https://community.checkpoint.com/t5/Firewall-and-Security-Management/Topology-defined-by-routes-limitation/m-p/116746#M16479 <P>Hello,</P><P>R80.40 environment.</P><P>I have one network 10.10.48.0/20 statically routed to a DMZ. A (more) specific subnet (10.10.60.0/24) from this network is routed to the external Interface.</P><P>Most of the other interfaces topology are defined by an object group.</P><P>Return packages from to the external interface are dropped by anti spoofing.</P><P>Is this an expected behavior, like no splitting of the /20 takes place internally?</P><P>Overall I wonder how topology information ist merged and processed when one has multiple route information sources, like defined by routes, objects and interfaces.</P><P>Anyway fix for the above was a group with exclusion, but for me it was a bit of an unexpected behavior, that's why I'm asking.</P><P>Cheers</P><P>Christoph</P><P>&nbsp;</P><P>&nbsp;</P> Sat, 24 Apr 2021 11:04:13 GMT Christoph 2021-04-24T11:04:13Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Topology-defined-by-routes-limitation/m-p/116746#M16479 <P>Hello,</P><P>R80.40 environment.</P><P>I have one network 10.10.48.0/20 statically routed to a DMZ. A (more) specific subnet (10.10.60.0/24) from this network is routed to the external Interface.</P><P>Most of the other interfaces topology are defined by an object group.</P><P>Return packages from to the external interface are dropped by anti spoofing.</P><P>Is this an expected behavior, like no splitting of the /20 takes place internally?</P><P>Overall I wonder how topology information ist merged and processed when one has multiple route information sources, like defined by routes, objects and interfaces.</P><P>Anyway fix for the above was a group with exclusion, but for me it was a bit of an unexpected behavior, that's why I'm asking.</P><P>Cheers</P><P>Christoph</P><P>&nbsp;</P><P>&nbsp;</P> Sat, 24 Apr 2021 11:04:13 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Topology-defined-by-routes-limitation/m-p/116746#M16479 Christoph 2021-04-24T11:04:13Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Topology-defined-by-routes-limitation/m-p/116747#M16480 <P>It’s possible this is a limitation similar to the fact we don’t take into account route priorities.&nbsp;</P> Sat, 24 Apr 2021 16:34:49 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Topology-defined-by-routes-limitation/m-p/116747#M16480 PhoneBoy 2021-04-24T16:34:49Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Topology-defined-by-routes-limitation/m-p/117005#M16504 <P>PhoneBoy is right, unfortunately.</P> <P>There was a discussion about this topic about a year ago (initiated by me):</P> <P><A href="https://community.checkpoint.com/t5/Security-Gateways/Security-Flaw-in-Dynamic-Anti-Spoofing-R80-20-and-above/m-p/89035" target="_blank">https://community.checkpoint.com/t5/Security-Gateways/Security-Flaw-in-Dynamic-Anti-Spoofing-R80-20-and-above/m-p/89035</A></P> <P>Unfortunatly, <a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/2480">@Meital_Natanson</a> told us, they do not want to fix that and call it expected behavior.</P> <P>Bad decision from my point of view, there is even a "Best current practice" RFC#3704 from 2004 for that.</P> <P>Like another Checkmates member said in the thread linked above:</P> <P>"It would be great if Check Point made plans to follow the RFC, rather than a loose interpretation of it" <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 27 Apr 2021 09:40:39 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Topology-defined-by-routes-limitation/m-p/117005#M16504 Tobias_Moritz 2021-04-27T09:40:39Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Topology-defined-by-routes-limitation/m-p/117011#M16505 <P>Thank you both of you. I checked your thread. From my (maybe naive) point of view, if there is an option in the UI, my general expectation is, it should also cover edge cases, as long as I can configure them, like in this case click a button. Other than that there should be a big warning sign, that this only works in certain environments.</P><P>Same with the new custom vpn topologies, that do some weird network calculations.</P> Tue, 27 Apr 2021 10:23:20 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Topology-defined-by-routes-limitation/m-p/117011#M16505 Christoph 2021-04-27T10:23:20Z