https://community.checkpoint.com/t5/Firewall-and-Security-Management/Monitoring-of-Anti-Spoofing-traffic/m-p/20247#M1554 <HTML><HEAD></HEAD><BODY><P>Isnt some stats included in <STRONG>$FWDIR/state/local/FW1/local.set </STRONG>? How cpview (SecureXL) knows how many packets were dropped because of anti-spoofing ?</P></BODY></HTML> Mon, 20 Aug 2018 21:23:48 GMT JozkoMrkvicka 2018-08-20T21:23:48Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Monitoring-of-Anti-Spoofing-traffic/m-p/20242#M1549 <HTML><HEAD></HEAD><BODY><P>Hello guys,</P><P></P><P>Is there any way how to monitor anti-spoofing traffic in R77.30 ? I know that I can choose Alert, Log or None in spoofing properties for specific interface. But does someone know how to send for example syslog event in case gateway recognize spoofing traffic ? Or send mail ...</P><P>Searching all logs to found "spoofing" word in Information isnt good approach... There must be something on CLI how to check if interface faced spoofing traffic (as it issue log event towards log server).</P><P></P><P>Thanks for every suggestion in advance.</P></BODY></HTML> Sat, 18 Aug 2018 09:52:20 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Monitoring-of-Anti-Spoofing-traffic/m-p/20242#M1549 JozkoMrkvicka 2018-08-18T09:52:20Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Monitoring-of-Anti-Spoofing-traffic/m-p/20243#M1550 <HTML><HEAD></HEAD><BODY><P>One place you can see anti-spoofing drop packets (albeit not on a specific interface) is cpview.</P><P></P><P><IMG class="image-1 jive-image" src="https://community.checkpoint.com/legacyfs/online/checkpoint/69252_pastedImage_1.png" /></P><P></P><P>If you want Alerts to run a script, you can set that in Global Properties (but will apply for anything with Log type set to Alert):</P><P></P><P><IMG class="image-2 jive-image" src="https://community.checkpoint.com/legacyfs/online/checkpoint/69253_pastedImage_2.png" /></P></BODY></HTML> Sat, 18 Aug 2018 15:18:49 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Monitoring-of-Anti-Spoofing-traffic/m-p/20243#M1550 PhoneBoy 2018-08-18T15:18:49Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Monitoring-of-Anti-Spoofing-traffic/m-p/20244#M1551 <HTML><HEAD></HEAD><BODY><P>Thanks, I will check that.</P><P>What is default path of that UserDefined script? Or can I use full path of script, like: /var/tmp/testing.sh ?</P></BODY></HTML> Sun, 19 Aug 2018 18:56:20 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Monitoring-of-Anti-Spoofing-traffic/m-p/20244#M1551 JozkoMrkvicka 2018-08-19T18:56:20Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Monitoring-of-Anti-Spoofing-traffic/m-p/20245#M1552 <HTML><HEAD></HEAD><BODY><P>You can use full path.</P><P>Offhand I am not sure what the default path is for this screen.</P></BODY></HTML> Sun, 19 Aug 2018 23:35:25 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Monitoring-of-Anti-Spoofing-traffic/m-p/20245#M1552 PhoneBoy 2018-08-19T23:35:25Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Monitoring-of-Anti-Spoofing-traffic/m-p/20246#M1553 <HTML><HEAD></HEAD><BODY><P>I was not managed to get it work <img id="smileysad" class="emoticon emoticon-smileysad" src="https://community.checkpoint.com/i/smilies/16x16_smiley-sad.png" alt="Smiley Sad" title="Smiley Sad" /></P><P>First, I want to test it via specific rule, so I have created new rule with Track: "Alert". My understanding is that the script located in /var/log/test.sh should be executed every time this specific rule is matched.