This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Alexander_Baue1
Contributor
‎2018-12-21 08:33 AM

Anti spoofing Yes or No

Hello together 
On many Labs as well for the CSSA Lab i have seen the configuration Example that allways onyl one Nework is connected to a seperate  Interface on the Firewall like the following Example.

Vlan 2 Network 10.2.1.0/24 default Gateway ist 10.2.1.254 Interface G0/1 on Firewall (DMZ1)
Vlan 3 Network 10.3.1.0/24 default Gateway ist 10.3.1.254 Interface G0/2 on Firewall (DMZ2)

Vlan 10 Network 10.10.1.0/24 default Gateway ist 10.10.1.254 Interface G0/0 on Firewall (Management)


The Physical Eviorment is a PC who have 8x Networks Port on it, (using Vmware Worksation, with Hostbased Connection to the Layer 3 Switch, ever Port is on a seperate Vlan, like VLAN2, 3 and 10.
The default Route on the Firewall is  0.0.0.0 0.0.0.0 to 192.168.1.1 Interface Outside Address from the ISP.
If I rember well until Anti Spoofing is enabled on the Managment Interface of the FIrewall he will only acept Traffic from this Network in this Exapmle 10.10.1.0/24 and not from the other Networks like 10.2.1.0/24 and 10.3.1.0/24.

No Traffic will go to the Internet or between the DMZ Networks, as well Antispoofing is disabel on the other Interaces.
On my Laver 3 Switch I have configure all SVI (Switch Virtuel Interfaces ) with x.x.x.253/24 who have a default Route to Managment Interface of the Firewall.
Maybe the Picture 1 on the Attachment explane the Situation easyer.
What is now the Question.
Can the Traffic only pass when Anispoffing is disable beween the DMZ and Managment Interfaces ?
Or is the Traffic blocked until the Objects (Networks) and Policys are in place?

Best regards
Alexander

Preview file
219 KB
3 Replies
Daniel_Taney
Advisor
‎2018-12-21 08:43 AM

One of the greatest new features in R80.20 is the ability to calculate the topology based on routing. I believe this *should* resolve issues with Anti-Spoofing like the scenario you described above. 

If you are running R80.20, you should be able to configure the topology using Network Defined By Routes and not run into issues. Others, please correct me if my understanding of this is incorrect!

R80 CCSA / CCSE
Vladimir
Champion
Champion
‎2018-12-21 10:57 AM

You can always use "Specific" in Antispoofing settings and define a group consisting of all the networks and objects that should communicate through the gateway.

You still have to define the rules permitting that traffic though, properly configured antispoofing settings simply allow it to be subjected to the security policy.

Alexander_Baue1
Contributor
‎2018-12-25 02:33 AM

Hello Daniel
This Networks are direct Connected, so I think there is no need for Routing Option ?.
Best regards
Alexander

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events