topic Re: Anti-Spoofing on VTI interfaces in Firewall and Security Management

Anti-Spoofing on VTI interfaces

StevePearson — Wed, 06 Aug 2025 16:20:11 GMT

I'm working on a system at the moment that has a single cluster and has been linked to SASE with redundant tunnels. This is all working fine, however when you push the policy it completes with a warning about no anti-spoofing in the VTI interfaces. Having not worked with route based VPN's before, I just wanted to check to see if there are any reasons not to simply enable the anti-spoofing as usual on these interfaces?

They show as "Leads To: Point to point" and it appears that you can enable it in prevent mode only as there is no option to select between Detect and Prevent.

Re: Anti-Spoofing on VTI interfaces

Lesley — Wed, 06 Aug 2025 19:25:50 GMT

You can configure AS for VTI interfaces. Please see: https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_SitetoSiteVPN_AdminGuide/Content/Topics-VPNSG/Route-Based-VPN.htm

section: Configuring Anti-Spoofing on VTIs in SmartConsole

Re: Anti-Spoofing on VTI interfaces

the_rock — Wed, 06 Aug 2025 23:18:18 GMT

Do NOT enable anti spoofing on it, as its not supposed to be on anyway. By default, when they are configured in web UI, when you get interfaces without topology, it would come up as anti spoofing disabled, which is totally fine.

Andy