This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
d8c70a99-a39f-4
Participant
‎2018-12-11 07:53 AM

Local interface address spoofing

Hi, 

Another tricky one to explain Smiley Sad

In Azure i use UDR to route traffic out of the cloudguard. 

I then have an LoadBalancer forwarding the traffic for its extrnal IP to the Cloudguard and then onto the internal zone on a VM.

When i try to connect to the loadbalancer external IP the cloudguard is blocking the connection due to Local interface address spoofing.

How can i get round this issue?

Thanks

3 Replies
Richard_Cove
Contributor
‎2018-12-11 05:32 PM

Probably routing issue, check your UDRs and have you added a route for the internal networks to Gaia?

Something like 

clish –C “set static-route 10.0.2.0/24 nexthop gateway address 10.0.1.1 on”

where 10.0.1.0/24 is the internal subnet

From sk115276

  • Local interface address spoofing drops indicate that the Security Gateway / Cluster member received a packet with a source IP address that belongs to one of the local interfaces on the Security Gateway / Cluster member.

  • Local interface address spoofing

    Understand why there is traffic with source IP address that belongs to one of the interfaces on the Security Gateway / Cluster member.

    Possible reasons:

    • Routing issue:

      The traffic is being returned to the Security Gateway / Cluster from the next hop.
      Traffic will be returned with a source IP address that belongs to the Security Gateway / Cluster.
0 Kudos
d8c70a99-a39f-4
Participant
‎2018-12-13 05:10 AM
In response to Richard_Cove

Ok, so i think i understand the problem, but not how to resolve. 

The issue i think is, that the outbound request from the the VM is routed out of the checkpoint which then hits the public IP of the Loadbalancer. The loadbalancer then NATs the requests back to the Cloudguard which then NAT's onto the destination VM (WebServer) which is also set to route all traffic out of the checkpoint.

So it think it this issue "Understand why there is traffic with source IP address that belongs to one of the interfaces on the Security Gateway / Cluster member."

Problem is how do i fix it? I want all traffic to be routed out of the checkpoint for all subnets, but also want to be able to NAT traffic from the loadbalancer to other endpoints via the checkpoint?

Help!

0 Kudos
Matthias_Haas
Advisor
‎2018-12-14 04:11 AM
In response to d8c70a99-a39f-4

Hi,

what do you mean by

<which then hits the public IP of the Loadbalancer ?

For outbound traffic, you have to NAT the Source IP into the Checkpoint GW IP which is used as the Backend Pool for the Loadbalancer. The Loadbalancer will then NAT the GW IP into the Public IP. (so do not NAT the internal IP into the Public IP on the FW, which you may have now)

Matthias

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
UPCOMING CLOUDMATES EVENTS
    All CloudMates Events