Anti-spoofing: Network defined by routes dropping return traffic on interafce that leads to default

doube0seven — Tue, 08 Nov 2022 22:18:51 GMT

Hi all

I wonder if anyone has observed this issue with their security gateways. We have a cluster of 5600 appliances acting as a boundary gateway. This cluster has an interface (lets say eth1) which learns the default route from an upstream Cisco router. The link-net between the router and the eth1 interface on the firewall uses private addressing 10.x.x.x.

I have observed two behaviors which did not make sense to me:

1. Setting the Topology of the eth1 interface as external drops the BGP relation with the router. The IP of the BGP peer is withing the link-net /29 network. Is this because the link-net is using private addresses?

2. We set the topology of eth1 to be "defined by routes" for convenience as the routes are learned dynamically. But Anti-spoofing started dropping the return traffic. Should all traffic be allowed given the default route points tot his interface?

Setting the interface as External calculates the topology as this:

Calculated Interface Topology
0.0.0.0 - 9.255.255.255
11.0.0.0 - 13.63.255.255
13.96.0.0 - 13.103.255.255
13.108.0.0 - 19.255.255.255
20.32.0.0 - 20.32.255.255
20.128.0.0 - 20.134.255.255
20.137.0.0 - 20.139.255.255
20.142.0.0 - 20.142.255.255
20.144.0.0 - 20.149.255.255
20.154.0.0 - 20.156.255.255
20.176.0.0 - 20.183.255.255
21.0.0.0 - 23.95.255.255
23.103.0.0 - 23.103.63.255
23.104.0.0 - 40.63.255.255
40.66.128.0 - 40.66.255.255
40.72.0.0 - 40.73.255.255
40.108.32.0 - 40.108.127.255
40.109.0.0 - 40.109.255.255
40.125.128.0 - 40.125.255.255
40.126.64.0 - 40.126.127.255
40.128.0.0 - 51.9.255.255
51.14.0.0 - 51.50.255.255
51.52.0.0 - 51.52.255.255
51.54.0.0 - 51.102.255.255
51.106.0.0 - 51.106.255.255
51.108.0.0 - 51.115.255.255
51.117.0.0 - 51.119.255.255
51.121.0.0 - 51.123.255.255
51.125.0.0 - 51.131.255.255
51.133.0.0 - 51.135.255.255
51.139.0.0 - 51.139.255.255
51.146.0.0 - 52.95.255.255
52.116.0.0 - 52.119.255.255
52.124.0.0 - 52.124.255.255
52.128.0.0 - 52.135.255.255
52.144.0.0 - 52.145.255.255
52.192.0.0 - 52.223.255.255
53.0.0.0 - 64.3.255.255
64.4.64.0 - 65.51.255.255
65.56.0.0 - 66.119.143.255
66.119.160.0 - 68.17.255.255
68.20.0.0 - 68.153.255.255
68.156.0.0 - 68.209.255.255
68.212.0.0 - 68.217.255.255
68.222.0.0 - 70.36.255.255
70.37.192.0 - 70.151.255.255
70.154.0.0 - 70.155.255.255
70.158.0.0 - 72.143.255.255
72.148.0.0 - 72.151.255.255
72.156.0.0 - 74.159.255.255
74.164.0.0 - 74.175.255.255
74.180.0.0 - 74.223.255.255
74.228.0.0 - 74.233.255.255
74.236.0.0 - 74.239.255.255
74.244.0.0 - 74.247.255.255
74.250.0.0 - 94.245.63.255
94.245.128.0 - 98.63.255.255
98.68.0.0 - 98.69.255.255
98.72.0.0 - 102.36.255.255
102.38.0.0 - 102.132.255.255
102.134.0.0 - 104.39.255.255
104.48.0.0 - 104.145.255.255
104.146.32.0 - 104.146.127.255
104.147.0.0 - 104.207.255.255
104.216.0.0 - 108.139.255.255
108.144.0.0 - 111.221.15.255
111.221.32.0 - 111.221.63.255
111.221.128.0 - 116.66.244.65
116.66.244.67 - 116.89.237.139
116.89.237.141 - 126.255.255.255
128.0.0.0 - 128.93.255.255
128.95.0.0 - 131.106.255.255
131.108.0.0 - 131.253.0.255
131.253.2.0 - 131.253.2.255
131.253.4.0 - 131.253.4.255
131.253.7.0 - 131.253.7.255
131.253.9.0 - 131.253.11.255
131.253.16.0 - 131.253.20.255
131.253.48.0 - 131.253.60.255
131.253.64.0 - 131.253.71.255
131.253.76.0 - 131.253.79.255
131.253.96.0 - 131.253.111.255
131.253.124.0 - 131.253.127.255
131.254.0.0 - 132.244.255.255
132.246.0.0 - 134.169.255.255
134.171.0.0 - 135.148.255.255
135.150.0.0 - 137.115.255.255
137.118.0.0 - 137.134.255.255
137.136.0.0 - 138.90.255.255
138.92.0.0 - 138.238.255.255
138.240.0.0 - 147.144.255.255
147.146.0.0 - 147.242.255.255
147.244.0.0 - 148.6.255.255
148.8.0.0 - 150.170.255.255
150.172.0.0 - 155.61.255.255
155.63.0.0 - 157.54.255.255
157.57.0.0 - 157.57.255.255
157.59.0.0 - 158.157.255.255
158.159.0.0 - 159.26.255.255
159.28.0.0 - 163.227.255.255
163.229.0.0 - 167.104.255.255
167.106.0.0 - 167.219.255.255
167.221.0.0 - 168.60.255.255
168.64.0.0 - 169.137.255.255
169.139.0.0 - 170.164.255.255
170.166.0.0 - 172.17.31.255
172.17.33.0 - 191.231.255.255
191.240.0.0 - 192.48.224.255
192.48.226.0 - 192.84.159.255
192.84.162.0 - 192.92.195.255
192.92.197.0 - 192.94.169.132
192.94.169.134 - 192.100.103.255
192.100.132.0 - 192.167.255.255
192.168.128.0 - 192.168.129.255
192.168.133.0 - 192.168.135.255
192.168.140.0 - 192.168.159.255
192.168.192.0 - 192.168.253.255
192.168.254.8 - 192.197.156.255
192.197.158.0 - 193.149.63.255
193.149.96.0 - 193.221.112.255
193.221.114.0 - 194.41.15.255
194.41.32.0 - 194.69.95.255
194.69.128.0 - 195.134.223.255
195.135.0.0 - 198.49.7.255
198.49.9.0 - 198.105.231.255
198.105.236.0 - 198.180.96.255
198.180.98.0 - 198.200.129.255
198.200.131.0 - 198.206.163.255
198.206.165.0 - 199.2.136.255
199.2.138.0 - 199.30.15.255
199.30.32.0 - 199.60.27.255
199.60.29.0 - 199.103.89.255
199.103.92.0 - 199.103.121.255
199.103.123.0 - 199.242.31.255
199.242.56.0 - 202.27.43.255
202.27.44.32 - 202.89.223.255
202.89.232.0 - 204.13.119.255
204.13.128.0 - 204.14.179.255
204.14.181.0 - 204.79.134.255
204.79.136.0 - 204.79.178.255
204.79.181.0 - 204.79.194.255
204.79.196.0 - 204.79.196.255
204.79.198.0 - 204.79.251.255
204.79.253.0 - 204.95.95.255
204.95.112.0 - 204.152.139.255
204.152.142.0 - 204.182.143.255
204.182.145.0 - 204.255.243.255
204.255.246.0 - 206.138.167.255
206.138.176.0 - 206.191.223.255
206.192.0.0 - 207.45.255.255
207.46.32.0 - 207.46.35.255
207.47.0.0 - 207.68.127.255
207.68.192.0 - 208.68.135.255
208.68.144.0 - 208.76.44.255
208.76.47.0 - 208.83.255.255
208.84.5.0 - 209.240.191.255
209.240.224.0 - 213.199.127.255
213.199.192.0 - 216.32.179.255
216.32.184.0 - 216.220.207.255
216.220.224.0 - 223.255.255.255
240.0.0.0 - 255.255.255.254

