled anti-spoofing on the external interface. Once done, RC worked absolutely fine.&nbsp;</P><P>Leaving this makes me nervous as everything I know says to always have anti-spoofing enabled. So, does disabling it on one interface potentially open us up to more issues?&nbsp;</P><P>Thanks<BR />Roy</P><P>&nbsp;</P> Sun, 26 Apr 2020 06:46:25 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Anti-spoofing-on-external-interface/m-p/83185#M11404 Roy_Smith 2020-04-26T06:46:25Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Anti-spoofing-on-external-interface/m-p/83187#M11405 Have you tried to add the network you need to connect to externally in the box 'Don't check packets from'? Sun, 26 Apr 2020 08:14:08 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Anti-spoofing-on-external-interface/m-p/83187#M11405 Maarten_Sjouw 2020-04-26T08:14:08Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Anti-spoofing-on-external-interface/m-p/83189#M11406 <P>Maarten</P><P>Yes, I have tried putting the VPN subnets in the box and I also tried the internal subnets the VPN clients try to connect with no success. I have messed about with various settings in our anti-spoofing group and encryption domain, again with no success.&nbsp;</P><P>Roy</P> Sun, 26 Apr 2020 08:35:53 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Anti-spoofing-on-external-interface/m-p/83189#M11406 Roy_Smith 2020-04-26T08:35:53Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Anti-spoofing-on-external-interface/m-p/83191#M11408 <P>Hi <a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/18838">@Roy_Smith</a>&nbsp;</P> <P>I think it's R80.30. I could see these problems with several other gateways.&nbsp;Here the TAC is also involved.</P> <P>1) Are your office mode addresses of IP spoofing used for internal interfaces?&nbsp;This may also cause this error.</P> <P>2)&nbsp;Is IP spoofing active for the office mode pool?</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="case1.JPG" style="width: 843px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/5794i53CF52283088D96F/image-size/large?v=v2&amp;px=999" role="button" title="case1.JPG" alt="case1.JPG" /></span></P> <P>3) Or set don't check packets from:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="case2.JPG" style="width: 654px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/5796i752DD0E9234C8999/image-size/large?v=v2&amp;px=999" role="button" title="case2.JPG" alt="case2.JPG" /></span></P> <P><FONT color="#FF0000">Emergency solution:</FONT></P> <P>From my point of view, change to detect mode of IP spoofing on the <STRONG>external</STRONG> interface is not very security relevant.</P> <P>Why! All internet IP addresses are allowed here. Private addresses 10.x.x.x, 192.168.x.x, ... are not routed in the internet.&nbsp;If you now drop IP addresses from 224.0.0.0-255.255.255.254, you are reasonably safe.&nbsp;But keep in mind that you have to activate certain multicast IPs (for example HSRP, VRRP,...).&nbsp;But you should also allow 255.255.255.255 in individual cases.</P> <P>I think the solution is not nice, but you can live with it.</P> <P>Then you can analyze the issues.&nbsp;The goal should be to enable IP spoofing again.</P> Sun, 26 Apr 2020 09:43:28 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Anti-spoofing-on-external-interface/m-p/83191#M11408 HeikoAnkenbrand 2020-04-26T09:43:28Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Anti-spoofing-on-external-interface/m-p/83338#M11409 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/21670">@HeikoAnkenbrand</a>&nbsp;</P><P>Your screenshots helped a lot. It turned out that "Perform anti-spoofing on Office Mode addresses" was enabled. I disabled this and re-enabled "Perform anti-spoofing" on the interface and everything works as we want.&nbsp;</P><P>Much happier situation now with anti-spoofing enabled again</P><P>Thanks for the help<BR />Roy</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 27 Apr 2020 13:48:53 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Anti-spoofing-on-external-interface/m-p/83338#M11409 Roy_Smith 2020-04-27T13:48:53Z