topic Re: Antispoofing and VPN on domain VPN in Firewall and Security Management

Antispoofing and VPN on Domain-based VPN

Ilovecheckpoint — Mon, 29 Apr 2024 14:15:49 GMT

We have a Checkpoint gateway who has plenty of vpn site to site with other Checkpoint managed by our organisation.

We use domain base VPN on both star/mesh mode.

I need to proper configure antispoofing on prevent mode.

Should I add on both ends "Dont't check packets from" including encryption domains, to prevent packets to be dropped by antispoofing?

On FWA to configure "Dont't check packets from" of encryption domain B, and viceversa?

Re: Antispoofing and VPN on domain VPN

_Val_ — Mon, 29 Apr 2024 14:09:10 GMT

No, just plain physical topology will be enough

Re: Antispoofing and VPN on domain VPN

Ilovecheckpoint — Mon, 29 Apr 2024 14:23:54 GMT

Hello Val,

Thank you for your answer.

On Gateway A, a VSX, the one who has plenty of vpn, the interface is set as external one.

When "Dont't check packets from" is unselected, on detect mode, all logs are seen as address spoofing.

On Gateway B (the other vpn end), "Dont't check packets from" is selected, for only mobile network configured on itself. No spoofing is detected/prevented.

Re: Antispoofing and VPN on Domain-based VPN

the_rock — Mon, 29 Apr 2024 17:09:02 GMT

All you do is this...simply add PEER's external IP into that group. You dont even need anything from the enc. domain, all it cares about is external peer's address.

Andy

Re: Antispoofing and VPN on domain VPN

Bob_Zimmerman — Mon, 29 Apr 2024 17:54:00 GMT

In antispoofing, External takes the topology of every Internal interface, combines them all, then logically inverts them into a "NOT Internal" topology definition. If antispoofing is flagging traffic on an external interface, that means one or more of your internal interfaces are configured incorrectly. My bet is there's a manual group on one or more internal interfaces which contains 10.0.0.0/8 or something similarly broad.

Re: Antispoofing and VPN on Domain-based VPN

CheckPointerXL — Fri, 03 May 2024 13:08:37 GMT

Networks that belongs to VPN peers in route-based mode are usually added in group for don't check packet for

Re: Antispoofing and VPN on Domain-based VPN

the_rock — Fri, 03 May 2024 13:23:00 GMT

Interesting...personally, I never had to do that and works fine.

Andy

Re: Antispoofing and VPN on Domain-based VPN

Duane_Toler — Fri, 03 May 2024 15:11:27 GMT

You should be able to set your interior-facing interfaces to "Defined by routes" for all gateways. On the vpnt interfaces, set those with anti-spoofing disabled. You exterior-facing interfaces (to internet) should remain as External. Interfaces facing local-attached LANs (networks with no downstream next-hop) should remain as "This network" (not a static group).

I've moved just about all my customers to this dynamically-calculated topology and life has been pretty good. We can do dynamic and static routing on both interior and VTI networks as needed. Yep, it works on VSX, too.

"Defined by routes" will consult the RouteD FIB every few seconds for topology calculation and keep your network flexible at all points. With R80.30+, you should almost(*) never have to use a hard-set group object to define topology anymore.

(*) Yes, "almost never"; no doubt someone has some special scenario, but this should be the exception rather than the rule now.

Re: Antispoofing and VPN on Domain-based VPN

CheckPointerXL — Fri, 03 May 2024 15:15:47 GMT

i agree with your scenario

especially with vsx, absolutely suggest to use network defined by routes ; stay far away from "automatically calculated", which it creates a lot of duplicate objects that, in some scenario, it raises a lot of hard issues