https://community.checkpoint.com/t5/Firewall-and-Security-Management/Dynamic-Routing-Anti-Spoofing/m-p/55372#M4178 I would agree with Maarten -- You really shouldn't have to define a custom group if you are defining it as an external interface. Sun, 09 Jun 2019 14:04:12 GMT Bryce_Myers 2019-06-09T14:04:12Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Dynamic-Routing-Anti-Spoofing/m-p/19342#M1470 <HTML><HEAD></HEAD><BODY><P>hey</P><P></P><P>1) how can you enforce AntiSpoofing on interfaces that learn routes from dynamic protocol&nbsp; (OSPF / RIP )?</P><P>2) i also have one network which is directlry connected to the FW and in a DR scenario someone will shut the interface and this network will failover to the DR so i need the FW to be updated acordingly with the anti-spoofing configuration</P><P></P><P>FW Version is R77.30</P></BODY></HTML> Tue, 19 Dec 2017 11:18:11 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Dynamic-Routing-Anti-Spoofing/m-p/19342#M1470 Dor_Marcovitch 2017-12-19T11:18:11Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Dynamic-Routing-Anti-Spoofing/m-p/19343#M1471 <HTML><HEAD></HEAD><BODY><P>Antispoofing based on dynamic routing configuration is something that is planned for a later release.</P><P>Any updates to the anti-spoofing configuration could be scripted (with the R80.10 API or even with dbedit) but a policy installation is required for it to take effect.</P></BODY></HTML> Wed, 20 Dec 2017 00:17:33 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Dynamic-Routing-Anti-Spoofing/m-p/19343#M1471 PhoneBoy 2017-12-20T00:17:33Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Dynamic-Routing-Anti-Spoofing/m-p/55268#M4170 <P>Is there any more update on this topic? I am struggling to find much information.</P><P>&nbsp;</P><P>Thanks</P> Fri, 07 Jun 2019 08:42:07 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Dynamic-Routing-Anti-Spoofing/m-p/55268#M4170 scottikon 2019-06-07T08:42:07Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Dynamic-Routing-Anti-Spoofing/m-p/55309#M4173 If you are running 80.20 gateway and management you should be able to select "Network Defined by Routes". I haven't tested this in my environment dynamic routing. Fri, 07 Jun 2019 21:17:36 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Dynamic-Routing-Anti-Spoofing/m-p/55309#M4173 Bryce_Myers 2019-06-07T21:17:36Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Dynamic-Routing-Anti-Spoofing/m-p/55326#M4174 <P>Thank you,&nbsp;</P><P>That is an option we can look to test for one of the interfaces. The other interface is defined as external so I don't have that option.&nbsp;</P> Sat, 08 Jun 2019 11:29:29 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Dynamic-Routing-Anti-Spoofing/m-p/55326#M4174 scottikon 2019-06-08T11:29:29Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Dynamic-Routing-Anti-Spoofing/m-p/55327#M4175 <P>Thank you.&nbsp;</P><P>This is something we can try on one of our interfaces that is used for BGP.&nbsp;</P><P>The second interface we have is configured as External topology so we don't have the option to select "networks defined by routes".&nbsp;</P><P>We will just have to create a group and manually update that when we know of new subnets that are to be advertised to us.&nbsp;</P><P>Thanks</P> Sat, 08 Jun 2019 12:19:16 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Dynamic-Routing-Anti-Spoofing/m-p/55327#M4175 scottikon 2019-06-08T12:19:16Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Dynamic-Routing-Anti-Spoofing/m-p/55334#M4176 I think you should ask yourself the question here, why are you using External on that interface if you still need to Anti-Spoofing?<BR />In fact an interface set to external with enabled Anti-Spoofing will just use a scheme that says: anything is allowed that is not defined by all other (non External) interfaces. Sat, 08 Jun 2019 18:10:25 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Dynamic-Routing-Anti-Spoofing/m-p/55334#M4176 Maarten_Sjouw 2019-06-08T18:10:25Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Dynamic-Routing-Anti-Spoofing/m-p/55372#M4178 I would agree with Maarten -- You really shouldn't have to define a custom group if you are defining it as an external interface. Sun, 09 Jun 2019 14:04:12 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Dynamic-Routing-Anti-Spoofing/m-p/55372#M4178 Bryce_Myers 2019-06-09T14:04:12Z