https://community.checkpoint.com/t5/General-Topics/ISP-blocks-traffic-Their-anti-spoofing-system-Same-VMAC-for-3/m-p/18597#M3347 <HTML><HEAD></HEAD><BODY><P>Thanks. We finally disabled vmac option. And solved our problem.</P><P></P><P>Regards</P></BODY></HTML> Thu, 13 Dec 2018 16:33:56 GMT Diego_Javier_Me 2018-12-13T16:33:56Z https://community.checkpoint.com/t5/General-Topics/ISP-blocks-traffic-Their-anti-spoofing-system-Same-VMAC-for-3/m-p/18595#M3345 <HTML><HEAD></HEAD><BODY><TABLE cellpadding="0" cellspacing="0"><TBODY><TR style="height: 180px;"><TD class="" style="border-left: 1px solid #f3f3f3; font-size: 11.2px; padding: 10px 0px 0px 6px; height: 180px;"><DIV class=""><DIV lang="EN-GB"><DIV class=""><P class="" style="font-size: 11pt; margin: 0cm 0cm 0.0001pt;">There is a Check Point cluster. Two 5200 series appliances.</P><P class="" style="font-size: 11pt; margin: 0cm 0cm 0.0001pt;">Three Internet services connected to the cluster, from the same ISP. They see three IP addresses (each cluster's Internet address for each link) with the same MAC address (checkpoint cluster's virtual mac). That causes their system to activate an antispoofing alert and it periodically blocks the traffic.</P><P class="" style="font-size: 11pt; margin: 0cm 0cm 0.0001pt;">Is there any way to set and independant VMACs?</P><P class="" style="font-size: 11pt; margin: 0cm 0cm 0.0001pt;">&nbsp;</P><P class="" style="font-size: 11pt; margin: 0cm 0cm 0.0001pt;">Thanks&nbsp;</P><P class="" style="font-size: 11pt; margin: 0cm 0cm 0.0001pt;"></P><P class="" style="font-size: 11pt; margin: 0cm 0cm 0.0001pt;"><SPAN lang="ES-AR">Best Regards.</SPAN></P></DIV></DIV></DIV></TD></TR></TBODY></TABLE></BODY></HTML> Wed, 21 Nov 2018 19:04:40 GMT https://community.checkpoint.com/t5/General-Topics/ISP-blocks-traffic-Their-anti-spoofing-system-Same-VMAC-for-3/m-p/18595#M3345 Diego_Javier_Me 2018-11-21T19:04:40Z https://community.checkpoint.com/t5/General-Topics/ISP-blocks-traffic-Their-anti-spoofing-system-Same-VMAC-for-3/m-p/18596#M3346 <HTML><HEAD></HEAD><BODY><P>I know many people don't want to hear this but with VRRP you can choose for Extended VMAC, which is a deviate of the IP address and will be different for each interface.</P></BODY></HTML> Wed, 21 Nov 2018 21:32:26 GMT https://community.checkpoint.com/t5/General-Topics/ISP-blocks-traffic-Their-anti-spoofing-system-Same-VMAC-for-3/m-p/18596#M3346 Maarten_Sjouw 2018-11-21T21:32:26Z https://community.checkpoint.com/t5/General-Topics/ISP-blocks-traffic-Their-anti-spoofing-system-Same-VMAC-for-3/m-p/18597#M3347 <HTML><HEAD></HEAD><BODY><P>Thanks. We finally disabled vmac option. And solved our problem.</P><P></P><P>Regards</P></BODY></HTML> Thu, 13 Dec 2018 16:33:56 GMT https://community.checkpoint.com/t5/General-Topics/ISP-blocks-traffic-Their-anti-spoofing-system-Same-VMAC-for-3/m-p/18597#M3347 Diego_Javier_Me 2018-12-13T16:33:56Z https://community.checkpoint.com/t5/General-Topics/ISP-blocks-traffic-Their-anti-spoofing-system-Same-VMAC-for-3/m-p/18598#M3348 <HTML><HEAD></HEAD><BODY><P>When employing ClusterXL HA, the "use VMAC" option is unchecked by default and my opinion is that it should be left that way if possible.&nbsp; Failovers will utilize the Gratuitous ARP mechanism when the VMAC box is unchecked, and that will usually work just fine in most networks.&nbsp; However if "slow" or incomplete failovers for all NAT addresses are encountered, VMAC can be enabled but it may honk of the switching infrastructure (and STP) in various ways as described above.&nbsp; At a minimum, make sure portfast is configured on the firewall's switchports if you plan to enable VMAC...</P><P></P><P>--<BR /> Second Edition of my "Max Power" Firewall Book<BR /> Now Available at <A href="http://www.maxpowerfirewalls.com" target="_blank">http://www.maxpowerfirewalls.com</A></P></BODY></HTML> Fri, 14 Dec 2018 13:25:13 GMT https://community.checkpoint.com/t5/General-Topics/ISP-blocks-traffic-Their-anti-spoofing-system-Same-VMAC-for-3/m-p/18598#M3348 Timothy_Hall 2018-12-14T13:25:13Z