Alexander_Baue1
Contributor

Anti spoofing Yes or No

Hello together 
In many labs, as well as in the CCSA lab, I have seen configuration examples where always only one network is connected to a separate interface on the firewall, like the following example.

VLAN 2, network 10.2.1.0/24, default gateway is 10.2.1.254, interface G0/1 on the firewall (DMZ1)
VLAN 3, network 10.3.1.0/24, default gateway is 10.3.1.254, interface G0/2 on the firewall (DMZ2)

VLAN 10, network 10.10.1.0/24, default gateway is 10.10.1.254, interface G0/0 on the firewall (Management)


The physical environment is a PC which has 8 network ports (using VMware Workstation, with a host-based connection to the layer 3 switch; every port is on a separate VLAN, like VLAN 2, 3 and 10).
The default route on the firewall is 0.0.0.0 0.0.0.0 to 192.168.1.1, the outside interface address from the ISP.
If I remember well, as long as anti-spoofing is enabled on the management interface of the firewall it will only accept traffic from this network, in this example 10.10.1.0/24, and not from the other networks like 10.2.1.0/24 and 10.3.1.0/24.

No traffic will go to the Internet or between the DMZ networks; also, anti-spoofing is disabled on the other interfaces.
On my layer 3 switch I have configured all SVIs (switch virtual interfaces) with x.x.x.253/24, which have a default route to the management interface of the firewall.
Maybe picture 1 in the attachment explains the situation more easily.
Now the question is:
Can the traffic only pass when anti-spoofing is disabled between the DMZ and management interfaces?
Or is the traffic blocked until the objects (networks) and policies are in place?

Best regards
Alexander

3 Replies
Daniel_Taney
Advisor

One of the greatest new features in R80.20 is the ability to calculate the topology based on routing. I believe this *should* resolve issues with Anti-Spoofing like the scenario you described above. 

If you are running R80.20, you should be able to configure the topology using Network Defined By Routes and not run into issues. Others, please correct me if my understanding of this is incorrect!

R80 CCSA / CCSE
Vladimir
Champion

You can always use "Specific" in Antispoofing settings and define a group consisting of all the networks and objects that should communicate through the gateway.

You still have to define the rules permitting that traffic though; properly configured anti-spoofing settings simply allow it to be subjected to the security policy.
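To illustrate the two-stage behaviour Vladimir describes, here is an added Python model of this thread's lab (my own example, not Check Point code): a packet is first checked against the interface's anti-spoofing topology, and only if it passes does the rule base decide. The topology, the "Specific" group on the management interface and the one-line rule base are constructed assumptions.

```python
import ipaddress

# Constructed model of the lab in this thread (not Check Point's own code):
# the switch SVIs route the DMZ VLANs to the Management interface G0/0, so
# packets arrive there with DMZ source addresses. "specific" holds the
# networks of a "Specific" anti-spoofing group when one is defined.
TOPOLOGY = {
    "G0/0": {"net": "10.10.1.0/24", "specific": None},  # Management
    "G0/1": {"net": "10.2.1.0/24", "specific": None},   # DMZ1
    "G0/2": {"net": "10.3.1.0/24", "specific": None},   # DMZ2
}

# Hypothetical rule base: (source, destination, action), first match wins;
# an implicit cleanup rule drops everything else.
RULEBASE = [("10.2.1.0/24", "0.0.0.0/0", "accept")]  # DMZ1 to the Internet

def expected_sources(iface, topology):
    """Sources anti-spoofing accepts on iface: the Specific group if set,
    otherwise just the network derived from the interface's own address."""
    entry = topology[iface]
    return [ipaddress.ip_network(n) for n in (entry["specific"] or [entry["net"]])]

def anti_spoofing_ok(iface, src_ip, topology):
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in expected_sources(iface, topology))

def policy_action(src_ip, dst_ip, rulebase):
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule_src, rule_dst, action in rulebase:
        if src in ipaddress.ip_network(rule_src) and dst in ipaddress.ip_network(rule_dst):
            return action
    return "drop"

def gateway_decision(iface, src_ip, dst_ip, topology=TOPOLOGY, rulebase=RULEBASE):
    """Anti-spoofing is evaluated first; only packets that pass it reach the rule base."""
    if not anti_spoofing_ok(iface, src_ip, topology):
        return "dropped: anti-spoofing"
    if policy_action(src_ip, dst_ip, rulebase) == "accept":
        return "accepted"
    return "dropped: rule base"

def with_specific_group(topology):
    """Topology copy where Management's anti-spoofing uses a Specific group of all three VLANs."""
    widened = {name: dict(entry) for name, entry in topology.items()}
    widened["G0/0"]["specific"] = ["10.10.1.0/24", "10.2.1.0/24", "10.3.1.0/24"]
    return widened
```

With the default topology a DMZ1 source arriving on G0/0 is dropped as spoofed; with the Specific group it passes anti-spoofing, but a DMZ2 source is still dropped by the rule base because no rule permits it.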

Alexander_Baue1
Contributor

Hello Daniel
These networks are directly connected, so I think there is no need for the routing option?
Best regards
Alexander