</P><P></P><P>My settings in Global Properties:</P><P><IMG class="image-1 jive-image" src="https://community.checkpoint.com/legacyfs/online/checkpoint/69310_pastedImage_4.png" /></P><P></P><P>According logs, the specific traffic is matched and I also see Alert in logs. The only problem is that it didnt activate the script.</P><P></P><P>I also tried to set Track as "UserDefined" and with this setup, the script was executed.</P><P>Is there any way how to do the same just for Alert (as in Anti-spoofing in R77.30 there are only following options available):</P><P><IMG class="image-2 jive-image" src="https://community.checkpoint.com/legacyfs/online/checkpoint/69311_pastedImage_5.png" /></P></BODY></HTML> Mon, 20 Aug 2018 21:03:06 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Monitoring-of-Anti-Spoofing-traffic/m-p/20246#M1553 JozkoMrkvicka 2018-08-20T21:03:06Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Monitoring-of-Anti-Spoofing-traffic/m-p/20247#M1554 <HTML><HEAD></HEAD><BODY><P>Isnt some stats included in <STRONG>$FWDIR/state/local/FW1/local.set </STRONG>? How cpview (SecureXL) knows how many packets were dropped because of anti-spoofing ?</P></BODY></HTML> Mon, 20 Aug 2018 21:23:48 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Monitoring-of-Anti-Spoofing-traffic/m-p/20247#M1554 JozkoMrkvicka 2018-08-20T21:23:48Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Monitoring-of-Anti-Spoofing-traffic/m-p/20248#M1555 <HTML><HEAD></HEAD><BODY><P>As far as I know both of these things should operate exactly the same.</P><P>I would open a TAC case.</P></BODY></HTML> Tue, 21 Aug 2018 02:00:58 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Monitoring-of-Anti-Spoofing-traffic/m-p/20248#M1555 PhoneBoy 2018-08-21T02:00:58Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Monitoring-of-Anti-Spoofing-traffic/m-p/20249#M1556 <HTML><HEAD></HEAD><BODY><P>Look into&nbsp;<SPAN style="color: #333333; background-color: #fafafa; font-size: 13px;">sk56701, there are some ideas how to make it work. The fact script is not working means there is something wrong with it. Most probably variables.</SPAN></P></BODY></HTML> Tue, 21 Aug 2018 08:22:03 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Monitoring-of-Anti-Spoofing-traffic/m-p/20249#M1556 _Val_ 2018-08-21T08:22:03Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Monitoring-of-Anti-Spoofing-traffic/m-p/20250#M1557 <HTML><HEAD></HEAD><BODY><P>Hi Valeri,</P><P></P><P>The script is working in case I choose "UserDefined" in Track option for the particular rule.</P><P>In case I want to do the same for "Alert", it will not work.</P><P></P><P>My script looks like:</P><P><IMG class="j-img-floatstart image-1 jive-image" src="https://community.checkpoint.com/legacyfs/online/checkpoint/69670_pastedImage_1.png" style="float: left;" /></P><P></P><P></P><P></P><P></P><P>My rule looks like (it will not execute script):</P><P><IMG class="image-6 jive-image" src="https://community.checkpoint.com/legacyfs/online/checkpoint/69690_pastedImage_17.png" /></P><P></P><P>This rule will execute the script:</P><P><IMG class="image-5 jive-image" src="https://community.checkpoint.com/legacyfs/online/checkpoint/69689_pastedImage_16.png" /></P><P></P><P>And my Alert settings looks like:</P><P><IMG class="jive-image image-4" src="https://community.checkpoint.com/legacyfs/online/checkpoint/69673_pastedImage_5.png" /></P></BODY></HTML> Tue, 21 Aug 2018 20:05:16 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Monitoring-of-Anti-Spoofing-traffic/m-p/20250#M1557 JozkoMrkvicka 2018-08-21T20:05:16Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Monitoring-of-Anti-Spoofing-traffic/m-p/20251#M1558 <HTML><HEAD></HEAD><BODY><P><A href="https://community.checkpoint.com/migrated-users/2075">Dameon