Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Tomas_S_
Participant

Disable "Local interface address spoofing"

Jump to solution

Hello,

we have a setup, where all the traffic is mirrored to the Checkpoint 5800 (via SPAN port).

Management and mirrored traffic interfaces both have "Anti Spoofing: Disabled",

however, since CP receives mirror of all the traffic (including one from its management interface), logs are filled with

message_info:"Local interface address spoofing" messages

(the MAC address of the mirrored packet is that of the router, not CP device).

How can we disable check for "Local interface address spoofing"?

Running R80.20.

1 Solution

Accepted Solutions
Timothy_Hall
Champion
Champion

fw ctl set int fw_local_interface_anti_spoofing 0

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com

View solution in original post

5 Replies
Danny
Champion
Champion

In SmartLog, just enter. not spoofing

0 Kudos
Tomas_S_
Participant

Wouldn't that only filter output in the view?

We are using cp_log_export, to export logs via syslog, and these are flooded with 

---

2018-11-07T11:49:58+02:00 local0.info 11.11.11.11 1: 2018-11-07T09:49:54Z ids-n2 CheckPoint 29740 - [action:"Drop"; alert:"alert"; flags:"401408"; ifdir:"inbound"; ifname:"eth1-01"; loguid:"{0x0,0x0,0x0,0x0}"; origin:"11.11.11.11"; originsicname:"cn=cp_mgmt,o=ids-n2.xx.xx.fpp84p"; sequencenum:"530"; time:"1541584194"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={637D2E66-C60F-4646-BD66-FDB8148F5F42};mgmt=ids-n2;date=1541582377;policy_name=Standard\]"; dst:"23.60.24.21"; message_info:"Local interface address spoofing"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"38149"; service:"80"; src:"11.11.11.11"; ] 

...

---

messages

0 Kudos
Timothy_Hall
Champion
Champion

fw ctl set int fw_local_interface_anti_spoofing 0

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com

View solution in original post

Tomas_S_
Participant

Operation succeded, but messages "Local interface address spoofing" still pour to the fw.log.

# fw ctl set int fw_local_interface_anti_spoofing 0
Set operation succeeded

# fw ctl get int fw_local_interface_anti_spoofing
fw_local_interface_anti_spoofing = 0

# sim feature anti_spoofing off; fwaccel off; fwaccel on

Command 'sim feature' has been replaced. Use 'fwaccel feature' instead.

SecureXL device disabled.

# fwaccel feature anti_spoofing off
Invalid feature 'anti_spoofing'
Usage: fwaccel feature <name> {on|off|get}

Available features: sctp

I've also set:

# fw ctl set int fw_antispoofing_enabled = 0

0 Kudos
Tomas_S_
Participant

After checkpoint reboot the issue is solved: there is no longer spoofing messages in the logs.

Thank You