topic Re: Management API Interface Anti-Spoofing in API / CLI Discussion

Management API Interface Anti-Spoofing

Simon_Macpherso — Tue, 27 Jun 2023 04:43:29 GMT

Hello,

When using management API v10.9 to disable anti-spoofing on an interface using the add simple-cluster or set simple-cluster endpoints, setting anti-spoofing to false doesn't reflect as disabled in the interface Topology Settings on the object in Smart Console. The setting 'Perform Anti-Spoofing based on interface topology' remains checked, with Anti-Spoofing action is set to Prevent and Spook Tracking set to Log.

e.g.

mgmt_cli -r true add simple-cluster name 'test-cluster' cluster-mode 'cluster-xl-ha' ip-address '99.99.99.99' version 'R81.20' hardware 'Open server' firewall true interfaces.1.name 'eth0' interfaces.1.interface-type 'cluster' interfaces.1.ip-address '172.18.0.69' interfaces.1.network-mask '255.255.255.192' interfaces.1.topology 'EXTERNAL' interfaces.1.anti-spoofing false

I can disable it globally on the gateway using fw ctl set int fw_antispoofing_enabled 0. The output of fw ctl get int fw_antispoofing_enabled is fw_antispoofing_enabled = 0. So I assume the kernel setting takes precedence over the specific interface settings on the management server. If this is the case, it would be better if the interface specific settings were greyed out.

Regards,

Simon

Re: Management API Interface Anti-Spoofing

PhoneBoy — Tue, 27 Jun 2023 20:19:30 GMT

The anti-spoofing kernel variable is there to allow recovery from situations where anti-spoofing was misconfigured.
It is not meant to be a long-term setting, thus why there's no UI related to it in SmartConsole.

As for why the set-somple-cluster isn't setting anti-spoofing properly, any ideas @Omer_Kleinstern?

Re: Management API Interface Anti-Spoofing

Bob_Zimmerman — Wed, 05 Jul 2023 00:27:04 GMT

I ran the exact 'add simple-cluster' command you posted on management API v1.8.1 (specifically, R81.10 jumbo 106), and the resulting cluster object had a single interface (eth0) set to External topology with antispoofing disabled. The GUI view of the object matches, and antispoofing is definitely disabled.

I don't have an API v1.9 system handy. If it definitely isn't working there, it may be worth trying with "external" in lowercase. That's how it is in the API's output, so maybe something became more case-sensitive?

Re: Management API Interface Anti-Spoofing

Simon_Macpherso — Wed, 12 Jul 2023 05:33:51 GMT

Hi @Bob_Zimmerman

I tried using lowercase 'internal' and 'external' but the the GUI view of the object does not matches, however antispoofing is disabled.

eth0
VIP 172.18.0.10
IP 172.18.0.8
Mask 255.255.255.192
ANTISPOOFING ENABLED: false
ANTISPOOFING MODE: PREVENT
ANTISPOOFING TOPO: External
ADDRESS SPOOFING NETWORKS:
0.0.0.0, 126.255.255.255
128.0.0.0, 172.18.0.63
172.18.0.128, 223.255.255.255
240.0.0.0, 255.255.255.254

eth1
VIP 172.18.0.72
IP 172.18.0.73
Mask 255.255.255.192
ANTISPOOFING ENABLED: false
ANTISPOOFING MODE: PREVENT
ANTISPOOFING TOPO: Internal
ADDRESS SPOOFING NETWORKS:
172.18.0.64, 172.18.0.127

Re: Management API Interface Anti-Spoofing

Bob_Zimmerman — Wed, 12 Jul 2023 14:44:39 GMT

In that case, it sounds like a SmartConsole issue rather than an API issue.

Re: Management API Interface Anti-Spoofing

Simon_Macpherso — Wed, 12 Jul 2023 23:25:01 GMT

Yes, appears cosmetic.