This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
RichUK
Contributor
‎2022-02-02 02:06 AM

Defining a 10.0.0.0/8 Internal Network

Hi all,

I'm still relatively new to the management of our firewalls so please excuse the basic question, plus the original staff who set it up do not work for us anymore.

Prior to the lockdown, our firewalls were setup with an internal and external bond, with a couple of DMZ's trunked in the internal bond. Our internal network uses an 10x address space, DMZ's 192.168.x etc. There is a static route on the firewall for all 10 addresses to go to our core internal router. The internal interface was setup with a  'Defined By Routes' topology.

internal_nic.jpg

For lockdown we needed a VPN solution (our Cisco ASA's were only licences for 750 users) and checkpoint was seen as the quickest way to implement a solution for 3000 users.

The office mode IP range setup with an available subnet in our 10x address space. 

Internal.jpg

For the VPN clients to work (and also a couple of site-to-sites that also use a 10.x address), I needed to bypass Anti-Spoofing on the external interface using an exclude group with a list of vpn subnets.

In a lab, I have found that the anti-spoofing only detects a spoofed address if there (in our case) is a static route that covers the incoming IP address. For example, I setup a site-to-site to a 172.16.0.0 network on the firewall and there was no need to put an Anti-Spoof bypass with the remote side using a 10 address. I then put a static route on the firewall for that same 172.16 subnet and then my site-to-site was blocked by Anti-Spoofing.

My question is, have we got the interface for our 10.x/8 defined correctly and using the Anti-Spoof disable option correctly for the VPN clients?

Many thanks.

Rich

0 Kudos
5 Replies
Chris_Atkinson
Employee Employee
Employee
‎2022-02-02 02:12 AM

How did you exclude the office mode range from anti-spoofing since that is the basis for your question ...

CCSM R77/R80/ELITE
0 Kudos
RichUK
Contributor
‎2022-02-02 02:17 AM
In response to Chris_Atkinson

Hi @Chris_Atkinson 

We setup an exclude group and only added the VPN subnets in the exclude site, this was then set in the Anti-Spoofing option for our external interface.

antisp.jpg

0 Kudos
RichUK
Contributor
‎2022-02-02 02:18 AM
In response to RichUK

Sorry, it isn't an exclude group, just a standard group.

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2022-02-02 04:39 AM
In response to RichUK

Ok thanks, just wanted to check that there wasn't any confusion with the following option.

officemode-as.png

CCSM R77/R80/ELITE
0 Kudos
RichUK
Contributor
‎2022-02-02 06:13 AM
In response to Chris_Atkinson

hi @Chris_Atkinson 

I have checked the gateway > VPN Clients > Office Mode and Anti-Spoofing is also enabled. Looking at the help it says that if the addresses are allocated from DHCP to add the range here. Therefore, is it best to select the VPN Office Mode IP range in this option and remove the Office Mode range from the external interface? I take it I would still need the networks for the site-to-site's in the external interface Anti-Spoof exclude group.

anti_vpn.jpg

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events