https://community.checkpoint.com/t5/General-Topics/How-to-prevent-IP-spoofing-from-internet/m-p/122227#M22652 <P>There's a couple things:</P> <P>1. You define the topology on the gateway as to what's considered valid on the gateway for a given interface. In R80.20+ you can also let this be dynamically defined by the routing table.<BR />2. We block the use of IP Options, which allows you to encode a route back to the IP.&nbsp;&nbsp;</P> Fri, 25 Jun 2021 20:38:41 GMT PhoneBoy 2021-06-25T20:38:41Z https://community.checkpoint.com/t5/General-Topics/How-to-prevent-IP-spoofing-from-internet/m-p/122219#M22649 <P>Can someone help me to understand how checkpoint firewall prevents IP spoofing from the internet?</P> Fri, 25 Jun 2021 19:04:03 GMT https://community.checkpoint.com/t5/General-Topics/How-to-prevent-IP-spoofing-from-internet/m-p/122219#M22649 Binoy 2021-06-25T19:04:03Z https://community.checkpoint.com/t5/General-Topics/How-to-prevent-IP-spoofing-from-internet/m-p/122227#M22652 <P>There's a couple things:</P> <P>1. You define the topology on the gateway as to what's considered valid on the gateway for a given interface. In R80.20+ you can also let this be dynamically defined by the routing table.<BR />2. We block the use of IP Options, which allows you to encode a route back to the IP.&nbsp;&nbsp;</P> Fri, 25 Jun 2021 20:38:41 GMT https://community.checkpoint.com/t5/General-Topics/How-to-prevent-IP-spoofing-from-internet/m-p/122227#M22652 PhoneBoy 2021-06-25T20:38:41Z https://community.checkpoint.com/t5/General-Topics/How-to-prevent-IP-spoofing-from-internet/m-p/122241#M22653 <P>you can also search " Anti-Spoofing" in the Security Gateway Administration Guide for your corresponding version to read up on more detail</P> Sat, 26 Jun 2021 01:48:06 GMT https://community.checkpoint.com/t5/General-Topics/How-to-prevent-IP-spoofing-from-internet/m-p/122241#M22653 Cyber_Serge 2021-06-26T01:48:06Z https://community.checkpoint.com/t5/General-Topics/How-to-prevent-IP-spoofing-from-internet/m-p/122251#M22655 <P>I would refer to below link, it explains it very well:</P> <P><A href="https://sc1.checkpoint.com/documents/R80.20/SmartConsole_OLH/EN/html_frameset.htm?topic=documents/R80.20/SmartConsole_OLH/EN/ZvkmnUK_XluBBIIAw1mF3A2" target="_blank">https://sc1.checkpoint.com/documents/R80.20/SmartConsole_OLH/EN/html_frameset.htm?topic=documents/R80.20/SmartConsole_OLH/EN/ZvkmnUK_XluBBIIAw1mF3A2</A></P> <P>&nbsp;</P> <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7">@PhoneBoy</a>&nbsp;gave you correct answer. Put it this way...there is an option on external interface to exempt any IP address, but you definitely do not want to turn off anti spoofing on external interface, thats a huge security issue. In some scenario, I seen people set it to "detect" on internal interface, but thats not as bad, since that would be used for outbound traffic anyway.</P> Sat, 26 Jun 2021 11:49:23 GMT https://community.checkpoint.com/t5/General-Topics/How-to-prevent-IP-spoofing-from-internet/m-p/122251#M22655 the_rock 2021-06-26T11:49:23Z https://community.checkpoint.com/t5/General-Topics/How-to-prevent-IP-spoofing-from-internet/m-p/122443#M22681 <P>If you activate IP spoofing on your interfaces, It will help to IP spoofing attacks.&nbsp; If attacker send a packet with the spoofed address into your servers It can prevent.&nbsp;For example, your Eth1 is configured 192.168.1.0/24 subnetting, then It will drop the packet if firewall receive this subnet IP come from another interface...</P> Tue, 29 Jun 2021 06:59:21 GMT https://community.checkpoint.com/t5/General-Topics/How-to-prevent-IP-spoofing-from-internet/m-p/122443#M22681 Baasanjargal_Ts 2021-06-29T06:59:21Z https://community.checkpoint.com/t5/General-Topics/How-to-prevent-IP-spoofing-from-internet/m-p/122452#M22683 <P>Thank you very much for the reply.</P><P>1. I understand that we can enable Anti-spoofing on interfaces based on the topology. Whether I need to enable anti-spoofing on Internet facing interface? As the default route is pointing to internet, how will it detect IP spoofing?</P><P>2. Whether IPS blade is required to block the IP Options. Could you please help to understand how to do it.</P><P>&nbsp;</P> Tue, 29 Jun 2021 08:09:57 GMT https://community.checkpoint.com/t5/General-Topics/How-to-prevent-IP-spoofing-from-internet/m-p/122452#M22683 Binoy 2021-06-29T08:09:57Z https://community.checkpoint.com/t5/General-Topics/How-to-prevent-IP-spoofing-from-internet/m-p/122537#M22689 <P>For external interfaces, anything not defined on an internal interface would be considered invalid on the external interface.</P> <P>IP Options checking is actually done in the firewall (not IPS) and done by default.<BR />Modifying this behavior requires editing some .def files on the management and pushing policy.</P> Tue, 29 Jun 2021 20:38:20 GMT https://community.checkpoint.com/t5/General-Topics/How-to-prevent-IP-spoofing-from-internet/m-p/122537#M22689 PhoneBoy 2021-06-29T20:38:20Z