Iron

Anti-spoofing updating interfaces - lots of changes

I have a couple of situations where traffic is being dropped due to anti-spoofing. From what I read I should update the FW's sense of the network's topology by doing a "Get interfaces with topology". When I try and do this it takes about 20 minutes then presents me with over 500 changes. At that point I wimp out and press "cancel".

Is this because every route would have an entry? - I've got loads of OSPF routes and BGP un-aggregated prefixes in my routing table.

If I try and install 500 changes is this ok? I worry that if it goes wrong or I am doing this wrong then 500 changes is a hell of a lot to walk back from.

0 Kudos
3 Replies
Sapphire

I would ask TAC for help with this issue!

0 Kudos
Admin

It will create a bunch of objects and groups that represent every route in your routing table for internal networks, yes.

There is a feature in R80.20+ gateways that will allow the anti-spoofing to be configured automatically based on the routing table.
Might be a good reason to upgrade if you haven't already.
0 Kudos
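A simplified model of route-derived anti-spoofing topology, added here as an illustration; it is not Check Point's code and was not posted by anyone in the thread. The routing table, interface names and function names are constructed; the sketch shows why many un-aggregated routes become many per-interface entries, how collapsing prefixes shrinks that count, and how a source with no matching entry behind its interface ends up dropped.

```python
import ipaddress
from collections import defaultdict

# Constructed sample routing table: (destination prefix, egress interface).
# Interface names and prefixes are made up for illustration.
ROUTES = [
    ("10.1.0.0/24", "eth1"), ("10.1.1.0/24", "eth1"),
    ("10.1.2.0/24", "eth1"), ("10.1.3.0/24", "eth1"),
    ("172.16.5.0/24", "eth2"), ("172.16.9.0/24", "eth2"),
    ("192.168.40.0/25", "eth2"), ("192.168.40.128/25", "eth2"),
    ("0.0.0.0/0", "eth0"),
]

def topology_from_routes(routes):
    """Group routed prefixes by interface; the default route marks the external side."""
    topo, external = defaultdict(list), set()
    for prefix, ifname in routes:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0:
            external.add(ifname)
        else:
            topo[ifname].append(net)
    return dict(topo), external

def collapsed(topo):
    """Merge adjacent/overlapping prefixes so each interface needs fewer entries."""
    return {i: list(ipaddress.collapse_addresses(n)) for i, n in topo.items()}

def is_spoofed(src, in_if, topo, external):
    """Simplified check: on an internal interface the source must be routed behind it;
    on an external interface it must not belong to any internal interface."""
    addr = ipaddress.ip_address(src)
    behind = {i for i, nets in topo.items() if any(addr in n for n in nets)}
    if in_if in external:
        return bool(behind)
    return in_if not in behind

if __name__ == "__main__":
    topo, ext = topology_from_routes(ROUTES)
    merged = collapsed(topo)
    for ifname in sorted(topo):
        print(ifname, len(topo[ifname]), "routes ->", len(merged[ifname]), "entries")
    print("10.1.2.7 on eth2 spoofed?", is_spoofed("10.1.2.7", "eth2", merged, ext))
```
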
Iron

Thanks.

I'm currently on R80.30

At some point in the future I'll no longer have all the 100s of routes when we disconnect from a partner.... I might wait until then.

<taking the low-risk option...>

0 Kudos