This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
mageshkumarg
Participant
‎2024-02-26 04:24 AM
Jump to solution

Anti-Spoofing detection

We've systems in the subnet A.A.A.A which is not directly connected with the firewall. While generating traffic from those systems (A.A.A.A) to servers behind the firewall (B.B.B.B), firewall blocks the traffic with the reason "anti spoofing". After disabling anti-spoofing feature, it's allowed.

Hope, Anti-Spoofing detects if a packet with an IP address that is behind a certain interface, arrives from a different interface. In our topology, network A.A.A.A not behind any firewall interface, so why we're getting anti-spoofing detect. Attached our topology.

Labels
Topology.PNG
Preview file
6 KB
0 Kudos
1 Solution

Accepted Solutions
mageshkumarg
Participant
‎2024-03-26 03:48 AM
In response to Chris_Atkinson
Jump to solution

Hi,

TAC unable to find root cause of the issue. They recommended to upgrade the firewall version. After upgraded firewall to latest version, issue got resolved.

Thanks all.

View solution in original post

11 Replies
AmirArama
Employee
Employee
‎2024-02-26 07:48 AM
Jump to solution

Anti spoofing verify that each packet arrived with src IP is really configured to be behind the ingress interface.

so if A.A.A.A arriving to the FW from the left interface in diagram, you need to enter this interface in smartconsole (assuming you are centrally managed) , and configure inside the networks behind this interface (the point to point + any subnets behind it).

any other subnets that not explicitly configured would expect to arrive only via the external interfaces.

 

mageshkumarg
Participant
‎2024-02-26 09:58 PM
In response to AmirArama
Jump to solution

Hi Amir,

So you mean, all the subnets which is not directly connected with firewall like A.A.A.A will be detected as Spoof?

Also, our quantum spark 1600 security appliances is locally managed, how to permit the external subnets like A.A.A.A in locally managed firewall?

0 Kudos
Lesley
Mentor Mentor
Mentor
‎2024-02-27 12:13 AM
In response to mageshkumarg
Jump to solution

I think it uses the routing table also as information for AS. So if you add the networks there the will be allowed.

I cannot find it in documentation so I dont have an example. 

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
mageshkumarg
Participant
‎2024-02-27 01:32 AM
In response to Lesley
Jump to solution

Hi Lesley,

For return traffic, I already have static route to A.A.A.A subnet with the next hop as X.X.X.1. But still the traffic detected as Spoof.

0 Kudos
Lloyd_Braun
Collaborator
‎2024-02-27 12:18 PM
In response to mageshkumarg
Jump to solution

You mention "network A.A.A.A not behind any firewall interface," -- for the purposes of anti-spoofing, A.A.A.A is behind your X.X.X.2 interface.  

 

The anti-spoofing configuration is typically going to be consistent with your routing table as far as what network topology is defined "behind" which interfaces. 

0 Kudos
mageshkumarg
Participant
‎2024-03-18 02:35 AM
In response to Lloyd_Braun
Jump to solution

I think, anti-spoofing is evaluating the traffic based on interface type. By default external interface will allow all the external traffic except internal interface subnet and internal interface permit only directly connected network.

We are locally managing the firewall, Hence we unable to select interface type. It's undefined. So how, Anti spoof evaluate traffic from undefined interface? May be it's considering undefined interface as Internal?

0 Kudos
PhoneBoy
Admin
Admin
‎2024-03-18 10:07 AM
In response to mageshkumarg
Jump to solution

You need to ensure routes are defined for all subnets that are connected to the LAN and/or DMZ interface (directly or via another hop).

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2024-03-18 04:51 AM
Jump to solution

Could you please provide the firmware version and routing table details as relevant to your example?

CCSM R77/R80/ELITE
0 Kudos
mageshkumarg
Participant
‎2024-03-21 11:39 PM
In response to Chris_Atkinson
Jump to solution

Hi Chris,

Details given below. 

Firmware version :- R81.10.07

FW-1> show route
Codes: C - Connected, S - Static, R - RIP, B - BGP (D - Default),
O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA),
A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed,
NP - NAT Pool, U - Unreachable, i - Inactive

C B.B.B.96/28 is directly connected, LANBOND0.108
LANBOND0.108
C X.X.X.0/29 is directly connected, LANBOND1
LANBOND1
S A.A.A.0/24 via X.X.X.1, LANBOND1, cost 0, age 3953839
S Y.Y.Y.8/32 via B.B.B.110, LANBOND0.108, cost 0, age 3953839
C 127.0.0.0/8 is directly connected, lo
lo
FW-1>

Source :- A.A.A.19
Destination :- B.B.B.100,

Source :- A.A.A.19
Destination :- Y.Y.Y.8

Both traffic flow detected by AS and dropped.Topology (2).PNG

 

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2024-03-22 04:59 AM
In response to mageshkumarg
Jump to solution

Are all the concerned addresses from RFC1918 space?

When practical I would also recommend upgrading to R81.10.08 or higher.

I feel like we're otherwise missing something here and perhaps it's something that would be more easily navigated via a remote session with TAC.

CCSM R77/R80/ELITE
mageshkumarg
Participant
‎2024-03-26 03:48 AM
In response to Chris_Atkinson
Jump to solution

Hi,

TAC unable to find root cause of the issue. They recommended to upgrade the firewall version. After upgraded firewall to latest version, issue got resolved.

Thanks all.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top