Dor_Marcovitch
Advisor

Dynamic Routing Anti Spoofing

Hey

1) How can you enforce anti-spoofing on interfaces that learn routes from a dynamic protocol (OSPF / RIP)?

2) I also have one network which is directly connected to the FW, and in a DR scenario someone will shut the interface and this network will fail over to the DR, so I need the FW to be updated accordingly with the anti-spoofing configuration.

FW Version is R77.30

0 Kudos
7 Replies
PhoneBoy
Admin

Antispoofing based on dynamic routing configuration is something that is planned for a later release.

Any updates to the anti-spoofing configuration could be scripted (with the R80.10 API or even with dbedit) but a policy installation is required for it to take effect.

scottikon
Contributor

Is there any further update on this topic? I am struggling to find much information.

 

Thanks

0 Kudos
Bryce_Myers
Collaborator

If you are running 80.20 gateway and management you should be able to select "Network Defined by Routes". I haven't tested this in my environment with dynamic routing.
0 Kudos
scottikon
Contributor

Thank you, 

That is an option we can look to test for one of the interfaces. The other interface is defined as external so I don't have that option. 

0 Kudos
scottikon
Contributor

Thank you. 

This is something we can try on one of our interfaces that is used for BGP. 

The second interface we have is configured as External topology so we don't have the option to select "networks defined by routes". 

We will just have to create a group and manually update that when we know of new subnets that are to be advertised to us. 

Thanks

0 Kudos
Maarten_Sjouw
Champion

I think you should ask yourself the question here: why are you using External on that interface if you still need Anti-Spoofing?
In fact an interface set to external with enabled Anti-Spoofing will just use a scheme that says: anything is allowed that is not defined by all other (non External) interfaces.
Regards, Maarten
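
A simplified model of the check described in the post above, and of the failover case from the original question, as an added example that is not Check Point code and not part of any post. Interface names and address ranges are constructed, and the model covers only the source-address decision.

```python
import ipaddress

# Constructed sample topology: one External interface, two internal ones
# with the networks defined behind them (hypothetical names and ranges).
TOPOLOGY = {
    "eth0": {"external": True, "networks": []},
    "eth1": {"external": False, "networks": ["10.1.0.0/16"]},
    "eth2": {"external": False, "networks": ["10.2.0.0/24"]},
}


def _nets(entry):
    return [ipaddress.ip_network(n) for n in entry["networks"]]


def accepts(topology, iface, src):
    """True if a packet with source `src` arriving on `iface` passes the check."""
    addr = ipaddress.ip_address(src)
    entry = topology[iface]
    if not entry["external"]:
        # Internal interface: source must belong to a network defined behind it.
        return any(addr in net for net in _nets(entry))
    # External interface: anything is allowed that is not defined behind
    # some other, non-External interface.
    for other in topology.values():
        if not other["external"] and any(addr in net for net in _nets(other)):
            return False
    return True


def move_network(topology, network, src_iface, dst_iface):
    """Return a copy of the topology with `network` moved between interfaces.

    Models the manual update needed after a failover when the topology is a
    static group rather than derived from routes.
    """
    new = {k: {"external": v["external"], "networks": list(v["networks"])}
           for k, v in topology.items()}
    new[src_iface]["networks"].remove(network)
    if not new[dst_iface]["external"]:
        new[dst_iface]["networks"].append(network)
    return new


if __name__ == "__main__":
    # 10.2.0.0/24 fails over and now arrives via eth1: dropped until updated.
    print(accepts(TOPOLOGY, "eth1", "10.2.0.9"))
    updated = move_network(TOPOLOGY, "10.2.0.0/24", "eth2", "eth1")
    print(accepts(updated, "eth1", "10.2.0.9"))
```
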
Bryce_Myers
Collaborator

I would agree with Maarten -- You really shouldn't have to define a custom group if you are defining it as an external interface.
0 Kudos