Welch Abernathy</A>‌ <A href="https://community.checkpoint.com/migrated-users/2138">Valeri Loukine</A>‌ issue solved with following configuration of Alerts in Global Properties:</P><P><IMG __jive_id="69691" class="image-1 jive-image" src="https://community.checkpoint.com/legacyfs/online/checkpoint/69691_pastedImage_1.png" /></P><P></P><P>So now my final question is:</P><P>How can I simulate Address Spoofing for interface&nbsp;eth1.50 with subnet 10.20.30.0/24 to see if this is really working&nbsp;in case I will select Alert in Anti-Spoofing Tracking option ?</P><P></P><P>NOTE: I am running internal LAB in VMware, so I can do (almost) everything&nbsp;<img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://community.checkpoint.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P></BODY></HTML> Tue, 21 Aug 2018 20:23:10 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Monitoring-of-Anti-Spoofing-traffic/m-p/20251#M1558 JozkoMrkvicka 2018-08-21T20:23:10Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Monitoring-of-Anti-Spoofing-traffic/m-p/20252#M1559 <HTML><HEAD></HEAD><BODY><P>Create a VM with the desired address and try to ping "through" the firewall?</P><P>You'll probably have to muck with the routing/ARP tables to make it work right.</P></BODY></HTML> Tue, 21 Aug 2018 22:40:54 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Monitoring-of-Anti-Spoofing-traffic/m-p/20252#M1559 PhoneBoy 2018-08-21T22:40:54Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Monitoring-of-Anti-Spoofing-traffic/m-p/20253#M1560 <HTML><HEAD></HEAD><BODY><P>easy, configure anti-spoofing manually and exclude some parts of your network attached to this interface. Link, instead of /24 do less than that.&nbsp;</P></BODY></HTML> Wed, 22 Aug 2018 08:44:14 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Monitoring-of-Anti-Spoofing-traffic/m-p/20253#M1560 _Val_ 2018-08-22T08:44:14Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Monitoring-of-Anti-Spoofing-traffic/m-p/20254#M1561 <HTML><HEAD></HEAD><BODY><P>That must be true. "Run popup alert script" means the binary is under $FWDIR/bin. If it is not, it is qualified as a "User defined alert"</P></BODY></HTML> Fri, 24 Aug 2018 08:22:27 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Monitoring-of-Anti-Spoofing-traffic/m-p/20254#M1561 _Val_ 2018-08-24T08:22:27Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Monitoring-of-Anti-Spoofing-traffic/m-p/20255#M1562 <HTML><HEAD></HEAD><BODY><P>Hello Jozko,</P><P></P><P>Was you able to perform this. Even I want to perform anti spoofing lab in vmware. Don't know howto do it.</P></BODY></HTML> Thu, 06 Dec 2018 21:06:23 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Monitoring-of-Anti-Spoofing-traffic/m-p/20255#M1562 Rohit_Gandas 2018-12-06T21:06:23Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Monitoring-of-Anti-Spoofing-traffic/m-p/20256#M1563 <HTML><HEAD></HEAD><BODY><P>No, I was not able to simulate antispoofing traffic <span class="lia-unicode-emoji" title=":confused_face:">😕</span></P></BODY></HTML> Fri, 07 Dec 2018 17:08:00 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Monitoring-of-Anti-Spoofing-traffic/m-p/20256#M1563 JozkoMrkvicka 2018-12-07T17:08:00Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Monitoring-of-Anti-Spoofing-traffic/m-p/20257#M1564 <HTML><HEAD></HEAD><BODY><P>I was able to.</P><P>Have a loom at this article i made on anti spoofing.</P></BODY></HTML> Fri, 07 Dec 2018 17:37:08 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Monitoring-of-Anti-Spoofing-traffic/m-p/20257#M1564 Rohit_Gandas 2018-12-07T17:37:08Z