topic Re: Anti-spoofing "Don't check packets from" in Firewall and Security Management

Anti-spoofing "Don't check packets from"

Moudar — Mon, 29 Apr 2024 13:40:03 GMT

I got a problem with Anti-spoofing in my lab. When activating anti-spoofing on an external interface, i cannot install the policy and get this error:

running "fw unloadlocal" will fix it once, and then it will again send the same error message.

Disabling anti-spoofing on the external interface and then no problem to install the policy!

The problem is that adding the 10.1.1.0 subnet under "Don't check packets from" does not help! I still get the same error when trying to install the policy:

any ideas!

Re: Anti-spoofing "Don't check packets from"

the_rock — Mon, 29 Apr 2024 13:46:46 GMT

Just check first option under topology, not override.

Also, check this:

https://support.checkpoint.com/results/sk/sk115276

You can run ip r g 8.8.8.8 to verify routing is good, or run route command from expert mode to confirm.

Best,

Andy

Re: Anti-spoofing "Don't check packets from"

Moudar — Mon, 29 Apr 2024 14:33:11 GMT

Thank you Andy.

removing "not override" was the solution for that problem!

But i still wonder what did that "override" do in that situation?

Re: Anti-spoofing "Don't check packets from"

Moudar — Mon, 29 Apr 2024 14:43:57 GMT

Or maybe i need to say that it works sometimes:

i mean this ping is working sometimes and dropping some other times?!

Re: Anti-spoofing "Don't check packets from"

the_rock — Mon, 29 Apr 2024 14:44:40 GMT

Here is the difference. Though its exact SAME description, you should NEVER change it, specially for external interface, because its auto calculated.

Interface - Topology Settings (checkpoint.com)

So, in layman's terms, if you override and set to Internet (external_ though its same as top setting, it may inadvertantly "think" its supposed to calculate the IP from some random external source.

Best,

Andy

Re: Anti-spoofing "Don't check packets from"

the_rock — Mon, 29 Apr 2024 14:46:45 GMT

Mark down below description and use it whenever in doubt, because in my experience, works 100% of the time, just make sure routing is 100% right.

Andy

Understanding Topology

An interface can be defined as being External (leading to the Internet) or Internal (leading to the LAN).

The type of network that the interface Leads To:

Internet (External) or This Network (Internal) - This is the default setting. It is automatically calculated from the topology of the gateway. To update the topology of an internal network after changes to static routes, click Network Management > Get Interfaces in the General Properties window of the gateway.
Override - Override the default setting.

If you Override the default setting:

Internet (External) - All external/Internet addresses
This Network (Internal) -
- Not Defined - All IP addresses behind this interface are considered a part of the internal network that connects to this interface
- Network defined by the interface IP and Net Mask - Only the network that directly connects to this internal interface
- Network defined by routes - The gateway dynamically calculates the topology behind this interface. If the network changes, there is no need to click "Get Interfaces" and install a policy.
- Specific - A specific network object (a network, a host, an address range, or a network group) behind this internal interface
- Interface leads to DMZ - The DMZ that directly connects to this internal interface

Re: Anti-spoofing "Don't check packets from"

Moudar — Mon, 29 Apr 2024 14:47:28 GMT

or something like this:

Re: Anti-spoofing "Don't check packets from"

the_rock — Mon, 29 Apr 2024 14:53:34 GMT

If you still have issues, I would say it need more investigation. Maybe do fw monitor with -F flag and see whats happening with the traffic. Alternatively, you can do ip r g command to dst IP and make sure route is right.

Example...if dst is say 10.10.10.10, just run ip r g 10.10.10.10 from expert mode.

Andy

My lab:

[Expert@cpazurecluster1:0]# ip r g 10.10.10.10
10.10.10.10 via 10.5.0.1 dev eth0 src 10.5.0.4
cache
[Expert@cpazurecluster1:0]#

Re: Anti-spoofing "Don't check packets from"

emmap — Tue, 30 Apr 2024 01:23:29 GMT

'External' means 'everything that isn't configured on one of the internal interfaces'. So make sure your internal interfaces aren't configured to anything too broad, or with a large subnet that overlaps a smaller subnet that routes out the external interface.

Given the drop happened on the 'eth4' interface, this is the external one?