topic Re: Network Defined by Routes: Anti-Spoofing in Firewall and Security Management

Network Defined by Routes: Anti-Spoofing

SriNarasimha005 — Sat, 06 Aug 2022 09:30:17 GMT

Hi Experts,

I'd like to seek your help in configuring the Anti-spoofing config. We'll be configuring the firewalls (R81.10) in Active/Standby as follows:-

Internet Firewall eth1 (10.0.0.1/30) -> (10.0.0.2/30) Internet Router (Public IP) -> ISP -> Internet

Internet Firewall eth2 (10.2.0.1/30) -> (10.2.0.2/30) Internal Firewall -> Core switch -> Internal Networks

On eth1, as this is a private IP, should I need to just configure the "External (Internet)" or I need to select External (Internet) WITH the Anti-spoofing exceptions of the egress private IP (10.0.0.0/30)

Also, on eth2, should I need to select the "network defined by routes" or I need to manually specify the Internal networks in a network-group?

Note: We've static route (10.0.0.0/8, 172.16.0.0/16) from the Internet-facing firewalls to the Internal firewalls which is further connecting to the Core switches.

Thanks for your support !

Re: Network Defined by Routes: Anti-Spoofing

Chris_Atkinson — Sat, 06 Aug 2022 11:37:44 GMT

The simplest explanation is that if a given source address is expected to communicate from behind a particular interface it needs to be accounted for in its anti-spoofing configuration.

The Network defined by routes option can be helpful in reducing the ongoing manual maintenance of the spoofing configuration (note it doesn't work precisely the same a URPF).

Re: Network Defined by Routes: Anti-Spoofing

SriNarasimha005 — Sat, 06 Aug 2022 15:30:24 GMT

Hi Mate,

Thanks for the reply. But my query is that, should be private IP address of the eth1 be included as an exception or just configuring 'External' interface works like a charm?

Also, since I'm using static route for traffic forwarding towards Internal networks, do I need to add the networks to be accounted for in the network group manually?

I'm of opinion that, 'Network defined by routes' would work for the dynamic routing and would like to get your assistance on the above.

Thanks in advance.

Re: Network Defined by Routes: Anti-Spoofing

_Val_ — Sat, 06 Aug 2022 19:33:51 GMT

Network defined by routes should include dynamic routes as well. By default the system is pulling all kernel routes every second.

Here is where you can check the settings:

Re: Network Defined by Routes: Anti-Spoofing

Chris_Atkinson — Sun, 07 Aug 2022 00:16:59 GMT

I would create an exception for the private network in case there is overlap.

Static & dynamic, note we don't take the priority/rank into consideration here.

Re: Network Defined by Routes: Anti-Spoofing

SriNarasimha005 — Sun, 07 Aug 2022 04:09:47 GMT

Hi Mate,

Thanks for your help so far. From the reply, I'd assume, that 'network defined by routes' would consider static route as well to calculate topology behind an interface (and not just dynamic routing).

And, final one, we've a remote-access VPN solution (non-checkpoint product) where users are provisioned with the IP address of 10.19.5.0/24. Should I need to create an exception for the same on "External" interface?

Re: Network Defined by Routes: Anti-Spoofing

Chris_Atkinson — Sun, 07 Aug 2022 06:07:39 GMT

If the clients on this private range are accessing things behind the Check Point routing in via it's external interface then most likely yes.