topic Re: IP spoofing for just one IP Address in Firewall and Security Management

IP spoofing for just one IP Address

kadar2 — Mon, 16 Sep 2024 09:52:34 GMT

Dear all,

We are facing this weird situation. On the internal interface of our firewall we have configured antispoofing so that all 10.0.0.0/8 is coming from this interface, Since we have other DMZs on this firewall that have an IP address in the 10.x.x.x. form, we have excluded some (not all) of the DMZ subnets from the antispoofing mechanism of the internal interface (action: prevent and log)

My question is why aren't we getting drops for the packets that belong to the "not excluded" subnets? Out of the blue we saw drops from a DMZ IP towards a specific destination situated in the internal LAN. Traffic from the same IP to other stuff in the internal LAN is passing without any problems! Traffic from other IPs in the DMZ subnet towards the exact same destination is passing without problems!

To sum it up:

Internal: 10.0.0.0/8

DMZ: 10.1.1.0/24 not excluded from the anitspoofing mechanism on internal:

Destination: 10.2.2.2 , 10.3.3.3 (internal subnets)

Src: 10.1.1.1 --> 10.2.2.2 , 10.3.3.3 ok

Src: 10.1.1.2 --> 10.2.2.2 NOT ok (message on log: spoofing address)

Src: 10.1.1.2 --> 10.3.3.3 ok

Any insight will be highly appreciated!

Re: IP spoofing for just one IP Address

Timothy_Hall — Mon, 16 Sep 2024 12:44:48 GMT

Please post the results from this one-liner, being sure to redact any Internet-routable outside addresses:

https://community.checkpoint.com/t5/Security-Gateways/One-liner-for-Address-Spoofing-Troubleshooting/m-p/33204

Re: IP spoofing for just one IP Address

kadar2 — Tue, 17 Sep 2024 06:55:04 GMT

Hi Timothy,

Attached is the output for the related interfaces (DMZ and internal).

For one IP address from 10.20.32.0/18 subnet I get an antispoofing message when the destination address is in 10.0.0.0/8 subnet. All other IP addresses from 10.20.32.0/18 can access the same destination without any problems.

So the questions are:

Should 10.20.32.0/18 be excluded from the interfaces to be spoofed in the internal zone?

Why is just one IP address shown as spoofed? Could this be related to a setting on the specific PC?

Thank you in advance,

Katerina

Re: IP spoofing for just one IP Address

PhoneBoy — Tue, 17 Sep 2024 21:04:50 GMT

Is it the ingress or egress interface that the spoofing message is occurring on?
That will determine where we need to adjust anti-spoofing settings.

Re: IP spoofing for just one IP Address

kadar2 — Wed, 18 Sep 2024 06:44:43 GMT

What you are stating is really interesting, because the interface on which the message is occuring should not be in the path at all!!!!

I will further look into that!

What I don't understand is if directly connected interfaces of the firewall should also be excluded from the spoofing checks on the interface connecting to the internal LAN. It confuses me, since we have excluded some, but not all DMZ directly connected subnets, and everything is working fine.

Re: IP spoofing for just one IP Address

PhoneBoy — Wed, 18 Sep 2024 13:48:48 GMT

Each packet is checked for anti-spoofing twice (in ingress interface and egress interface).
Knowing where it came from is, therefore, a critical part of resolving the issue.

Re: IP spoofing for just one IP Address

the_rock — Wed, 18 Sep 2024 15:48:46 GMT

See if this sk helps.

https://support.checkpoint.com/results/sk/sk115276

Also, here is important point about anti-spoofing options.

Andy

Interface - Topology Settings (checkpoint.com)

An interface can be defined as being External (leading to the Internet) or Internal (leading to the LAN).

The type of network that the interface Leads To:

Internet (External) or This Network (Internal) - This is the default setting. It is automatically calculated from the topology of the gateway. To update the topology of an internal network after changes to static routes, click Network Management > Get Interfaces in the General Properties window of the gateway.
Override - Override the default setting.

If you Override the default setting:

Internet (External) - All external/Internet addresses
This Network (Internal) -
- Not Defined - All IP addresses behind this interface are considered a part of the internal network that connects to this interface
- Network defined by the interface IP and Net Mask - Only the network that directly connects to this internal interface
- Network defined by routes - The gateway dynamically calculates the topology behind this interface. If the network changes, there is no need to click "Get Interfaces" and install a policy.
- Specific - A specific network object (a network, a host, an address range, or a network group) behind this internal interface
- Interface leads to DMZ - The DMZ that directly connects to this internal interface

VPN Tunnel Interfaces

If the interface is part of a VPN Tunnel

, then the interface Leads To a Point to Point network. The interface is one end of the point to point connection. All traffic in the network behind the interface is part of the point to point connection. Click Override to define a specific network.

Re: IP spoofing for just one IP Address

kadar2 — Thu, 19 Sep 2024 08:11:51 GMT

Thanks for the info.

Your questions helped me clarify the issue.

Re: IP spoofing for just one IP Address

PhoneBoy — Thu, 19 Sep 2024 14:33:55 GMT

Did you find the source of the issue?

Re: IP spoofing for just one IP Address

kadar2 — Tue, 24 Sep 2024 09:08:40 GMT

Hi!

It seems that the issue was within the laptop itself, so we have arranged for a fresh installation of operating system and applications. Nothing could be found on the network side or on the Firewall.