Simon_Macpherso
Advisor

Management API Interface Anti-Spoofing

Hello,

When using management API v10.9 to disable anti-spoofing on an interface using the add simple-cluster or set simple-cluster endpoints, setting anti-spoofing to false doesn't reflect as disabled in the interface Topology Settings on the object in SmartConsole. The setting 'Perform Anti-Spoofing based on interface topology' remains checked, with Anti-Spoofing action set to Prevent and Spoof Tracking set to Log.

e.g. 

mgmt_cli -r true add simple-cluster name 'test-cluster' cluster-mode 'cluster-xl-ha' ip-address '99.99.99.99' version 'R81.20' hardware 'Open server' firewall true interfaces.1.name 'eth0' interfaces.1.interface-type 'cluster' interfaces.1.ip-address '172.18.0.69' interfaces.1.network-mask '255.255.255.192' interfaces.1.topology 'EXTERNAL' interfaces.1.anti-spoofing false
 
I can disable it globally on the gateway using fw ctl set int fw_antispoofing_enabled 0. The output of fw ctl get int fw_antispoofing_enabled is fw_antispoofing_enabled = 0. So I assume the kernel setting takes precedence over the specific interface settings on the management server. If this is the case, it would be better if the interface-specific settings were greyed out.
 
Regards,
Simon
0 Kudos
5 Replies
PhoneBoy
Admin

The anti-spoofing kernel variable is there to allow recovery from situations where anti-spoofing was misconfigured.
It is not meant to be a long-term setting, thus why there's no UI related to it in SmartConsole.

As for why the set-simple-cluster isn't setting anti-spoofing properly, any ideas, @Omer_Kleinstern?

0 Kudos
Bob_Zimmerman
Authority

I ran the exact 'add simple-cluster' command you posted on management API v1.8.1 (specifically, R81.10 jumbo 106), and the resulting cluster object had a single interface (eth0) set to External topology with antispoofing disabled. The GUI view of the object matches, and antispoofing is definitely disabled.

I don't have an API v1.9 system handy. If it definitely isn't working there, it may be worth trying with "external" in lowercase. That's how it is in the API's output, so maybe something became more case-sensitive?

0 Kudos
Simon_Macpherso
Advisor

Hi @Bob_Zimmerman 

I tried using lowercase 'internal' and 'external' but the GUI view of the object does not match; however, antispoofing is disabled.

eth0
VIP 172.18.0.10
IP 172.18.0.8
Mask 255.255.255.192
ANTISPOOFING ENABLED: false
ANTISPOOFING MODE: PREVENT
ANTISPOOFING TOPO: External
ADDRESS SPOOFING NETWORKS:
0.0.0.0, 126.255.255.255
128.0.0.0, 172.18.0.63
172.18.0.128, 223.255.255.255
240.0.0.0, 255.255.255.254

eth1
VIP 172.18.0.72
IP 172.18.0.73
Mask 255.255.255.192
ANTISPOOFING ENABLED: false
ANTISPOOFING MODE: PREVENT
ANTISPOOFING TOPO: Internal
ADDRESS SPOOFING NETWORKS:
172.18.0.64, 172.18.0.127 

0 Kudos
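An added example, not part of the thread and not Check Point code: because the SmartConsole view and the dumped setting disagree here, this Python sketch parses a per-interface dump in the format posted above, lists the interfaces that report anti-spoofing disabled, and converts the address ranges to CIDR blocks for comparison with the intended topology. The sample text is constructed from the post (eth1 flipped to true for contrast, eth0 range list shortened), and the function names are hypothetical.

```python
import ipaddress

# Constructed sample modelled on the dump posted above (eth1 flipped to true for contrast).
SAMPLE = """\
eth0
VIP 172.18.0.10
IP 172.18.0.8
Mask 255.255.255.192
ANTISPOOFING ENABLED: false
ANTISPOOFING MODE: PREVENT
ANTISPOOFING TOPO: External
ADDRESS SPOOFING NETWORKS:
128.0.0.0, 172.18.0.63
172.18.0.128, 223.255.255.255

eth1
VIP 172.18.0.72
IP 172.18.0.73
Mask 255.255.255.192
ANTISPOOFING ENABLED: true
ANTISPOOFING MODE: PREVENT
ANTISPOOFING TOPO: Internal
ADDRESS SPOOFING NETWORKS:
172.18.0.64, 172.18.0.127
"""

def parse_dump(text):
    """Return {interface: {"enabled", "mode", "topo", "networks"}} from the dump."""
    result = {}
    for block in text.strip().split("\n\n"):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        rec = {"networks": []}
        for ln in lines[1:]:
            if ln.startswith("ANTISPOOFING ") and ":" in ln:
                key, value = ln.split(":", 1)
                rec[key.split()[-1].lower()] = value.strip()
            elif "," in ln:  # "first, last" range -> list of CIDR blocks
                first, last = (ipaddress.ip_address(p.strip()) for p in ln.split(","))
                rec["networks"] += ipaddress.summarize_address_range(first, last)
        # A missing ENABLED line is reported as disabled so it gets reviewed.
        rec["enabled"] = rec.get("enabled", "").lower() == "true"
        result[lines[0]] = rec
    return result

def disabled_interfaces(text):
    """Names of interfaces whose dump reports anti-spoofing as disabled."""
    return sorted(n for n, r in parse_dump(text).items() if not r["enabled"])

if __name__ == "__main__":
    print(disabled_interfaces(SAMPLE))
```
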
Bob_Zimmerman
Authority

In that case, it sounds like a SmartConsole issue rather than an API issue.

0 Kudos
Simon_Macpherso
Advisor

Yes, appears cosmetic. 

0 Kudos
