https://community.checkpoint.com/t5/Firewall-and-Security-Management/Antispoofing-with-dynamic-routing/m-p/138887#M21152 <P>Yes network defined by routes will work fine, the routing table is checked for updates every 1 second and the topology updated accordingly based on this setting:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="update.png" style="width: 695px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/14949iDB778C9A55FB649D/image-size/large?v=v2&amp;px=999" role="button" title="update.png" alt="update.png" /></span></P> Wed, 19 Jan 2022 13:02:45 GMT Timothy_Hall 2022-01-19T13:02:45Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Antispoofing-with-dynamic-routing/m-p/138800#M21115 <P>Hi</P><P>&nbsp;</P><P>For antispoofing config (on R80.30 and R81.10), is it fine to be internal &gt; defined by routes on the OSPF/BGP interfaces?&nbsp; Do routing changes take effect immediately in terms of the antispoofing checks or does it recalculate every X amount of time etc?&nbsp; Any gotcha that we should be aware of?</P><P>&nbsp;</P><P>Thanks</P> Wed, 19 Jan 2022 01:47:23 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Antispoofing-with-dynamic-routing/m-p/138800#M21115 cem82 2022-01-19T01:47:23Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Antispoofing-with-dynamic-routing/m-p/138804#M21119 <P>That is exactly how you should have it. I did that for 2 customers and works fine for more than a year now, no issues. For your reference, below is from Smart console doc and this applies literally to any R80+ version:</P> <UL class="listbullet2"> <LI class="listbullet2"><STRONG class="menuoptions">Network defined by routes</STRONG><SPAN>&nbsp;</SPAN>- The gateway dynamically calculates the topology behind this interface. If the network changes, there is no need to click "Get Interfaces" and install a policy.</LI> </UL> <P><A href="https://sc1.checkpoint.com/documents/R80.20/SmartConsole_OLH/EN/html_frameset.htm?topic=documents/R80.20/SmartConsole_OLH/EN/ZvkmnUK_XluBBIIAw1mF3A2" target="_self">R80.20 smart console guide</A>&nbsp;</P> Wed, 19 Jan 2022 03:10:06 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Antispoofing-with-dynamic-routing/m-p/138804#M21119 the_rock 2022-01-19T03:10:06Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Antispoofing-with-dynamic-routing/m-p/138887#M21152 <P>Yes network defined by routes will work fine, the routing table is checked for updates every 1 second and the topology updated accordingly based on this setting:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="update.png" style="width: 695px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/14949iDB778C9A55FB649D/image-size/large?v=v2&amp;px=999" role="button" title="update.png" alt="update.png" /></span></P> Wed, 19 Jan 2022 13:02:45 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Antispoofing-with-dynamic-routing/m-p/138887#M21152 Timothy_Hall 2022-01-19T13:02:45Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Antispoofing-with-dynamic-routing/m-p/139271#M21248 <P>If you have overlapping routes, you should read my post here:<BR /><A href="https://community.checkpoint.com/t5/Security-Gateways/Security-Flaw-in-Dynamic-Anti-Spoofing-R80-20-and-above/m-p/89035#M11057" target="_blank">https://community.checkpoint.com/t5/Security-Gateways/Security-Flaw-in-Dynamic-Anti-Spoofing-R80-20-and-above/m-p/89035#M11057</A></P> <P>Summary: Check Points implementation of "Antispoofing defined by routes" does not follow the RfC or the normal routing logic (most specific route is taken). It will not block anything needed, but allows more than needed.</P> Mon, 24 Jan 2022 14:43:27 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Antispoofing-with-dynamic-routing/m-p/139271#M21248 Tobias_Moritz 2022-01-24T14:43:27Z