Address Spoofing Protection: Enabled (Detect Mode) - External Interface

Setting the interfaces as defined by routes calculates the topology as below, even though default route is via this interface:
Calculated Interface Topology
10.204.104.64 - 10.204.104.79

Address Spoofing Protection: Enabled (Detect Mode) - Internal Interface

I'd be keen to know if this is expected behavior and if we have interpreted/utilised this feature in the incorrect way.

Thanks in advance.

Re: Anti-spoofing: Network defined by routes dropping return traffic on interafce that leads to defa

PhoneBoy — Sat, 12 Nov 2022 14:15:29 GMT

An actual topology diagram would help.

In general, defining an interface as external literally means "any address not defined as part of the topology for other interfaces."
If you are using 10.0.0.0/8 as part of your internal anti-spoofing (either manually defined or via routing), then this could cause the issue you're facing.
Create an exclusion on the external interface for the precise /29 that you're using on the external interface (i.e. set the "Don't check packets from" in the interface's anti-spoofing settings).

topic Re: Anti-spoofing: Network defined by routes dropping return traffic on interafce that leads to defa in Firewall and Security Management

Anti-spoofing: Network defined by routes dropping return traffic on interafce that leads to default

Re: Anti-spoofing: Network defined by routes dropping return traffic on interafce that leads to defa