https://community.checkpoint.com/t5/General-Topics/Address-spoofing/m-p/182188#M30371 <P>I think below is the key.</P> <P>Andy</P> <P><A href="https://supportcenter.us.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk115276&amp;srcFavorites=favorites" target="_blank">https://supportcenter.us.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk115276&amp;srcFavorites=favorites</A></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot_1.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/21094i20F6F4BFB2A3BDCC/image-size/medium?v=v2&amp;px=400" role="button" title="Screenshot_1.png" alt="Screenshot_1.png" /></span></P> <P>&nbsp;</P> <P>I would do some packet captures to make sure flow of traffic is indeer correct.</P> Thu, 25 May 2023 19:40:20 GMT the_rock 2023-05-25T19:40:20Z https://community.checkpoint.com/t5/General-Topics/Address-spoofing/m-p/182183#M30369 <P>I have network with 2 gateways, one is CP other is Mikrotik.</P><P>Mikrotik is in its own vlan. No access to any part of CP network.</P><P>Network have about 50 vlans, intervlan routing is done by L3 switch. (no routing for mikrotiks vlan)</P><P>CP is GW for all networks accept for vlan of mikrotik.</P><P>Everything is working fine. I can not access mikrotik vlan form any&nbsp; CP network and vice versa.</P><P>few days ago I found logs on CP:</P><P>&nbsp;</P><P><BR />Interface Direction: inbound<BR />Interface Name: eth0<BR />Id Generated By Indexer:false<BR />First: true<BR />Sequencenum: 4<BR />Source: 10.20.0.89 (this is network, that is used for "Mikrotik network"<BR />Source Port: 4500<BR />Destination: x.x.x.x<BR />Destination Port: 4500<BR />IP Protocol: 17<BR />Message Information: Address spoofing<BR />Action: Detect<BR />Type: Log<BR />Blade: Firewall<BR />Service: UDP/4500<BR />Product Family: Access<BR />Interface: eth0<BR />Description: IKE_NAT_TRAVERSAL Traffic Detected from 10.20.0.89 to x.x.x.x<BR /><BR /></P><P>&nbsp;</P><P>with x.x.x.x I hided public IP address of destination, but it is legit IP WAN address.</P><P>privat IP is allways the same (10.20.0.89) that is strange, because there was few same events in range of few days (DHCP leash time on Mikrotik is 1day and I do not use reservations)</P><P>&nbsp;</P><P>Obviously I have some misconfiguration on network or someone is doing something bad on network.</P><P>I did try my best to&nbsp;repeat the event, but I cant find way to do it.</P><P>I couldn't&nbsp; find it on Mikrotik DHCP log, since leash time released IP.</P><P>How can I find out what is going on? Few users have access to both networks, is it possible that Windows (or software) somehow route two networks together? Mikrotik is WiFi network.</P><P>I want to replicate this event, so I will know what is wrong and protect network.</P><P>Is this misconfiguration of the LAN, misconfiguration of endpoint PC or is someone really spoofing LAN address?</P><P>No other traffic is detected on CP from "Mikrotik network" only this IP and only&nbsp;IKE_NAT_TRAVERSAL.</P><P>&nbsp;</P> Thu, 25 May 2023 19:16:40 GMT https://community.checkpoint.com/t5/General-Topics/Address-spoofing/m-p/182183#M30369 WhOPP 2023-05-25T19:16:40Z https://community.checkpoint.com/t5/General-Topics/Address-spoofing/m-p/182188#M30371 <P>I think below is the key.</P> <P>Andy</P> <P><A href="https://supportcenter.us.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk115276&amp;srcFavorites=favorites" target="_blank">https://supportcenter.us.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk115276&amp;srcFavorites=favorites</A></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot_1.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/21094i20F6F4BFB2A3BDCC/image-size/medium?v=v2&amp;px=400" role="button" title="Screenshot_1.png" alt="Screenshot_1.png" /></span></P> <P>&nbsp;</P> <P>I would do some packet captures to make sure flow of traffic is indeer correct.</P> Thu, 25 May 2023 19:40:20 GMT https://community.checkpoint.com/t5/General-Topics/Address-spoofing/m-p/182188#M30371 the_rock 2023-05-25T19:40:20Z