Re: Anti-spoofing updating interfaces - lots of ch...

Rccou · ‎2020-03-03

I have a couple of situation where traffic is being dropped due to anti-spoofing. From what i read i should update the FW's sense of the network's topology by doing a "Get interfaces with topology". When i try and do this it takes about 20 minutes then presents me with over 500 changes. At that point i wimp out and press "cancel".

Is this because every route would have an entry? - I've got loads of OSPF routes and BGP un-aggregrated prefixes in my routing table.

If i try and install 500 changes is this ok? I worry that if it goes wrong or i am doing this wrong then 500 changes is a hell of a lot to walk back from.

G_W_Albrecht · ‎2020-03-03

I would ask TAC for help with this issues !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

PhoneBoy · ‎2020-03-03

It will create a bunch of objects and groups that represent every route in your routing table for internal networks, yes.

There is a feature in R80.20+ gateways that will allow the anti-spoofing to be configured automatically based on routing table.
Might be a good reason to upgrade if you haven't already.

RCCO · ‎2020-03-04

Thanks.

I'm currently on R80.30

At some point in the future i'll no longer have all the 100's of routes when we disconnect from a partner.... I might wait until then.

Are you a member of CheckMates?

Anti-spoofing updating interfaces - lots of changes