WhOPP
Participant

Address spoofing

I have a network with 2 gateways; one is CP, the other is Mikrotik.

Mikrotik is in its own VLAN. No access to any part of the CP network.

The network has about 50 VLANs; inter-VLAN routing is done by an L3 switch (no routing for Mikrotik's VLAN).

CP is the GW for all networks except for the VLAN of Mikrotik.

Everything is working fine. I cannot access the Mikrotik VLAN from any CP network and vice versa.

A few days ago I found these logs on CP:

Interface Direction: inbound
Interface Name: eth0
Id Generated By Indexer:false
First: true
Sequencenum: 4
Source: 10.20.0.89 (this is the network that is used for the "Mikrotik network")
Source Port: 4500
Destination: x.x.x.x
Destination Port: 4500
IP Protocol: 17
Message Information: Address spoofing
Action: Detect
Type: Log
Blade: Firewall
Service: UDP/4500
Product Family: Access
Interface: eth0
Description: IKE_NAT_TRAVERSAL Traffic Detected from 10.20.0.89 to x.x.x.x

With x.x.x.x I hid the public IP address of the destination, but it is a legit WAN IP address.

The private IP is always the same (10.20.0.89), which is strange, because there were a few of the same events over a range of a few days (DHCP lease time on Mikrotik is 1 day and I do not use reservations).


Obviously I have some misconfiguration on the network, or someone is doing something bad on the network.

I tried my best to repeat the event, but I can't find a way to do it.

I couldn't find it in the Mikrotik DHCP log, since the lease time released the IP.

How can I find out what is going on? A few users have access to both networks; is it possible that Windows (or software) somehow routes the two networks together? Mikrotik is a WiFi network.

I want to replicate this event, so I will know what is wrong and protect the network.

Is this a misconfiguration of the LAN, a misconfiguration of an endpoint PC, or is someone really spoofing a LAN address?

No other traffic is detected on CP from the "Mikrotik network", only this IP and only IKE_NAT_TRAVERSAL.


0 Kudos
1 Reply
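The two things the question is really asking for are (a) why the Firewall blade calls this packet "Address spoofing" and (b) how to tie a repeating private IP back to a device once the DHCP lease has rolled over. The script below is an added example, not code from this thread or from Check Point: it parses the quoted log record, re-runs the anti-spoofing decision against an assumed interface topology (eth0 external, eth1 internal with a 10.0.0.0/8 summary that happens to contain the Mikrotik VLAN; the thread does not state the real topology), and looks each event time up in a constructed DHCP lease table so that events falling outside any retained lease show up as unattributable.

```python
"""Added example, not code from the CheckMates thread: parse the Check Point
log record quoted in the question, re-run the anti-spoofing decision the
Firewall blade makes against an assumed interface topology, and look the
repeating source IP up in a constructed DHCP lease table."""
import ipaddress
from datetime import datetime, timedelta

# The fields of the record quoted in the question (trimmed to those the
# checks below use; x.x.x.x is the author's redaction of the WAN address).
SAMPLE_LOG = """\
Interface Direction: inbound
Interface Name: eth0
Source: 10.20.0.89
Source Port: 4500
Destination: x.x.x.x
Destination Port: 4500
IP Protocol: 17
Message Information: Address spoofing
Action: Detect
Description: IKE_NAT_TRAVERSAL Traffic Detected from 10.20.0.89 to x.x.x.x
"""

# Assumed topology (the thread does not state it): eth0 faces the Internet and
# eth1 faces the L3 switch, with its topology defined as the 10.0.0.0/8
# summary covering all ~50 VLANs.  The Mikrotik VLAN 10.20.0.0/24 falls inside
# that summary even though the CP never routes to it.
EXTERNAL_IFACE = "eth0"
INTERNAL_TOPOLOGY = {
    "eth1": [ipaddress.ip_network("10.0.0.0/8")],
}


def parse_record(text):
    """Turn the 'Key: value' lines of a log record into a dict."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            record[key.strip()] = value.strip()
    return record


def check_spoofing(record, internal_topology=INTERNAL_TOPOLOGY,
                   external_iface=EXTERNAL_IFACE):
    """Return 'spoofed' or 'ok' for an inbound packet, the way anti-spoofing
    judges it: on the external interface the source must not belong to any
    internal network; on an internal interface it must belong to that
    interface's own networks."""
    if record.get("Interface Direction") != "inbound":
        return "not-checked"
    src = ipaddress.ip_address(record["Source"])
    iface = record["Interface Name"]
    if iface == external_iface:
        internal = [n for nets in internal_topology.values() for n in nets]
        return "spoofed" if any(src in n for n in internal) else "ok"
    allowed = internal_topology.get(iface, [])
    return "ok" if any(src in n for n in allowed) else "spoofed"


# Constructed lease table: (lease start, IP, MAC, hostname).  Only leases still
# present in the retained DHCP log appear here; the 1-day lease time is the one
# the question states.
LEASE_TIME = timedelta(days=1)
DHCP_LEASES = [
    (datetime(2023, 5, 1, 8, 0), "10.20.0.89", "aa:bb:cc:dd:ee:01", "laptop-a"),
    (datetime(2023, 5, 3, 9, 30), "10.20.0.89", "aa:bb:cc:dd:ee:02", "laptop-b"),
]


def lease_holder(ip, when, leases=DHCP_LEASES, lease_time=LEASE_TIME):
    """MAC that held `ip` at time `when`, or None when no retained lease covers
    it (the situation the question describes once the lease expired)."""
    for start, lease_ip, mac, _host in leases:
        if lease_ip == ip and start <= when < start + lease_time:
            return mac
    return None


def investigate(events, record=SAMPLE_LOG):
    """Pair each event time with the anti-spoofing verdict and the lease
    holder, so repeated hits from one IP can be tied to a device."""
    rec = parse_record(record)
    verdict = check_spoofing(rec)
    return [(when, verdict, lease_holder(rec["Source"], when)) for when in events]


if __name__ == "__main__":
    # Constructed event times; the middle one falls in a gap with no retained lease.
    for row in investigate([datetime(2023, 5, 1, 10, 0),
                            datetime(2023, 5, 2, 12, 0),
                            datetime(2023, 5, 3, 10, 0)]):
        print(row)
```

The practical takeaway from the lease lookup is that the DHCP log has to be retained for longer than the lease time (or the lease table exported on a schedule) before the next hit, otherwise the IP in the firewall log cannot be mapped to a MAC after the fact.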
the_rock
Legend

I think below is the key.

Andy

https://supportcenter.us.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&so...

[Attachment: Screenshot_1.png]

I would do some packet captures to make sure the flow of traffic is indeed correct.

0 Kudos
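A packet capture on the gateway answers the part the DHCP log cannot: which link-layer sender put the 10.20.0.89 frames onto eth0. The script below is an added example, not code from this thread or from Check Point; it parses lines in the layout of `tcpdump -nei eth0` output (the `-e` flag prints the Ethernet header) and counts the source MACs seen per source IP. The capture lines are constructed for the example and are not a real trace.

```python
"""Added example, not from the thread: pull the sender MAC for a given source
IP out of `tcpdump -e` style output, the capture step the reply suggests.
The lines below are constructed in that layout; they are not a real capture."""
import re
from collections import Counter

# Constructed lines in the shape of `tcpdump -nei eth0 'udp port 4500'` output
# (plus one unrelated DNS frame to show the filter working).
CAPTURE = """\
10:15:32.104211 aa:bb:cc:dd:ee:01 > 00:1c:7f:00:00:01, ethertype IPv4 (0x0800), length 250: 10.20.0.89.4500 > 203.0.113.5.4500: UDP-encap: ESP(spi=0x0000abcd,seq=0x1), length 208
10:15:33.221873 aa:bb:cc:dd:ee:01 > 00:1c:7f:00:00:01, ethertype IPv4 (0x0800), length 250: 10.20.0.89.4500 > 203.0.113.5.4500: UDP-encap: ESP(spi=0x0000abcd,seq=0x2), length 208
10:15:40.000015 00:1c:7f:00:00:01 > aa:bb:cc:dd:ee:01, ethertype IPv4 (0x0800), length 102: 203.0.113.5.4500 > 10.20.0.89.4500: UDP-encap: ESP(spi=0x0000dcba,seq=0x1), length 60
10:16:01.512000 aa:bb:cc:dd:ee:02 > 00:1c:7f:00:00:01, ethertype IPv4 (0x0800), length 74: 10.10.5.20.51234 > 192.0.2.53.53: 12345+ A? example.com. (32)
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
IPV4 = r"\d+(?:\.\d+){3}"
LINE_RE = re.compile(
    rf"^(?P<ts>\S+) (?P<smac>{MAC}) > (?P<dmac>{MAC}), "
    r"ethertype IPv4 \(0x0800\), length \d+: "
    rf"(?P<sip>{IPV4})\.(?P<sport>\d+) > (?P<dip>{IPV4})\.(?P<dport>\d+): (?P<rest>.*)$"
)


def parse_capture(text):
    """Yield one dict per line that matches the tcpdump -e layout."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def senders_for_ip(text, ip, dport=None):
    """Count the source MACs that sent frames with source IP `ip`,
    optionally restricted to a destination port."""
    counts = Counter()
    for pkt in parse_capture(text):
        if pkt["sip"] == ip and (dport is None or int(pkt["dport"]) == dport):
            counts[pkt["smac"]] += 1
    return dict(counts)


def flow_summary(text):
    """Group frames into (src ip, dst ip, dst port) flows with packet counts."""
    counts = Counter()
    for pkt in parse_capture(text):
        counts[(pkt["sip"], pkt["dip"], int(pkt["dport"]))] += 1
    return dict(counts)


if __name__ == "__main__":
    print(senders_for_ip(CAPTURE, "10.20.0.89", dport=4500))
    print(flow_summary(CAPTURE))
```

The MAC recovered this way is the last hop that handed the frame to eth0 (a switch SVI, the Mikrotik itself, or a host directly on that segment), so the next step is the MAC address table of the switch behind that interface. Seeing two different sender MACs for the same source IP would point at more than one device using the address rather than a single misconfigured endpoint.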