Shehan_Wickrama
Collaborator

Checkpoint 1450 Appliance Drops traffic as Address Spoofing

Hello guys,

I need your help again. We have a locally managed Checkpoint 1450 SMB Appliance and our traffic drops when trying to go to the internet.

I have created a policy that allows users to go to the internet as well.

In my log files I have lots of dropped traffic from the allowed user range, and the log message shows 'Address Spoofing', so my question is how can I enable address spoofing in SMB appliances, or how can I get rid of this message and let the traffic go to the internet.

I'm running the latest OS version of Embedded Gaia and haven't installed any hotfixes at all.

Thanks in Advance,

Shehan

0 Kudos
6 Replies
PhoneBoy
Admin

Anti-spoofing is basically a sanity check the gateway performs to ensure traffic is coming from the correct interface based on the source IP or being routed out the correct destination interface based on destination IP. 

The settings for anti-spoofing depend on whether the SMB device is centrally managed or not.

For centrally managed gateways, it's set on the gateway object on the relevant interface.

For locally managed devices, it's calculated based on the routing table.

For example, the LAN interface should just be the local subnet plus any subnets for which you have routes where the next hop is on the LAN interface.

The WAN interface is "everything but what I expect to see on other interfaces."

Assuming the traffic is dropped on the LAN interface, is the source IP on the same subnet as the LAN interface? If not, is there an explicit route for that IP or subnet configured in 1450 with a next hop of an IP address on the LAN? 

0 Kudos
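The routing-table-based calculation described in the reply above, sketched as an added example that is not part of the original thread and is not Check Point's implementation. It is a simplified model; the routing table, interface names and addresses are constructed assumptions.

```python
import ipaddress

# Constructed routing table (destination, egress interface); all names and
# addresses are illustrative assumptions, not values from the thread.
ROUTES = [
    ("192.168.1.0/24", "LAN1"),  # directly connected LAN subnet
    ("10.20.0.0/16", "LAN1"),    # static route whose next hop sits on the LAN
    ("172.16.5.0/24", "DMZ"),
    ("0.0.0.0/0", "WAN"),        # default route
]
EXTERNAL = "WAN"

def expected_interface(src, routes=ROUTES):
    """Longest-prefix match: the interface the routing table associates with src."""
    addr = ipaddress.ip_address(src)
    matches = [(ipaddress.ip_network(d), i) for d, i in routes
               if addr in ipaddress.ip_network(d)]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def internal_networks(iface, routes=ROUTES):
    """Networks expected behind an internal interface (default route ignored)."""
    return [ipaddress.ip_network(d) for d, i in routes
            if i == iface and ipaddress.ip_network(d).prefixlen > 0]

def antispoof_check(in_iface, src, routes=ROUTES, external=EXTERNAL):
    """Return (allowed, reason) for a packet with source src arriving on in_iface."""
    addr = ipaddress.ip_address(src)
    if in_iface == external:
        # External side: anything except sources that belong behind other interfaces.
        for _, iface in routes:
            if iface != external and any(addr in n for n in internal_networks(iface, routes)):
                return False, f"{src} belongs behind {iface}, not {external}"
        return True, "not an internal source"
    if any(addr in n for n in internal_networks(in_iface, routes)):
        return True, f"{src} is expected behind {in_iface}"
    return False, f"{src} arrived on {in_iface} but routing expects {expected_interface(src, routes)}"

if __name__ == "__main__":
    for iface, src in [("LAN1", "192.168.1.50"), ("LAN1", "10.20.3.4"),
                       ("LAN1", "192.168.50.10"), ("WAN", "192.168.1.50"),
                       ("WAN", "8.8.8.8")]:
        print(iface, src, antispoof_check(iface, src))
```

The third case is the one to look for when troubleshooting such drops: a source that reaches the LAN interface without a matching connected subnet or LAN-side route falls through to the default route, so the model expects it on the WAN side.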
Shehan_Wickrama
Collaborator

Sorry for the late replies, PhoneBoy.

Yes it's in the same subnet as LAN interface.

No there is no explicit route.

Checkpoint TAC asked me to do the following, but is there a way to enable anti-spoofing and get things to work?

To configure Monitor Mode with user-defined networks:
> add monitor-mode-network ipv4-address <IP> subnet-mask <mask>
> set monitor-mode-configuration use-defined-networks true

To see user-defined Internal networks:
> show monitor-mode-network

To disable Anti-Spoofing:
> set antispoofing advanced-settings global-activation false

Regards,

Shehan

0 Kudos
G_W_Albrecht
Legend

As you have R77.20.75 installed, this cannot be the issue from sk100405. In many cases, the reason for this issue is asymmetric routing - a packet coming through an IF it is not expected from 😉

First suggestion is to check for a wrong topology config. If you cannot find a reason, for testing, you could disable Advanced Setting "Anti-spoofing - Enable global anti-spoofing".

CCSE CCTE CCSM SMB Specialist
0 Kudos
G_W_Albrecht
Legend

Did you find the drop reason yet?

CCSE CCTE CCSM SMB Specialist
0 Kudos
Shehan_Wickrama
Collaborator

Hello,

No, not yet.

Thanks

0 Kudos
Shehan_Wickrama
Collaborator

Hello, thank you for replying,

I disabled anti-spoofing. Like in the big Checkpoint appliances, where can I find topology settings to define anti-spoofing networks?

0 Kudos
