Solved: Re: Disable AntiSpoofing in SMB Cluster

Smorales · ‎2025-09-01

Hello, everyone.

I am going to implement a cluster using Quantum Sparks (model 1600).

I have a question about anti-spoofing, because when I create the cluster, it works fine in my lab environment, but when I have to implement it in the customer's environment, I have to disable it because my customer uses a dynamic routing protocol.

Normally, I disable antispoofing in the Topology tab of the firewall object within SmartConsole, but when I create the cluster object, I cannot select that tab, and when I select the interface on each member of the cluster, I don't see where I can disable antispoofing.

I see that I can disable the antispoofing feature using the next command:

set antispoofing advanced-settings global-activation false

Based on the next documentation: https://sc1.checkpoint.com/documents/SMB_R81.10.X/CLI/EN/Content/Topics/165373.htm?tocpath=Configuri...

Does anyone know if this command is sufficient to disable anti-spoofing in the cluster?
Is there anything else I need to consider?
Can it be saved in a kernel file so that it survives reboots, or does it survive?

Does anyone have any experience with this situation?

Best regards!

TJ_Aus · ‎2025-09-01

Try this

[Expert@]# fw ctl get int fw_antispoofing_enabled
fw_antispoofing_enabled = 1
[Expert@]#

to disable:
fw ctl set int fw_antispoofing_enabled 0

to enable:
fw ctl set int fw_antispoofing_enabled 1

View solution in original post

sigal · ‎2025-09-01

Hi,
In the Topology/Network Management page in SmartConsole, try changing "Automatically calculated by the gateway" to "Manually defined on the Security Management server".

Thanks.

View solution in original post

the_rock · ‎2025-09-01

That command works the same regardless if its cluster or not, since its global.

HTH

Andy

Best,
Andy

View solution in original post

G_W_Albrecht · ‎2025-09-02

Attention - the new fw ctl set value will not survive a reboot! If you want it to survive a reboot, use:

[expert] fw ctl set -f int fw_antispoofing_enabled 0
"fwkern.conf" was updated successfully

Also found in relevant SK https://support.checkpoint.com/results/sk/sk117618 is:

Note: To turn off anti-spoofing checks, SecureXL also needs to be turned off (fwaccel off). Restarting SecureXL (fwaccel on) will re-enforce anti-spoofing checks.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

View solution in original post

TJ_Aus · ‎2025-09-01

Try this

[Expert@]# fw ctl get int fw_antispoofing_enabled
fw_antispoofing_enabled = 1
[Expert@]#

to disable:
fw ctl set int fw_antispoofing_enabled 0

to enable:
fw ctl set int fw_antispoofing_enabled 1

G_W_Albrecht · ‎2025-09-02

Attention - the new fw ctl set value will not survive a reboot! If you want it to survive a reboot, use:

[expert] fw ctl set -f int fw_antispoofing_enabled 0
"fwkern.conf" was updated successfully

Also found in relevant SK https://support.checkpoint.com/results/sk/sk117618 is:

Note: To turn off anti-spoofing checks, SecureXL also needs to be turned off (fwaccel off). Restarting SecureXL (fwaccel on) will re-enforce anti-spoofing checks.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

sigal · ‎2025-09-01

Hi,
In the Topology/Network Management page in SmartConsole, try changing "Automatically calculated by the gateway" to "Manually defined on the Security Management server".

Thanks.

the_rock · ‎2025-09-01

That command works the same regardless if its cluster or not, since its global.

HTH

Andy

Best,
Andy

Are you a member of CheckMates?

Disable AntiSpoofing in SMB Cluster