topic Re: Anti spoofing and management traffic in Firewall and Security Management

Anti spoofing and management traffic

JorgenSpange — Wed, 17 Apr 2024 08:11:08 GMT

Good day!

We have a checkpoint environment where we need to route traffic to our webproxy on an internal interface.

This causes a problem for the security gateway itself as the traffic towards the proxy is sent from the mgt interface and the return traffic comes back on the internal interface, hence it's getting dropped by anti spoofing.
If I route the traffic to the webproxy through the mgt interface it works for the gateways, but not for the servers which is also consuming the proxy.

When defining an interface as internal and using 'defined by routes' adding exceptions to anti spoofing seems to be greyed out.

Does anyone have a good solution on how to solve this?

Br

Jørgen

Re: Anti spoofing and management traffic

emmap — Wed, 17 Apr 2024 09:18:36 GMT

Any reason why you don't want to route it all via the internal interface? The best solution is to avoid asymmetrical routing like this, so that anti-spoofing can do its job.

Re: Anti spoofing and management traffic

JorgenSpange — Wed, 17 Apr 2024 09:40:45 GMT

Yeah that would be the best, but have not figured out how I can initiate this traffic for the gateway from the internal interface.
Please let me know!

Br

Re: Anti spoofing and management traffic

emmap — Wed, 17 Apr 2024 13:32:57 GMT

There's no special configuration required, the gateway just follows the routing table to get to where it needs to. If the route to the destination points out the Internal interface, it will use that.

Re: Anti spoofing and management traffic

JorgenSpange — Wed, 17 Apr 2024 13:44:18 GMT

Yeah right, it does. Our problem is that the return traffic will be routed directly to the mgt interface, which will cause it to be dropped by antispoofing. I dont want to route all mgt traffic via the internal interface, as long as we actually are using the dedicated mgmt interface.

Re: Anti spoofing and management traffic

emmap — Thu, 18 Apr 2024 02:03:17 GMT

In normal deployments, the mgmt interface is just another interface in the box, there's no separation of routing or whatever for management functions. If you want that, you can either redeploy it as VSX or look at Management Data Plane Separation.

https://support.checkpoint.com/results/sk/sk138672 < MDPS