I'm still relatively new to the management of our firewalls so please excuse the basic question, plus the original staff who set it up do not work for us anymore.
Prior to the lockdown, our firewalls were setup with an internal and external bond, with a couple of DMZ's trunked in the internal bond. Our internal network uses an 10x address space, DMZ's 192.168.x etc. There is a static route on the firewall for all 10 addresses to go to our core internal router. The internal interface was setup with a 'Defined By Routes' topology.
For lockdown we needed a VPN solution (our Cisco ASA's were only licences for 750 users) and checkpoint was seen as the quickest way to implement a solution for 3000 users.
The office mode IP range setup with an available subnet in our 10x address space.
For the VPN clients to work (and also a couple of site-to-sites that also use a 10.x address), I needed to bypass Anti-Spoofing on the external interface using an exclude group with a list of vpn subnets.
In a lab, I have found that the anti-spoofing only detects a spoofed address if there (in our case) is a static route that covers the incoming IP address. For example, I setup a site-to-site to a 172.16.0.0 network on the firewall and there was no need to put an Anti-Spoof bypass with the remote side using a 10 address. I then put a static route on the firewall for that same 172.16 subnet and then my site-to-site was blocked by Anti-Spoofing.
My question is, have we got the interface for our 10.x/8 defined correctly and using the Anti-Spoof disable option correctly for the VPN clients?