https://community.checkpoint.com/t5/Firewall-and-Security-Management/exclude-anti-spoofing-for-communication-from-specific-IP/m-p/178315#M32673 <P><SPAN>Dear Team,</SPAN></P><P>In the given network environment, is there a way to configure the anti-spoofing settings to exclude communications from specific IP addresses only? The environment is as follows:</P><UL><LI>Check Point 6200</LI><LI>OS: R81.10</LI><LI>Anti-spoofing enabled on "external" and "internal" interfaces</LI><LI>Topology "external" : External</LI><LI>Topology "internal" : 10.10.0.0/16</LI></UL><P>The internal topology is set to 10.10.0.0/16,</P><P>but communication from 10.10.254.240/28 comes through the external interface.</P><P>Is there a good way to exclude this?</P> Tue, 18 Apr 2023 03:14:19 GMT tepeeeeei 2023-04-18T03:14:19Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/exclude-anti-spoofing-for-communication-from-specific-IP/m-p/178315#M32673 <P><SPAN>Dear Team,</SPAN></P><P>In the given network environment, is there a way to configure the anti-spoofing settings to exclude communications from specific IP addresses only? The environment is as follows:</P><UL><LI>Check Point 6200</LI><LI>OS: R81.10</LI><LI>Anti-spoofing enabled on "external" and "internal" interfaces</LI><LI>Topology "external" : External</LI><LI>Topology "internal" : 10.10.0.0/16</LI></UL><P>The internal topology is set to 10.10.0.0/16,</P><P>but communication from 10.10.254.240/28 comes through the external interface.</P><P>Is there a good way to exclude this?</P> Tue, 18 Apr 2023 03:14:19 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/exclude-anti-spoofing-for-communication-from-specific-IP/m-p/178315#M32673 tepeeeeei 2023-04-18T03:14:19Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/exclude-anti-spoofing-for-communication-from-specific-IP/m-p/178374#M32680 <P>Yes, select the "Don't check packets from" option on the External interface:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="exclude.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/20547i5919FD85FAEC544F/image-size/large?v=v2&amp;px=999" role="button" title="exclude.png" alt="exclude.png" /></span></P> Tue, 18 Apr 2023 11:46:57 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/exclude-anti-spoofing-for-communication-from-specific-IP/m-p/178374#M32680 Timothy_Hall 2023-04-18T11:46:57Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/exclude-anti-spoofing-for-communication-from-specific-IP/m-p/178418#M32685 <P>I can't believe it was such a simple solution!<BR />I feel a bit embarrassed for asking, but thank you for your help.</P><P>Just to confirm, with this setting, it will behave as follows, right?</P><UL><LI>This setting only disables the spoofing check for packets with the specified IP addresses coming from the external interface.</LI><LI>If a packet with the specified IP address as its source comes from the internal side, it won't be considered spoofing either, because the internal topology is set to 10.10.0.0/16.</LI></UL><P>Thanks again for your assistance, and have a great day!</P> Tue, 18 Apr 2023 23:35:36 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/exclude-anti-spoofing-for-communication-from-specific-IP/m-p/178418#M32685 tepeeeeei 2023-04-18T23:35:36Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/exclude-anti-spoofing-for-communication-from-specific-IP/m-p/178425#M32687 <P>Not exactly. That setting lets you exempt whatever IP ranges you do NOT want checked for anti spoofing that hit external interface. Be careful though...usually, people may have external peer IPs there, as it may happen there are VPN issues until you place the peer ip address in there. Just my experience, but every case is different. Btw, that setting ONLY works with external or VTI interface, as vti is technically considered "extension" of external interface.</P> <P>&nbsp;</P> <P>For packets coming from internal side, its got nothing to do with that setting, as it would hit internal interface, not external.</P> Wed, 19 Apr 2023 02:39:01 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/exclude-anti-spoofing-for-communication-from-specific-IP/m-p/178425#M32687 the_rock 2023-04-19T02:39:01Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/exclude-anti-spoofing-for-communication-from-specific-IP/m-p/235053#M45575 <P>Hey Tim,</P><P>Thank You for pointing out solution to this problem as we run into the same predicament last week. Follow up question on this topic:</P><P>Do we need to disable button "Calculate topology automatically based on routing information" for Your solution to work? or we can keep it enabled(as we prefer keep it that way)?</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Zrzut ekranu 2024-12-09 113615.jpg" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/28706iECBE4B38CEDE3FFC/image-size/medium?v=v2&amp;px=400" role="button" title="Zrzut ekranu 2024-12-09 113615.jpg" alt="Zrzut ekranu 2024-12-09 113615.jpg" /></span></P><P> </P><DIV class="">&nbsp;</DIV><P>&nbsp;</P> Mon, 09 Dec 2024 10:36:52 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/exclude-anti-spoofing-for-communication-from-specific-IP/m-p/235053#M45575 konrado_91 2024-12-09T10:36:52Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/exclude-anti-spoofing-for-communication-from-specific-IP/m-p/235099#M45579 <P>You shouldn't need to disable that option to my knowledge, the override should still work.</P> Mon, 09 Dec 2024 19:18:23 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/exclude-anti-spoofing-for-communication-from-specific-IP/m-p/235099#M45579 Timothy_Hall 2024-12-09T19:18:23Z