
Show Address Spoofing Networks via CLI

This CLI command shows you the address spoofing networks as a list and the IP settings per interface. Type this command on the security gateway.

 

Last version  - command:

 

ifconfig -a |grep -B 1 inet |grep encap| awk '{print $1}' | grep -v lo | grep -v ":" | grep -v ^lo | xargs -I % sh -c 'echo %;echo -n " VIP "; cphaprob -a if |grep %|grep -v U|grep -v D | cut -c16-| tr -d "\r\n" ;echo;echo -n " IP ";ifconfig % | grep "inet addr" | cut -d ":" -f 2 | cut -d " " -f 1;echo -n " Mask " ;ifconfig % | sed -rn "2s/ .*:(.*)$/\1/p";echo -en " ANTISPOOFING ENABLED:\t";more $FWDIR/state/local/FW1/local.set |grep -A 30 % | grep has_addr_info | cut -c17- | tr \) " " |sort -ng| uniq ; echo -en " ANTISPOOFING MODE:\t"; if [ `more $FWDIR/state/local/FW1/local.set |grep -A 30 % | grep monitor_only | cut -c16- | tr \) " " |sort -ng| uniq| grep -o false` ]; then echo "PREVENT"; else echo "DETECT"; fi; echo -en " ANTISPOOFING TOPO:\t"; if [ `more $FWDIR/state/local/FW1/local.set |grep -A 30 % | grep external | cut -c12- | tr \) " " |sort -ng| uniq| grep -o true` ]; then echo "External"; else echo "Internal"; fi;echo " ADDRESS SPOOFING NETWORKS:";more $FWDIR/state/local/FW1/local.set | grep -A 30 %|grep ": (\""|sort -ng| uniq |tr \(\)\<\>\:\" \ ;echo " "'

 

Now you can see the states of:

- ANTISPOOFING ENABLED

- ANTISPOOFING MODE

- ANTISPOOFING TOPO  

 

 

Old versions:

 

27.06.2018 change "|grep -o false" issue and add TOPO

ifconfig -a |grep -B 1 inet |grep encap| awk '{print $1}' | grep -v lo | grep -v ":" | grep -v ^lo | xargs -I % sh -c 'echo %;echo -n " VIP "; cphaprob -a if |grep %|grep -v U|grep -v D | cut -c16-| tr -d "\r\n" ;echo;echo -n " IP ";ifconfig % | grep "inet addr" | cut -d ":" -f 2 | cut -d " " -f 1;echo -n " Mask " ;ifconfig % | sed -rn "2s/ .*:(.*)$/\1/p";echo -en " ANTISPOOFING ENABLED:\t";more $FWDIR/state/local/FW1/local.set |grep -A 30 % | grep has_addr_info | cut -c17- | tr \) " " |sort -ng| uniq ; echo -en " ANTISPOOFING MODE:\t"; if [ `more $FWDIR/state/local/FW1/local.set |grep -A 30 % | grep monitor_only | cut -c16- | tr \) " " |sort -ng| uniq` ]; then echo "PREVENT"; else echo "DETECT"; fi;echo " ADDRESS SPOOFING NETWORKS:";more $FWDIR/state/local/FW1/local.set | grep -A 30 %|grep ": (\""|sort -ng| uniq |tr \(\)\<\>\:\" \ ;echo " "'

25 Replies

Re: Show Address Spoofing Networks via CLI

Hi Heiko,

It's a very nice command.

Perhaps this can be extended even further:
ethtool settings - speed, duplex,... 

Re: Show Address Spoofing Networks via CLI

Nice command!

Silvia_Day
Nickel

Re: Show Address Spoofing Networks via CLI

Hi Heiko,

I've been looking for this for years.

Thanks, I'll give you a badge.

THX

Silvia

Re: Show Address Spoofing Networks via CLI

This one-liner is very helpful. Can you also add routes for the interface? This makes it easier to see which networks are missing.

Til_Hall
Ivory

Re: Show Address Spoofing Networks via CLI

Nice

Re: Show Address Spoofing Networks via CLI

Thanks to Danny Jung (One-liner for Address Spoofing Troubleshooting) for the inspiration and to Timothy Hall (CLI Anti-Spoofing Information) for the info.

THX

Heiko

Re: Show Address Spoofing Networks via CLI

Is it possible to add more interface settings:

- ethtool speed, duplex, driver,...

- routes

...

Regi_Suhm
Ivory

Re: Show Address Spoofing Networks via CLI

Nice!

Re: Show Address Spoofing Networks via CLI

Nice command :)

Re: Show Address Spoofing Networks via CLI

LOL - Nice command.

Re: Show Address Spoofing Networks via CLI

Glad to see such a great tool.  Also wanted to mention this SK detailing a situation in which performing a "Get Interfaces WITHOUT Topology" will change the antispoofing state from Disabled to Enabled (with Prevent) on firewall interfaces!  Needless to say this can result in some unexpected issues:

sk136372: Get Interfaces without topology resets anti-spoofing to Enabled/Prevent

This may necessitate disabling gateway anti-spoofing enforcement "on the fly" as detailed in my presentation here:

Best of CheckMates CLI 

The fix for this issue was rolled into R80.10 GA Jumbo HFA 154:

R80.10: New Jumbo Hotfix (Take 154) GA-Release 

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com

Re: Show Address Spoofing Networks via CLI

Hey buddy. Was this tested with R77.30 as well or just R80.10? On one of my old clusters that runs R77.30 it returned a ton of false results as it greps too far when looking for spoofing subnets. Maybe worth adding a note if it only works or was tested on R80.10 :) Or even better, doesn't run on R77.30

To give you an example

but with the current command following 30 lines you will get 2 extra subnets reported:

reducing grep search to 25 lines helps but I'm not too sure how it would behave in case you had a very long list of subnets :)

might need to re-think the approach for filtering those subnets :)

0 Kudos
Danny
Jade

Re: Show Address Spoofing Networks via CLI

Did you test with this One-liner as well?

Re: Show Address Spoofing Networks via CLI

Also Mgmt interface may return a lot of rubbish as it may match string "Mgmt" in the file, it's a fairly common string

Better is to add leading bracket

0 Kudos
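
Both problems raised in the replies above (the fixed `grep -A 30` window running into the next interface's block, and an interface name matching as a substring elsewhere in the file) go away if the block header is matched exactly and the block is bounded by parenthesis depth. This is an added example, not code from any post in this thread; the sample input is constructed and the nesting of a real local.set is an assumption, as are the function names.

```shell
# Constructed sample: mimics only the line shapes the one-liners grep for.
# The layout of a real local.set is assumed, not copied from a gateway.
sample_local_set() {
cat <<'EOF'
(
  :ifs (
    : (eth1
      :ipaddr (10.1.1.1)
      :has_addr_info (true)
      :monitor_only (false)
      :external (false)
      :interface_topology (
        : ("<10.1.1.0, 10.1.1.255>")
      )
    )
    : (eth1.10
      :ipaddr (10.1.10.1)
      :has_addr_info (true)
      :monitor_only (true)
      :external (false)
      :interface_topology (
        : ("<10.1.10.0, 10.1.10.255>")
        : ("<172.16.0.0, 172.16.255.255>")
      )
    )
  )
)
EOF
}

# Fixed-window approach from the thread: substring match plus 30 trailing lines.
naive_count() { grep -A 30 "$2" "$1" | grep -c ': ("'; }

# spoof_nets FILE IFNAME: print ranges from the block whose header is exactly
# ": (IFNAME", stopping when the parenthesis depth returns to the header's level.
spoof_nets() {
    awk -v ifname="$2" '
    { line = $0; opens = gsub(/[(]/, "", line); closes = gsub(/[)]/, "", line) }
    !inblk && NF == 2 && $1 == ":" && $2 == "(" ifname { inblk = 1; base = depth }
    inblk && /: [(]"</ {
        r = $0; sub(/^[^<]*</, "", r); sub(/>.*$/, "", r); sub(/, */, " - ", r)
        print r
    }
    { depth += opens - closes; if (inblk && depth <= base) exit }
    ' "$1"
}

f=$(mktemp); sample_local_set > "$f"; spoof_nets "$f" eth1; rm -f "$f"
```

On a gateway the first argument would be $FWDIR/state/local/FW1/local.set; check the output against the topology shown in the management GUI before relying on it.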

Re: Show Address Spoofing Networks via CLI

Much better! I thought there was another one but this one came as top search... :)

Danny
Jade

Re: Show Address Spoofing Networks via CLI

Why search when it's already integrated within our ccc script?


0 Kudos

Re: Show Address Spoofing Networks via CLI

I had it on some but not this particular cluster  

0 Kudos
Sven_Glock
Silver

Re: Show Address Spoofing Networks via CLI

Very nice one-liner! Thumbs up!

Is there a chance to move R&D to implement a simple command for this?

Re: Show Address Spoofing Networks via CLI

Great command, certainly very useful.

As an aside, can either this command be adapted, or is there an alternative for pulling this information from a VS or VR on VSX? I am right in thinking the local.set file contains only the interface configuration for the VSX GW and not the VRs or VSs.

Thanks,

Re: Show Address Spoofing Networks via CLI

Hi, I prefer using Danny Jung's one-liner for getting spoofing info. So it will work on any VS as long as you set vsenv x environment beforehand manually

echo; egrep -B1 $'ifindex|:ipaddr|\(\x22<[0-9]|has_addr_info|:monitor_only|:external' $FWDIR/state/local/FW1/local.set | sed 's/[\x22\t()<>]//g' | sed 's/--//g' | sed 'N;s/\n:ipaddr6/ IPv6/;P;D' | sed '/IPv6/!s/://g' | sed 's/interface_topology/\tCalculated Interface Topology/g' | sed '0,/ifindex 0/{/ifindex 0/d;}' | sed '/ifindex 0/q' | sed '/spoof\|scan/d' | sed 's/has_addr_info true/\tAddress Spoofing Protection: Enabled/g' | sed 's/has_addr_info false/\tAddress Spoofing Protection: Disabled/g' | sed -e '/Prot/{n;d}' | sed 'N;s/\nmonitor_only true/ (Detect Mode)/;P;D' | sed 'N;s/\nmonitor_only false/ (Prevent Mode)/;P;D' | sed 'N;s/\nexternal false/ - Internal Interface/;P;D' | sed 'N;s/\nexternal true/ - External Interface/;P;D' | tac | sed '/ifindex 0/I,+2 d' | sed '/Address/,$!d' | tac | sed '/ifindex/d' | sed 's/,/ -/g' | sed 'N;s/\nipaddr/ >/;P;D' | sed '/ - /s/^ /\t/' | egrep -C 9999 --color=auto $'>|IPv6|External|Disabled|Detect'

0 Kudos

Re: Show Address Spoofing Networks via CLI

Thanks Kaspars.

I did have the vsenv set to the correct environment, but I was running Danny Jung's CCC script, and running the command through there, which must default to the VS 0.

Works a treat when run directly. Thanks! :)

Danny
Jade

Re: Show Address Spoofing Networks via CLI

ccc v4.1 will add VSX-capabilities and allow for switching between the VS's in order to run commands in their specific VS-context. I was already aware of the current VS0 limitation. Now that I see that there is more public demand for context-aware commands I'll put more efforts into it.

Re: Show Address Spoofing Networks via CLI

Awesome!

0 Kudos

Re: Show Address Spoofing Networks via CLI

Coming soon!

0 Kudos

Re: Show Address Spoofing Networks via CLI

Helpful, thank you!

0 Kudos