Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted

Show Address Spoofing Networks via CLI

This CLI command shows you the address spoofing networks as list and the IP settings per interface. Type this command on security gateway.

 

Last version  - command:

 

ifconfig -a |grep -B 1 inet |grep encap| awk '{print $1}' | grep -v lo | grep -v ":" | grep -v ^lo | xargs -I % sh -c 'echo %;echo -n " VIP "; cphaprob -a if |grep %|grep -v U|grep -v D | cut -c16-| tr -d "\r\n" ;echo;echo -n " IP ";ifconfig % | grep "inet addr" | cut -d ":" -f 2 | cut -d " " -f 1;echo -n " Mask " ;ifconfig % | sed -rn "2s/ .*:(.*)$/\1/p";echo -en " ANTISPOOFING ENABLED:\t";more $FWDIR/state/local/FW1/local.set |grep -A 30 % | grep has_addr_info | cut -c17- | tr \) " " |sort -ng| uniq ; echo -en " ANTISPOOFING MODE:\t"; if [ `more $FWDIR/state/local/FW1/local.set |grep -A 30 % | grep monitor_only | cut -c16- | tr \) " " |sort -ng| uniq| grep -o false` ]; then echo "PREVENT"; else echo "DETECT"; fi; echo -en " ANTISPOOFING TOPO:\t"; if [ `more $FWDIR/state/local/FW1/local.set |grep -A 30 % | grep external | cut -c12- | tr \) " " |sort -ng| uniq| grep -o true` ]; then echo "External"; else echo "Internal"; fi;echo " ADDRESS SPOOFING NETWORKS:";more $FWDIR/state/local/FW1/local.set | grep -A 30 %|grep ": (\""|sort -ng| uniq |tr \(\)\<\>\:\" \ ;echo " "'

 

Now you can see the states of:

- ANTISPOOFING ENABLED

- ANTISPOOFING MODE

- ANTISPOOFING TOPO  

 

 

Old versions:

 

27.06.2018 change "|grep -o false" issue and add TOPO

ifconfig -a |grep -B 1 inet |grep encap| awk '{print $1}' | grep -v lo | grep -v ":" | grep -v ^lo | xargs -I % sh -c 'echo %;echo -n " VIP "; cphaprob -a if |grep %|grep -v U|grep -v D | cut -c16-| tr -d "\r\n" ;echo;echo -n " IP ";ifconfig % | grep "inet addr" | cut -d ":" -f 2 | cut -d " " -f 1;echo -n " Mask " ;ifconfig % | sed -rn "2s/ .*:(.*)$/\1/p";echo -en " ANTISPOOFING ENABLED:\t";more $FWDIR/state/local/FW1/local.set |grep -A 30 % | grep has_addr_info | cut -c17- | tr \) " " |sort -ng| uniq ; echo -en " ANTISPOOFING MODE:\t"; if [ `more $FWDIR/state/local/FW1/local.set |grep -A 30 % | grep monitor_only | cut -c16- | tr \) " " |sort -ng| uniq` ]; then echo "PREVENT"; else echo "DETECT"; fi;echo " ADDRESS SPOOFING NETWORKS:";more $FWDIR/state/local/FW1/local.set | grep -A 30 %|grep ": (\""|sort -ng| uniq |tr \(\)\<\>\:\" \ ;echo " "'

34 Replies
Highlighted

Hi Heiko,

It's a very nice command.

Perhaps this can be extended even further:
ethtool settings - speed, duplex,... 

Highlighted

Nice command!

Highlighted
Nickel

Hi Heiko,

I've been looking for this for years.

Thanks, I'll give you a badge.

THX

Silvia

Highlighted

This one-liner is very helpful. Can you also add routes for the interface? This makes it easier to see which networks are missing.

Highlighted
Ivory

Nice

Highlighted

Thanks to Danny Jung (One-liner for Address Spoofing Troubleshooting) for the inspiration and to Timothy Hall  (CLI Anti-Spoofing Information ) for the infos.

THX

Heiko

Highlighted

Is ist possible to add more interface settings:

- ethtool speed, duplex, driver,...

- routes

...

Highlighted

Nice!

Highlighted

Nice commandSmiley Happy.

Highlighted

LOL - Nice command.

