topic Re: Programatically disable Extended Cluster Anti-Spoofing in Firewall and Security Management

Programatically disable Extended Cluster Anti-Spoofing

Kurpeus — Tue, 13 May 2025 11:14:02 GMT

Hi Checkmates

Does anyone know how to programatically disable Extended Cluster Anti SPoofing either via API or CLI commands ? I'm trying to put together a zero touch demo environment (IaC + full Check Point Terraform config) on GCP, but the management traffic is being dropped by the cluster

@;193343.618;[vs_0];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=6 10.254.1.2:18191 -> 10.254.1.4:38596 dropped by fw_cluster_ttl_anti_spoofing Reason: ttl check drop;

From Smart Console it is possible to disable Extended Cluster Anti Spoofing but i can't see a way to do this via a command. The gateways are on R81.20 and Mgmt R82.

Thanks

Re: Programatically disable Extended Cluster Anti-Spoofing

the_rock — Tue, 13 May 2025 11:42:02 GMT

Let me try figure it out in my cluster, but I know below used to work in older versions, but does not seem its doable in R81.20...

Andy

set cluster member <member_id> advanced-settings extended-anti-spoofing off
save config

Re: Programatically disable Extended Cluster Anti-Spoofing

the_rock — Tue, 13 May 2025 11:49:57 GMT

Though, when I ran your question through AI copilot, says cannot be done viia clish, not supported, but I would still double check that info.

Andy

Re: Programatically disable Extended Cluster Anti-Spoofing

Kurpeus — Tue, 13 May 2025 11:51:32 GMT

Thanks. I think the way to go it to use dbedit in command line. I'm trying to figure out the syntax. Never used it this way before. Always GUI

Re: Programatically disable Extended Cluster Anti-Spoofing

the_rock — Tue, 13 May 2025 11:58:26 GMT

I will keep trying, its very interesting challenge.

Andy

Re: Programatically disable Extended Cluster Anti-Spoofing

Kurpeus — Tue, 13 May 2025 12:17:05 GMT

Ok I've managed to do it via dbedit. cluster is called "gcp-southhub-fw-cluster"

On the management server I've created a script called dbedit.script

dbedit.script:

print network_objects gcp-southhub-fw-cluster
modify network_objects gcp-southhub-fw-cluster cluster_anti_spoofing false
update_all
print network_objects gcp-southhub-fw-cluster
quit -n

I run the command as follow:

[Expert@chkp-fwm:0]# dbedit -local -f dbedit.script | grep cluster_anti_spoofing

Now i just need to create a null_resource remote provisioner type and get it to run the script as part of the workflow

Re: Programatically disable Extended Cluster Anti-Spoofing

the_rock — Tue, 13 May 2025 12:25:26 GMT

Great job!

Andy

Re: Programatically disable Extended Cluster Anti-Spoofing

Duane_Toler — Tue, 13 May 2025 19:54:20 GMT

You can (and should) use the management API:

https://sc1.checkpoint.com/documents/latest/APIs/#cli/set-simple-cluster~v1.9.1%20

Although, the better choice is to fix the issue causing the anti-spoofing error in the first place. Anti-spoofing errors mean you have a problem with your configuration.

Re: Programatically disable Extended Cluster Anti-Spoofing

Kurpeus — Wed, 14 May 2025 08:42:37 GMT

This is not about interface anti spoofing. This can indeed be configured via API (and it is disabled anyway as per Check Point / GCP best practices.). This is about extended cluster anti spoofing setting (cluster properties -> network Management -> Advanced -> Enable Extended Cluster Anti-Spoofing) which is enabled by default.

I have little/no control of the overlay network (GCP). The management server sits on the same L3 network (= directly connected) as the firewall sync (eth1). Both are on the same region but different zone. Somehow the cluster is not happy with the TTL value of packets from the management and drops the traffic.

Re: Programatically disable Extended Cluster Anti-Spoofing

Duane_Toler — Wed, 14 May 2025 14:19:55 GMT

Ohh! I see the problem.

Management server is on the same network. Move that to its own VPC and network. You wouldn't want management in the same network when the future comes and you need to delete the gateways VPC and re-deploy (upgrades, problem-fixing, whatever). It'll also keep your configuration more clean, with distinct separation of duties.

CloudGuard management is meant to be on its own entirely, anyway. The same applies for Azure deployments, too (of which I do a lot these days for customers).

Re: Programatically disable Extended Cluster Anti-Spoofing

Kurpeus — Wed, 21 May 2025 11:23:38 GMT

Thank you.. It is already the case. The firewalls have a leg in the management VPC, not the other way around. I was following Checkpoint deployment guide for GCP link here

Each gateway has a network interface in a subnetwork in the Management VPC. This is the network that manages the gateways.

To be fair I'm also doing that in a trial account which comes with lot of restrictions from GCP.

Limited in the number of VPC per project
Limited in the number of project per billing account
Trial credits can only be used with one billing account
Limited in the number of CPUs per region
and the list goes on ...

So they give you $300 credits but then you can't really use it meaningfully 😄