
Internal firewall anti-spoofing


I have 2 networks separated by a firewall and then an Internet-facing firewall. I am getting anti-spoofing alerts on traffic passing through my internal firewall from the Internet.

Topology looks something like this

Network-A >>> InternalFW >>>> Network-B >>>>> internetFW >>>>>> Internet

On the Network-B facing interfaces on both firewalls I have only my Network-B networks defined in the topology. I assume on the InternalFW I need to add the internet to the topology on the interface connected to Network-B? 

To not mess up anti-spoofing on the internetFW I assume I would create separate network groups for my topology on the internal and internet firewalls?

Thank you for any advice you can give.


Re: Internal firewall anti-spoofing

You are correct, topology for InternalFW's interface on Network-B should be Internet.
For InternetFW, the topology for the interface on Network-B should also include Network-A.

Re: Internal firewall anti-spoofing

So before I make any changes the topology would look like ...

InternalFW Network-B side, (Network-B nets, Internet)

InternetFW Network-B side, (Network-A nets, Network-B nets)

Thank you,


Re: Internal firewall anti-spoofing

"Internet" means "anything not defined on the other interfaces" so you do not need to include Network-B nets there.

Re: Internal firewall anti-spoofing

So does that mean the interface on the InternalFW going to Network-B is essentially an internal and external interface? In this circumstance, is there even a need for a dedicated external interface?


Re: Internal firewall anti-spoofing

Even if not directly connected to the Internet, if the Internet can potentially be reached through an interface, it should be marked as external.
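The replies above come down to one rule about how a firewall validates the source address of each packet per ingress interface: an interface with an explicit topology accepts only sources inside its listed networks, while an interface marked as leading to the Internet ("External") accepts any source that is not defined on one of the firewall's other interfaces. The following is an added example, not code from the thread or from any vendor product: a simplified Python model of that check, with the poster's topology before and after the advised change. The firewall and interface objects, the interface names, and all addresses are constructed assumptions for illustration.

```python
"""Added illustration: a simplified model of per-interface anti-spoofing.

An interface is either INTERNAL, with an explicit list of networks whose
addresses may appear as packet sources on it, or EXTERNAL ("Internet"),
meaning any source address that is not defined on one of the other
interfaces of the same firewall. This is a teaching model, not a vendor's
implementation. All addresses and names are constructed sample data.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Interface:
    name: str
    # None marks EXTERNAL topology; a list marks explicit INTERNAL networks.
    networks: Optional[List] = None


@dataclass
class Firewall:
    name: str
    interfaces: Dict[str, Interface] = field(default_factory=dict)

    def add(self, name: str, networks: Optional[List[str]] = None) -> "Firewall":
        nets = None if networks is None else [ip_network(n) for n in networks]
        self.interfaces[name] = Interface(name, nets)
        return self

    def allowed(self, iface_name: str, src: str) -> bool:
        """Anti-spoofing verdict for a packet with source `src` entering `iface_name`."""
        iface = self.interfaces[iface_name]
        addr = ip_address(src)
        if iface.networks is None:
            # EXTERNAL: anything not owned by another interface is legitimate here.
            others = [n for i in self.interfaces.values()
                      if i.name != iface_name for n in (i.networks or [])]
            return not any(addr in n for n in others)
        # INTERNAL: the source must belong to one of this interface's networks.
        return any(addr in n for n in iface.networks)


# Constructed sample addressing for the thread's topology.
NETWORK_A = ["10.1.0.0/16"]
NETWORK_B = ["10.2.0.0/16"]
INTERNET_HOST = "203.0.113.5"   # an arbitrary Internet source
HOST_A = "10.1.5.5"             # a host on Network-A


def build_before() -> Dict[str, Firewall]:
    """The poster's starting point: the Network-B side of both firewalls lists only Network-B."""
    internal = Firewall("InternalFW").add("eth-A", NETWORK_A).add("eth-B", NETWORK_B)
    internet = Firewall("InternetFW").add("eth-B", NETWORK_B).add("eth-inet")
    return {"InternalFW": internal, "InternetFW": internet}


def build_after() -> Dict[str, Firewall]:
    """The advised topology: InternalFW's Network-B interface is External,
    and InternetFW's Network-B interface also lists Network-A."""
    internal = Firewall("InternalFW").add("eth-A", NETWORK_A).add("eth-B")
    internet = Firewall("InternetFW").add("eth-B", NETWORK_A + NETWORK_B).add("eth-inet")
    return {"InternalFW": internal, "InternetFW": internet}


if __name__ == "__main__":
    before, after = build_before(), build_after()
    # Internet reply entering InternalFW from the Network-B side: the alert the poster saw.
    print("before:", before["InternalFW"].allowed("eth-B", INTERNET_HOST))  # False
    print("after: ", after["InternalFW"].allowed("eth-B", INTERNET_HOST))   # True
    # A Network-A source entering from the Network-B side is still treated as spoofed.
    print("spoof: ", after["InternalFW"].allowed("eth-B", HOST_A))          # False
    # Network-A traffic reaching InternetFW via Network-B needs Network-A in that topology.
    print("before:", before["InternetFW"].allowed("eth-B", HOST_A))         # False
    print("after: ", after["InternetFW"].allowed("eth-B", HOST_A))          # True
    # An Internet packet forging a Network-A source is dropped on the external interface.
    print("spoof: ", after["InternetFW"].allowed("eth-inet", HOST_A))       # False
```

The point the last two replies make shows up in the model: marking InternalFW's Network-B interface as External does not weaken its anti-spoofing, because External still rejects any source that belongs to a network defined on another interface (here Network-A). What it adds is acceptance of everything else, which is exactly the Internet return traffic that was being alerted on. A real deployment should also keep the InternetFW's external interface free of any internal network definitions, so forged internal sources from the Internet are dropped there, as the final check illustrates.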