Highlighted

Glad to see such a great tool.  Also wanted to mention this SK detailing a situation in which performing a "Get Interfaces WITHOUT Topology" will change the antispoofing state from Disabled to Enabled (with Prevent) on firewall interfaces!  Needless to say this can result in some unexpected issues:

sk136372: Get Interfaces without topology resets anti-spoofing to Enabled/Prevent

This may necessitate disabling gateway anti-spoofing enforcement "on the fly" as detailed in my presentation here:

Best of CheckMates CLI 

The fix for this issue was rolled into R80.10 GA Jumbo HFA 154:

R80.10: New Jumbo Hotfix (Take 154) GA-Release 

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

R80.40 addendum for book "Max Power 2020" now available
for free download at http://www.maxpowerfirewalls.com
Highlighted

Hey buddy. Was this tested with R77.30 as well or just R80.10? On one of my old clusters that runs R77.30 it returned ton of false results as it greps too far when looking for spoofing subnets. Maybe worth adding a note if it only works or was tested on R80.10 Smiley Happy Or even better, doesn't run on R77.30

To give you an example

but with the current command following 30 lines you will get 2 extra subnets reported:

reducing grep search to 25 lines helps but I'm not too sure how would it behave in case you had very long list of subnets Smiley Happy

might need to re-think the approach for filtering those subnets Smiley Happy

0 Kudos
Highlighted

Also Mgmt interface may return a lot of rubbish as it may match string "Mgmt" in the file, it's a fairly common string

Better is to add leading bracket

0 Kudos
Highlighted

Much better! I though there was another one but this one came as top search... Smiley Happy

Highlighted

I had it on some but not this particular cluster  

0 Kudos
Highlighted
Silver

Very nice one-liner! Thumbs up!

Is there a chace to move R&D to implement a simple command for this?

Highlighted

Great command, certainly very useful.

As an aside, can either this command be adapted, or is there an alternative for pulling this information from a VS or VR on VSX? I am right in thinking the local.set file contains only the interface configuration for the VSX GW and not the VRs or VSs.

Thanks,

Highlighted

Hi, I prefer using Danny Jung one-liner for getting spoofing info. So it will work on any VS as long as you set vsenv x environment beforehand manually

echo; egrep -B1 $'ifindex|:ipaddr|\(\x22<[0-9]|has_addr_info|:monitor_only|:external' $FWDIR/state/local/FW1/local.set | sed 's/[\x22\t()<>]//g' | sed 's/--//g' | sed 'N;s/\n:ipaddr6/ IPv6/;P;D' | sed '/IPv6/!s/://g' | sed 's/interface_topology/\tCalculated Interface Topology/g' | sed '0,/ifindex 0/{/ifindex 0/d;}' | sed '/ifindex 0/q' | sed '/spoof\|scan/d' | sed 's/has_addr_info true/\tAddress Spoofing Protection: Enabled/g' | sed 's/has_addr_info false/\tAddress Spoofing Protection: Disabled/g' | sed -e '/Prot/{n;d}' | sed 'N;s/\nmonitor_only true/ (Detect Mode)/;P;D' | sed 'N;s/\nmonitor_only false/ (Prevent Mode)/;P;D' | sed 'N;s/\nexternal false/ - Internal Interface/;P;D' | sed 'N;s/\nexternal true/ - External Interface/;P;D' | tac | sed '/ifindex 0/I,+2 d' | sed '/Address/,$!d' | tac | sed '/ifindex/d' | sed 's/,/ -/g' | sed 'N;s/\nipaddr/ >/;P;D' | sed '/ - /s/^ /\t/' | egrep -C 9999 --color=auto $'>|IPv6|External|Disabled|Detect'

Highlighted

Thanks Kaspars.

I did have the vsenv set to the correct environment, but I was running Danny Jungs CCC script, and running the command through there, which must default to the VS 0.

Works a treat when ran directly. Thanks! Smiley Happy

Highlighted

Awesome!

0 Kudos
Highlighted

Coming soon!

0 Kudos
Highlighted

Helpful, thank you!

0 Kudos
Highlighted

Hello Heiko
Thank you for the command . can you also create a similar script for ipv6 objects
0 Kudos
Highlighted
Employee
Employee

This is an interesting one-liner. I think considering the length of this, it might be better to make it into a script. That way it can be aliased for people who want to use this often.

0 Kudos
Highlighted
Admin
Admin

I think the reason Heiko did it this way so it would be easy to cut/paste onto any system.
That said, I see benefit to it being a script.
0 Kudos
Highlighted
Employee
Employee

It would also gain the ability to adapt to where it is being run from if it was a script (some checks for VSX or any other system that we might need to treat differently). I'll play with this next week. 

0 Kudos
Highlighted

I've modified slightly to improve internal code styling (consistent use of spaces in pipelines, for example) and to improve code correctness (I have an incredibly weird firewall which hits basically every edge case ever; this version works on it). One specific correctness change I made was wrapping the "VIP" section in a test to see if we're on a cluster in the first place. That whole line should now be silently omitted when run on a non-clustered firewall.

