topic Re: Ping between SYNC being dropped by Anti-spoofing in General Topics

Ping between SYNC being dropped by Anti-spoofing

J_Saun — Tue, 07 Apr 2020 20:45:22 GMT

I have an R80.20 cluster. The SYNC interfaces are configured as follows:

FW1 - 192.168.199.1/255.255.255.252

FW2 - 192.168.199.2/255.255.255.252

Antispoofing (from the default) is as follows:

Leads To - This Network (Internal)

Security Zone - User defined (I have never defined any security zones)

Anti-spoofing - Perform anti-spoofing based on interface topology

In the firewall logs, after I ping from .1 to .2 I see the ICMP being permitted, immediately followed by a DROP and a statement 'Cluster member IP is being spoofed'.

What am I missing in my antispoofing config? Its at the default.

Re: Ping between SYNC being dropped by Anti-spoofing

J_Saun — Tue, 07 Apr 2020 20:50:19 GMT

Update

I scrutinized the logs again and the logger shows the source as being the SYNC interface of a DIFFERENT firewall cluster in our environment. The SYNC connections are direct, not through a switch. How is that possible?

Does that mean we cannot use the same, small, 192.168.199.0/30 network on all of our SYNC interfaces? They have to be different?

Re: Ping between SYNC being dropped by Anti-spoofing

PhoneBoy — Wed, 08 Apr 2020 00:57:15 GMT

What's the routing table look like on the affected gateway?
Because you should be able to use the same (private) sync network on each cluster, AFAIK.