Bryce_Myers
Nickel

CLI Anti-Spoofing Information


Does anyone know of a way to see your anti-spoofing configuration per interface on the CLI?

Basically --

  • Anti-Spoofing is Enabled (y/n)
  • Anti-Spoofing Action (Detect/Prevent)
0 Kudos
1 Solution

Accepted Solutions

Re: CLI Anti-Spoofing Information


Look at this article:

Show Address Spoofing Networks via CLI  

Regards

Heiko

13 Replies

Re: CLI Anti-Spoofing Information


Hello, for each interface in the topology you can set the anti-spoofing.

0 Kudos
Bryce_Myers
Nickel

Re: CLI Anti-Spoofing Information


Yes - I know it can be done in the GUI.

I want to know if anyone has found a way to check it on the local gateway.  The GUI is currently very time consuming to audit, but scripting to gateways is very simple.

I'm guessing since it's part of the policy, it won't be super easy to find on the local gateway.

0 Kudos

Re: CLI Anti-Spoofing Information


Hello Bryce, I think this info should be useful:

 

fw ctl set int fw_antispoofing_enabled 0
sim feature anti_spoofing off ; fwaccel off ; fwaccel on

 

fw ctl set int fw_antispoofing_enabled 1
sim feature anti_spoofing on ; fwaccel off ; fwaccel on

This was posted on https://community.checkpoint.com/thread/5319-my-top-3-check-point-cli-commands

Bryce_Myers
Nickel

Re: CLI Anti-Spoofing Information


Isn't that just a global anti-spoofing setting?  I can't tell what the configuration per interface is.

0 Kudos

Re: CLI Anti-Spoofing Information


Hello Pablo,

How can we disable anti spoofing from command line in R80.20?

In R80.20 GA the following command has been removed:

   sim feature anti_spoofing off

[Expert@pa:0]# sim feature anti_spoofing off

        Command 'sim feature' has been replaced. Use 'fwaccel feature' instead.

[Expert@pa:0]# fwaccel feature anti_spoofing off    
Invalid feature 'anti_spoofing'
Usage: fwaccel feature <name> {on|off|get}

Available features: sctp

Any suggestions?

Many thanks.

Kind regards,

Kris

Re: CLI Anti-Spoofing Information


Firewall CLI or R80+ SMS CLI?

--
My Book "Max Power: Check Point Firewall Performance Optimization"
Second Edition Coming Soon

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
0 Kudos
Bryce_Myers
Nickel

Re: CLI Anti-Spoofing Information


Firewall CLI at the moment.

0 Kudos

Re: CLI Anti-Spoofing Information


I don't think there is a direct way to pull this info from the running firewall kernel (I originally thought it could be provided by the sim ranges command), but what you can do is first run fw ctl iflist on the firewall to get the list of interfaces, and then view (not edit!) the firewall's $FWDIR/state/local/FW1/local.set file.  In that file you will find a section called "if_info" and under that "objtype (gw)" and then an indented list of firewall interfaces.  Under each firewall interface you will see two values:

has_addr_info (true|false)

   true: antispoofing enabled on that interface

   false: antispoofing is disabled on that interface


monitor_only (true|false)

   true: antispoofing action is Detect on that interface

   false: antispoofing action is Prevent on that interface

I'm sure someone could script something to pull this info out of the file a bit easier...

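The check described in the reply above, as an added example that is not part of the original thread and is not Check Point tooling: a read-only shell function that reports has_addr_info and monitor_only for each interface block under if_info. The `:name (value)` block layout, the function names and the embedded sample are assumptions constructed from that description, so compare the output against a real local.set before relying on it.

```shell
# Added example: read-only per-interface anti-spoofing report from local.set.
# Assumption: entries look like ":name (value)" and each interface is a block
# opened directly under ":if_info (", as the reply above describes.
antispoof_report() {   # usage: antispoof_report [FILE]
    awk '
    function val(s) { sub(/^[^(]*\(/, "", s); sub(/\).*$/, "", s); return s }
    function pick(v, t, f) { return v == "true" ? t : (v == "false" ? f : "unknown") }
    {
        line = $0; sub(/^[ \t]+/, "", line)
        opens = gsub(/\(/, "(", line); closes = gsub(/\)/, ")", line)
        if (!in_sec && line ~ /^:if_info \(/) { in_sec = 1; sec = depth + 1 }
        else if (in_sec && depth == sec && opens > closes) {
            iface = line                       # block opened directly under if_info
            sub(/^:[ \t]*\(?/, "", iface); sub(/[ \t(]+$/, "", iface)
            has = mon = ""
        } else if (in_sec && iface != "" && depth == sec + 1) {
            if (line ~ /^:has_addr_info \(/) has = val(line)
            if (line ~ /^:monitor_only \(/)  mon = val(line)
        }
        depth += opens - closes
        if (in_sec && iface != "" && depth == sec) {    # interface block closed
            printf "%s enabled=%s action=%s\n", iface, pick(has, "yes", "no"), pick(mon, "Detect", "Prevent")
            iface = ""
        }
        if (in_sec && depth < sec) in_sec = 0           # left the if_info section
    }' "${1:-$FWDIR/state/local/FW1/local.set}"
}
# Constructed sample input (not taken from a real gateway).
sample_local_set() {
    cat <<'EOF'
:if_info (
    :objtype (gw)
    :eth0 (
        :has_addr_info (true)
        :monitor_only (false)
        :interface_topology (
            :constructed_placeholder (true)
        )
    )
    :eth1 (
        :has_addr_info (true)
        :monitor_only (true)
    )
    :eth2 (
        :has_addr_info (false)
    )
)
EOF
}
```

Called with no argument the function reads $FWDIR/state/local/FW1/local.set; a missing value is reported as "unknown" rather than guessed.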
Bryce_Myers
Nickel

Re: CLI Anti-Spoofing Information


Tim - this is great information!  I'm going to build a script to check for these settings on the gateway.

0 Kudos
Admin
Admin

Re: CLI Anti-Spoofing Information


Looking on my R80.10 gateway, for each interface, I also see interface_topology which tells you what subnets are "valid" on a given interface (assuming that's useful to your task).

0 Kudos

Re: CLI Anti-Spoofing Information


Yep, that same $FWDIR/state/local/FW1/local.set on the firewall does show the calculated network topology for each interface as well as the anti-spoofing settings.  Could definitely be handy if there are lots of nested groups specified in the anti-spoofing settings that make figuring out the actual topology (and resulting anti-spoofing enforcement) difficult from the SmartDashboard/SmartConsole.

0 Kudos

Bryce_Myers
Nickel

Re: CLI Anti-Spoofing Information


I think there is an opportunity to leverage GUIDBedit from the management CLI to look at the policy, but even if it's changed in the policy - if it hasn't been deployed, the gateway doesn't actually have the anti-spoofing settings.

0 Kudos