Tomas_S_
Iron

Disable "Local interface address spoofing"


Hello,

we have a setup, where all the traffic is mirrored to the Checkpoint 5800 (via SPAN port).

Management and mirrored traffic interfaces both have "Anti Spoofing: Disabled",

however, since CP receives mirror of all the traffic (including one from its management interface), logs are filled with

message_info:"Local interface address spoofing" messages

(the MAC address of the mirrored packet is that of the router, not CP device).

How can we disable check for "Local interface address spoofing"?

Running R80.20.

1 Solution

Accepted Solutions

Re: Disable "Local interface address spoofing"


fw ctl set int fw_local_interface_anti_spoofing 0

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
5 Replies
Danny
Jade

Re: Disable "Local interface address spoofing"


In SmartLog, just enter: not spoofing

Tomas_S_
Iron

Re: Disable "Local interface address spoofing"


Wouldn't that only filter output in the view?

We are using cp_log_export, to export logs via syslog, and these are flooded with 

---

2018-11-07T11:49:58+02:00 local0.info 11.11.11.11 1: 2018-11-07T09:49:54Z ids-n2 CheckPoint 29740 - [action:"Drop"; alert:"alert"; flags:"401408"; ifdir:"inbound"; ifname:"eth1-01"; loguid:"{0x0,0x0,0x0,0x0}"; origin:"11.11.11.11"; originsicname:"cn=cp_mgmt,o=ids-n2.xx.xx.fpp84p"; sequencenum:"530"; time:"1541584194"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={637D2E66-C60F-4646-BD66-FDB8148F5F42};mgmt=ids-n2;date=1541582377;policy_name=Standard\]"; dst:"23.60.24.21"; message_info:"Local interface address spoofing"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"38149"; service:"80"; src:"11.11.11.11"; ] 

...

---

messages


Re: Disable "Local interface address spoofing"


fw ctl set int fw_local_interface_anti_spoofing 0

Tomas_S_
Iron

Re: Disable "Local interface address spoofing"


Operation succeeded, but messages "Local interface address spoofing" still pour into the fw.log.

# fw ctl set int fw_local_interface_anti_spoofing 0
Set operation succeeded

# fw ctl get int fw_local_interface_anti_spoofing
fw_local_interface_anti_spoofing = 0

# sim feature anti_spoofing off; fwaccel off; fwaccel on

Command 'sim feature' has been replaced. Use 'fwaccel feature' instead.

SecureXL device disabled.

# fwaccel feature anti_spoofing off
Invalid feature 'anti_spoofing'
Usage: fwaccel feature <name> {on|off|get}

Available features: sctp

I've also set:

# fw ctl set int fw_antispoofing_enabled = 0

Tomas_S_
Iron

Re: Disable "Local interface address spoofing"


After checkpoint reboot the issue is solved: there are no longer spoofing messages in the logs.

Thank You
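
To confirm from the cp_log_export syslog stream that the "Local interface address spoofing" records have actually stopped after the change, the exported lines can be parsed and summarized. This is an added example, not part of the thread or of Check Point's tooling; the sample records are constructed in the layout quoted above, and the function names are hypothetical.

```python
import re
from collections import Counter
from datetime import datetime, timezone

SPOOF_MSG = "Local interface address spoofing"
# key:"value" pairs; values may contain ';', '[' and backslash escapes such as '\]',
# so splitting a record on ';' would cut __policy_id_tag apart.
FIELD_RE = re.compile(r'(\w+):"((?:[^"\\]|\\.)*)"')

# Constructed sample records (documentation-range addresses, made-up times).
SAMPLE = [
    r'2018-11-07T09:49:54Z gw CheckPoint 29740 - [action:"Drop"; ifdir:"inbound"; ifname:"eth1-01"; time:"1541584194"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={X};mgmt=gw;policy_name=Standard\]"; dst:"198.51.100.21"; message_info:"Local interface address spoofing"; src:"192.0.2.11"; ]',
    r'2018-11-07T09:50:00Z gw CheckPoint 29740 - [action:"Accept"; ifdir:"inbound"; ifname:"eth1-01"; time:"1541584200"; dst:"198.51.100.21"; src:"192.0.2.50"; service:"443"; ]',
    r'2018-11-07T09:51:00Z gw CheckPoint 29740 - [action:"Drop"; ifdir:"inbound"; ifname:"eth1-01"; time:"1541584260"; dst:"198.51.100.30"; message_info:"Local interface address spoofing"; src:"192.0.2.11"; ]',
]

def parse_fields(line):
    """Return the key/value pairs from the bracketed part of one exported log line."""
    start = line.find("[")
    return dict(FIELD_RE.findall(line[start + 1:])) if start != -1 else {}

def spoofing_summary(lines):
    """Count local-interface spoofing drops per (ifname, src) and find the latest one."""
    counts, last = Counter(), None
    for line in lines:
        f = parse_fields(line)
        if f.get("message_info") != SPOOF_MSG:
            continue
        counts[(f.get("ifname", "?"), f.get("src", "?"))] += 1
        ts = int(f["time"]) if f.get("time", "").isdigit() else None
        if ts is not None and (last is None or ts > last):
            last = ts
    return counts, last

def still_logging(lines, changed_at):
    """True if any spoofing record is newer than the epoch time the setting was changed."""
    _, last = spoofing_summary(lines)
    return last is not None and last > changed_at

if __name__ == "__main__":
    counts, last = spoofing_summary(SAMPLE)
    for (ifname, src), n in counts.most_common():
        print(f"{n:6d}  {ifname}  {src}")
    if last is not None:
        print("latest:", datetime.fromtimestamp(last, timezone.utc).isoformat())
```

Feeding `still_logging` the lines received after the change (or after the reboot) together with the change time gives a yes/no answer instead of eyeballing the stream.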