The other big one relates to the awk nightmare in the middle. The problem I ran into is $FWDIR/state/local/FW1/local.set contains data for both members of a cluster, not just the member you're on. Rather than dumping the contents and parsing them repeatedly, I try to get just the lines for the interface we want, and just on the member we're running on. My awk-fu is weak, so I'm sure that expression's correctness can be improved. Still, it's a bit better than just deduplicating, since interfaces can have different exact configuration. This is the expression I was playing with before I had to put this down for a while:

awk "/^: \(@$/,(/^: \([^\)]+$/ && ! /^: \(@$/)" $FWDIR/state/local/FW1/local.set

It returns both instances of the interface from the local.set file, and I'm not sure yet how to filter it to just the one I want.

Here is my modified version of the whole script as a one-liner:

interfaceAddress="";interfaceData="";ifconfig -a | grep -B 1 inet | grep encap | awk '{print $1}' | grep -v lo | grep -v ":" | xargs -I @ sh -c 'echo @;if [ $(cpprod_util FwIsHighAvail) -ne 0 ]; then printf " VIP %s\n" $(cphaprob -a if | egrep "^@ +[0-9]" | awk "{print $2}");fi;interfaceAddress=$(ifconfig "@" | grep "inet addr" | cut -d ":" -f 2 | cut -d " " -f 1);printf " IP %s\n" $interfaceAddress;printf " Mask %s\n" $(ifconfig "@" | sed -rn "2s/ .*:(.*)$/\1/p");interfaceData=$(awk "/^:ipaddr \(${interfaceAddress}\)/,/^:mss_value \([0-9]+\)/" $FWDIR/state/local/FW1/local.set);echo -en " ANTISPOOFING ENABLED:\t";echo "${interfaceData}" | grep has_addr_info | cut -c17- | tr \) " ";echo -en " ANTISPOOFING MODE:\t";echo "${interfaceData}" | grep monitor_only | grep false > /dev/null;if [ "$?" -eq 0 ];then echo "Prevent";else echo "Detect";fi;echo -en " ANTISPOOFING TOPO:\t";echo "${interfaceData}" | grep external | grep true > /dev/null;if [ "$?" -eq 0 ];then echo "External";else echo "Internal";fi;echo " ADDRESS SPOOFING NETWORKS:";echo "${interfaceData}" | grep ": (\"" | sort -ng | uniq | tr \(\)\<\>\:\" \ ;echo ""'

 

The attached text file is the same script broken out into many lines to make the internal logic flow more obvious.

0 Kudos
Highlighted


Thanks for this command. I added this into a script file and changed the following:

ifconfig -a $1

So it's also possible to only get the Output on a specified interface, for example "scriptname eth1"

--------------------------------------------------------------------------------------------------

more $FWDIR/state/local/FW1/local.set | grep -A 30 \(%

Added \( before %, because there were strange outputs on the Sync and Mgmt Interfaces

Here is the one liner again to insert into a script or run as command by changing $1 (at the beginning) to the specified interface:


ifconfig -a $1|grep -B 1 inet |grep encap| awk '{print $1}' | grep -v lo | grep -v ":" | grep -v ^lo | xargs -I % sh -c 'echo %;echo -n " VIP "; cphaprob -a if |grep %|grep -v U|grep -v D | cut -c16-| tr -d "\r\n" ;echo;echo -n " IP ";ifconfig % | grep "inet addr" | cut -d ":" -f 2 | cut -d " " -f 1;echo -n " Mask " ;ifconfig % | sed -rn "2s/ .*:(.*)$/\1/p";echo -en " ANTISPOOFING ENABLED:\t";more $FWDIR/state/local/FW1/local.set |grep -A 30 \(% | grep has_addr_info | cut -c17- | tr \) " " |sort -ng| uniq ; echo -en " ANTISPOOFING MODE:\t"; if [ `more $FWDIR/state/local/FW1/local.set |grep -A 30 \(% | grep monitor_only | cut -c16- | tr \) " " |sort -ng| uniq| grep -o false` ]; then echo "PREVENT"; else echo "DETECT"; fi; echo -en " ANTISPOOFING TOPO:\t"; if [ `more $FWDIR/state/local/FW1/local.set |grep -A 30 \(% | grep external | cut -c12- | tr \) " " |sort -ng| uniq| grep -o true` ]; then echo "External"; else echo "Internal"; fi;echo " ADDRESS SPOOFING NETWORKS:";more $FWDIR/state/local/FW1/local.set | grep -A 30 \(%|grep ": (\""|sort -ng| uniq |tr \(\)\<\>\:\" \ ;echo " "'

0 Kudos
Highlighted

Is there a best practice/admin guide around anti-spoofing?

It has been a thorn in my side ever since taking on the firewalls a few years ago.  Invariably, it would start blocking traffic and we'd just have to turn it off.  And that doesn't thrill me any.

I'd like to get it fixed and fixed correctly in the coming year.

0 Kudos