Create a Post
Showing results for 
Search instead for 
Did you mean: 

Anti spoofing Yes or No

Hello together 
On many Labs as well for the CSSA Lab i have seen the configuration Example that allways onyl one Nework is connected to a seperate  Interface on the Firewall like the following Example.

Vlan 2 Network default Gateway ist Interface G0/1 on Firewall (DMZ1)
Vlan 3 Network default Gateway ist Interface G0/2 on Firewall (DMZ2)

Vlan 10 Network default Gateway ist Interface G0/0 on Firewall (Management)

The Physical Eviorment is a PC who have 8x Networks Port on it, (using Vmware Worksation, with Hostbased Connection to the Layer 3 Switch, ever Port is on a seperate Vlan, like VLAN2, 3 and 10.
The default Route on the Firewall is to Interface Outside Address from the ISP.
If I rember well until Anti Spoofing is enabled on the Managment Interface of the FIrewall he will only acept Traffic from this Network in this Exapmle and not from the other Networks like and

No Traffic will go to the Internet or between the DMZ Networks, as well Antispoofing is disabel on the other Interaces.
On my Laver 3 Switch I have configure all SVI (Switch Virtuel Interfaces ) with x.x.x.253/24 who have a default Route to Managment Interface of the Firewall.
Maybe the Picture 1 on the Attachment explane the Situation easyer.
What is now the Question.
Can the Traffic only pass when Anispoffing is disable beween the DMZ and Managment Interfaces ?
Or is the Traffic blocked until the Objects (Networks) and Policys are in place?

Best regards

3 Replies

One of the greatest new features in R80.20 is the ability to calculate the topology based on routing. I believe this *should* resolve issues with Anti-Spoofing like the scenario you described above. 

If you are running R80.20, you should be able to configure the topology using Network Defined By Routes and not run into issues. Others, please correct me if my understanding of this is incorrect!


You can always use "Specific" in Antispoofing settings and define a group consisting of all the networks and objects that should communicate through the gateway.

You still have to define the rules permitting that traffic though, properly configured antispoofing settings simply allow it to be subjected to the security policy.


Hello Daniel
This Networks are direct Connected, so I think there is no need for Routing Option ?.
Best regards

0 Kudos


Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events