This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ruan_Kotze
Advisor
‎2020-05-13 11:52 PM

Some office mode traffic dropped due to anti spoof

Hi All,

I have a scenario whereby only some traffic from office mode IP's is being dropped by antispoof.

Symptoms:

Some connection from the client works fine, e.g. DNS traffic, https intranet etc.  Some traffic however is being dropped, with anti spoofing on the external interface given as the reason.  Specifically, the traffic being dropped is RADmin.  The other observation is that all allowed traffic shows up as being encrypted in the RemoteAccess community, whereas the dropped traffic does not.  In all cases the source IP is the same.  All was working until about two weeks ago, with no apparent changes done.

 What I have verified:

  • Back Connections enabled
  • NAT disabled to / from Office mode IPs
  • Office-Mode anti spoofing enabled
  • Office-mode IPs are excluded from external interface anti spoof

The one red flag is that for this specific user the gateway is handing out an IP address that is included in the gateway's encryption domain (via ipassignment.conf).

Environment is running R80.30 take 191.

Any pointers would be appreciated.

Ruan

 

 

0 Kudos
8 Replies
Timothy_Hall
Champion
Champion
‎2020-05-14 07:06 AM

Office Mode addresses assigned to Remote Access clients should not appear in the VPN Domain of the firewall.  However you can work around this by going to the Topology Settings screen of the external interface, checking the Antispoofing box "Don't check packets from", and then put in the Office Mode IP block(s).

Updated 2023 IPS/AV/ABOT R81.20 Course now
available at maxpowerfirewalls.com
0 Kudos
Ruan_Kotze
Advisor
‎2020-05-14 08:36 AM
In response to Timothy_Hall

Hi Timothy,

Thanks for your response, very satisfied buyer of both your books! 

We did exclude the OM IP's on the external interface.  The intriguing thing is that only *some* traffic from the client is dropped.

Regards,
Ruan

0 Kudos
Timothy_Hall
Champion
Champion
‎2020-05-14 08:39 AM
In response to Ruan_Kotze

Please provide the redacted log card, is it inbound antispoofing or outbound antispoofing that is dropping it?

Updated 2023 IPS/AV/ABOT R81.20 Course now
available at maxpowerfirewalls.com
0 Kudos
Ruan_Kotze
Advisor
‎2020-05-18 02:42 AM
In response to Timothy_Hall

Hi Timothy,

Apologies for the delayed response.

It's inbound antispoofing that's dropping the traffic, on the external interface of the gateway.  Host 172.16.100.109 is the OM IP, 172.16.200.222 is the internal host.

The traffic that is being dropped by AS is replies to traffic originating from inside.  If I do a unsolicited connection from the OM IP to inside, it works fine.

Below is one of the AS logs:

Time:                    2020-05-18T07:26:39Z

Interface Direction:     inbound

Interface Name:          eth7

Id Generated By Indexer: false

First:                   true

Sequencenum:             245

Source:                  172.16.100.109

Source Port:             4899

Destination:             172.16.200.222

Destination Port:        53637

IP Protocol:             6

Message Information:     Address spoofing

Session ID:              0

Destination Machine Name:172.16.200.222

Action:                  Drop

Type:                    Log

Policy Date:             2020-05-18T07:12:00Z

Blade:                   Firewall

Origin:                  xxxx

Service:                 TCP/53637

Product Family:          Access

Interface:               eth7

Description:             TCP/53637 Traffic Dropped from xxxx (172.16.100.109) to xxxx (172.16.200.222)

Thanks,
Ruan

0 Kudos
Timothy_Hall
Champion
Champion
‎2020-05-18 08:21 AM
In response to Ruan_Kotze

Do you have an automatic Hide NAT defined for the 172.16.100.0/24 object or whatever the OM IP range is?

I'm suspecting you may have something else wrong that is keeping this specific connectivity from working beyond just your antispoofing drops, which may only be a symptom.  If you disable gateway antispoofing enforcement "on the fly" as detailed in the article below, do those connections start working?  My guess is they won't...

https://community.checkpoint.com/t5/Access-Control-Products/can-anyone-tell-me-the-correct-command-t...

 

Updated 2023 IPS/AV/ABOT R81.20 Course now
available at maxpowerfirewalls.com
0 Kudos
Ruan_Kotze
Advisor
‎2020-05-18 08:46 AM
In response to Timothy_Hall

Hi Timothy,

No NAT taking place to / from OM ranges, verified this multiple times.  

If I disable anti-spoofing on either the external interface or even just within the cluster object's VPN clients settings traffic flows normally and as expected (disabling either one of the two causes traffic to flow).

Has to be said, I've implemented this multiple times without issue, and I also did a similiar test in my lab over the weekend just to see if it's perhaps an issue with Take 191 - but worked perfectly.  Will escalate to TAC tomorrow.

Thanks for taking the time to respond, much appreciated!

Thanks,
Ruan

0 Kudos
Juan_
Collaborator
‎2020-07-01 09:23 AM
In response to Ruan_Kotze

Hi Ruan,

I'm facing something similar. What was the fix for you in the end?

Regards
0 Kudos
Ruan_Kotze
Advisor
‎2020-07-01 10:48 PM
In response to Juan_

It boiled down to two things for us, either disable anti-spoofing on in the cluster object's VPN clients settings or hand out a OM IP range that did not overlap with the encryption domain. We changed the OM IP range, that seemed the better way to go long-term.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