
Show Address Spoofing Networks via CLI

This CLI command shows you the address spoofing networks as a list and the IP settings per interface. Type this command on the security gateway.

 

Latest version - command:

 

ifconfig -a |grep -B 1 inet |grep encap| awk '{print $1}' | grep -v lo | grep -v ":" | grep -v ^lo | xargs -I % sh -c 'echo %;echo -n " VIP "; cphaprob -a if |grep %|grep -v U|grep -v D | cut -c16-| tr -d "\r\n" ;echo;echo -n " IP ";ifconfig % | grep "inet addr" | cut -d ":" -f 2 | cut -d " " -f 1;echo -n " Mask " ;ifconfig % | sed -rn "2s/ .*:(.*)$/\1/p";echo -en " ANTISPOOFING ENABLED:\t";more $FWDIR/state/local/FW1/local.set |grep -A 30 % | grep has_addr_info | cut -c17- | tr \) " " |sort -ng| uniq ; echo -en " ANTISPOOFING MODE:\t"; if [ `more $FWDIR/state/local/FW1/local.set |grep -A 30 % | grep monitor_only | cut -c16- | tr \) " " |sort -ng| uniq| grep -o false` ]; then echo "PREVENT"; else echo "DETECT"; fi; echo -en " ANTISPOOFING TOPO:\t"; if [ `more $FWDIR/state/local/FW1/local.set |grep -A 30 % | grep external | cut -c12- | tr \) " " |sort -ng| uniq| grep -o true` ]; then echo "External"; else echo "Internal"; fi;echo " ADDRESS SPOOFING NETWORKS:";more $FWDIR/state/local/FW1/local.set | grep -A 30 %|grep ": (\""|sort -ng| uniq |tr \(\)\<\>\:\" \ ;echo " "'

 

Now you can see the states of:

- ANTISPOOFING ENABLED

- ANTISPOOFING MODE

- ANTISPOOFING TOPO  

 

 

Old versions:

 

27.06.2018 change "|grep -o false" issue and add TOPO

ifconfig -a |grep -B 1 inet |grep encap| awk '{print $1}' | grep -v lo | grep -v ":" | grep -v ^lo | xargs -I % sh -c 'echo %;echo -n " VIP "; cphaprob -a if |grep %|grep -v U|grep -v D | cut -c16-| tr -d "\r\n" ;echo;echo -n " IP ";ifconfig % | grep "inet addr" | cut -d ":" -f 2 | cut -d " " -f 1;echo -n " Mask " ;ifconfig % | sed -rn "2s/ .*:(.*)$/\1/p";echo -en " ANTISPOOFING ENABLED:\t";more $FWDIR/state/local/FW1/local.set |grep -A 30 % | grep has_addr_info | cut -c17- | tr \) " " |sort -ng| uniq ; echo -en " ANTISPOOFING MODE:\t"; if [ `more $FWDIR/state/local/FW1/local.set |grep -A 30 % | grep monitor_only | cut -c16- | tr \) " " |sort -ng| uniq` ]; then echo "PREVENT"; else echo "DETECT"; fi;echo " ADDRESS SPOOFING NETWORKS:";more $FWDIR/state/local/FW1/local.set | grep -A 30 %|grep ": (\""|sort -ng| uniq |tr \(\)\<\>\:\" \ ;echo " "'

30 Replies

Re: Show Address Spoofing Networks via CLI

Hi Heiko,

It's a very nice command.

Perhaps this can be extended even further:
ethtool settings - speed, duplex,... 

Re: Show Address Spoofing Networks via CLI

Nice command!

Silvia_Day
Nickel

Re: Show Address Spoofing Networks via CLI

Hi Heiko,

I've been looking for this for years.

Thanks, I'll give you a badge.

THX

Silvia

Re: Show Address Spoofing Networks via CLI

This one-liner is very helpful. Can you also add routes for the interface? This makes it easier to see which networks are missing.

Til_Hall
Ivory

Re: Show Address Spoofing Networks via CLI

Nice

Re: Show Address Spoofing Networks via CLI

Thanks to Danny Jung (One-liner for Address Spoofing Troubleshooting) for the inspiration and to Timothy Hall (CLI Anti-Spoofing Information) for the info.

THX

Heiko

Re: Show Address Spoofing Networks via CLI

Is it possible to add more interface settings:

- ethtool speed, duplex, driver,...

- routes

...

Re: Show Address Spoofing Networks via CLI

Nice!

Re: Show Address Spoofing Networks via CLI

Nice command :)

Re: Show Address Spoofing Networks via CLI

LOL - Nice command.

Re: Show Address Spoofing Networks via CLI

Glad to see such a great tool.  Also wanted to mention this SK detailing a situation in which performing a "Get Interfaces WITHOUT Topology" will change the antispoofing state from Disabled to Enabled (with Prevent) on firewall interfaces!  Needless to say this can result in some unexpected issues:

sk136372: Get Interfaces without topology resets anti-spoofing to Enabled/Prevent

This may necessitate disabling gateway anti-spoofing enforcement "on the fly" as detailed in my presentation here:

Best of CheckMates CLI 

The fix for this issue was rolled into R80.10 GA Jumbo HFA 154:

R80.10: New Jumbo Hotfix (Take 154) GA-Release 

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com

Re: Show Address Spoofing Networks via CLI

Hey buddy. Was this tested with R77.30 as well or just R80.10? On one of my old clusters that runs R77.30 it returned a ton of false results as it greps too far when looking for spoofing subnets. Maybe worth adding a note if it only works or was tested on R80.10 :) Or even better, doesn't run on R77.30

To give you an example

but with the current command following 30 lines you will get 2 extra subnets reported:

reducing the grep search to 25 lines helps but I'm not too sure how it would behave in case you had a very long list of subnets :)

might need to re-think the approach for filtering those subnets :)

0 Kudos
Danny
Pearl

Re: Show Address Spoofing Networks via CLI

Did you test with this One-liner as well?

Re: Show Address Spoofing Networks via CLI

Also Mgmt interface may return a lot of rubbish as it may match string "Mgmt" in the file, it's a fairly common string

Better is to add leading bracket

0 Kudos
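The two problems raised in the replies above (a fixed `grep -A 30` window reading into the next interface, and an interface name such as "Mgmt" matching as a substring) can both be avoided by matching the name exactly and stopping at the closing parenthesis of that interface's block. This is an added example, not part of any poster's command or of Check Point's tooling; the sample file layout and the `valid_addrs` key are assumptions constructed around the field names the one-liners grep for, so compare them with a real `$FWDIR/state/local/FW1/local.set` first.

```shell
# Constructed sample, not a real gateway file. The layout and the
# "valid_addrs" key are assumptions; only the field names come from the page.
sample_local_set() { cat <<'EOF'
(
  :interface_topology (
    : (eth1
      :has_addr_info (true)
      :monitor_only (false)
      :external (false)
      :valid_addrs (
        : ("<10.1.1.0, 10.1.1.255>")
      )
    )
    : (eth10
      :has_addr_info (true)
      :monitor_only (true)
      :external (true)
      :valid_addrs (
        : ("<0.0.0.0, 10.1.0.255>")
        : ("<10.1.2.0, 255.255.255.255>")
      )
    )
  )
)
EOF
}

# antispoof_for IFACE: read the file on stdin, report only that interface.
antispoof_for() {
  awk -v ifc="$1" '
  function bare(s) { gsub(/[()<>",]/, "", s); return s }
  done { next }
  {
    line = $0
    opens = gsub(/\(/, "(", line); closes = gsub(/\)/, ")", line)
    # Exact match: "(eth1" must be the whole field, so eth10 is not hit.
    if (!inblk && NF == 2 && $1 == ":" && $2 == ("(" ifc)) inblk = 1
    if (!inblk) next
    if ($1 == ":has_addr_info") print "enabled=" bare($2)
    if ($1 == ":monitor_only") print "mode=" (bare($2) == "true" ? "detect" : "prevent")
    if ($1 == ":external") print "topology=" (bare($2) == "true" ? "external" : "internal")
    if ($2 ~ /^\("</) print "range=" bare($2) "-" bare($3)
    depth += opens - closes
    if (depth <= 0) done = 1   # block closed, however long it was
  }'
}

sample_local_set | antispoof_for eth1
```

On a gateway the input would be the real file instead of the sample, for example `antispoof_for eth1 < $FWDIR/state/local/FW1/local.set`, once the assumed layout has been checked against it.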

Re: Show Address Spoofing Networks via CLI

Much better! I thought there was another one but this one came as top search... :)

Danny
Pearl

Re: Show Address Spoofing Networks via CLI

Why search when it's already integrated within our ccc script?


0 Kudos

Re: Show Address Spoofing Networks via CLI

I had it on some but not this particular cluster  

0 Kudos
Sven_Glock
Silver

Re: Show Address Spoofing Networks via CLI

Very nice one-liner! Thumbs up!

Is there a chance to move R&D to implement a simple command for this?

Re: Show Address Spoofing Networks via CLI

Great command, certainly very useful.

As an aside, can either this command be adapted, or is there an alternative for pulling this information from a VS or VR on VSX? I am right in thinking the local.set file contains only the interface configuration for the VSX GW and not the VRs or VSs.

Thanks,

Re: Show Address Spoofing Networks via CLI

Hi, I prefer using Danny Jung's one-liner for getting spoofing info. So it will work on any VS as long as you set the vsenv x environment beforehand manually

echo; egrep -B1 $'ifindex|:ipaddr|\(\x22<[0-9]|has_addr_info|:monitor_only|:external' $FWDIR/state/local/FW1/local.set | sed 's/[\x22\t()<>]//g' | sed 's/--//g' | sed 'N;s/\n:ipaddr6/ IPv6/;P;D' | sed '/IPv6/!s/://g' | sed 's/interface_topology/\tCalculated Interface Topology/g' | sed '0,/ifindex 0/{/ifindex 0/d;}' | sed '/ifindex 0/q' | sed '/spoof\|scan/d' | sed 's/has_addr_info true/\tAddress Spoofing Protection: Enabled/g' | sed 's/has_addr_info false/\tAddress Spoofing Protection: Disabled/g' | sed -e '/Prot/{n;d}' | sed 'N;s/\nmonitor_only true/ (Detect Mode)/;P;D' | sed 'N;s/\nmonitor_only false/ (Prevent Mode)/;P;D' | sed 'N;s/\nexternal false/ - Internal Interface/;P;D' | sed 'N;s/\nexternal true/ - External Interface/;P;D' | tac | sed '/ifindex 0/I,+2 d' | sed '/Address/,$!d' | tac | sed '/ifindex/d' | sed 's/,/ -/g' | sed 'N;s/\nipaddr/ >/;P;D' | sed '/ - /s/^ /\t/' | egrep -C 9999 --color=auto $'>|IPv6|External|Disabled|Detect'

0 Kudos

Re: Show Address Spoofing Networks via CLI

Thanks Kaspars.

I did have the vsenv set to the correct environment, but I was running Danny Jung's CCC script, and running the command through there, which must default to the VS 0.

Works a treat when run directly. Thanks! :)

Danny
Pearl

Re: Show Address Spoofing Networks via CLI

ccc introduced VSX-capabilities in v4.4 and allows for switching between the VS's in order to run commands in their specific VS-context.

Re: Show Address Spoofing Networks via CLI

Awesome!

0 Kudos

Re: Show Address Spoofing Networks via CLI

Coming soon!

0 Kudos

Re: Show Address Spoofing Networks via CLI

Helpful, thank you!

0 Kudos

Re: Show Address Spoofing Networks via CLI

Hello Heiko
Thank you for the command. Can you also create a similar script for IPv6 objects?
0 Kudos
Employee

Re: Show Address Spoofing Networks via CLI

This is an interesting one-liner. I think considering the length of this, it might be better to make it into a script. That way it can be aliased for people who want to use this often.

0 Kudos
Admin

Re: Show Address Spoofing Networks via CLI

I think the reason Heiko did it this way is so it would be easy to cut/paste onto any system.
That said, I see benefit to it being a script.
0 Kudos
Employee

Re: Show Address Spoofing Networks via CLI

It would also gain the ability to adapt to where it is being run from if it was a script (some checks for VSX or any other system that we might need to treat differently). I'll play with this next week. 

0 Kudos