Thanks for replying. I'm not sure how much detail you need but here goes 🙂

The gateways are managed via Smart-1 on a VM as a cluster.

First interface is set as a cluster and external, topology defined by IP and netmask (a /29 subnet from the overall /20 routed to the site)

Second interface is set as a cluster and internal, topology defined by a specific network object (the whole /20 for the site) using a /29 from the overall /20

Third interface is set as 1st Sync and internal, topology of each defined as internal -> defined by IP and netmask (Again another /29 from the overall /20)

I don't have anti-spoofing enabled on the external interface because I don't want to lose remote access to the gateway - it's not something I can test easily without organising remote hands to console on (no remote console here!)

Is that enough info?

Apologies, I missed a bit. The external interface is set as external (leads to the internet) and the topology bit is greyed out

Thanks for the link and screenshot.

I think it may be that the 1800 devices (SMB) we are using are not fully functional, because I don't appear to have some of these options (such as defining the topology by routes and setting the anti-spoofing to prevent) on the cluster objects - although I can see some of them on the sync interfaces which aren't clustered.

If I could set the anti-spoofing to detect instead of prevent then I could just test my settings without breaking anything 🙂

Just to make sure Im not misunderstanding anything...are you saying IF you enable anti spoofing on external interface, remote access vpn breaks?

Andy

When we set up our first site we kicked ourselves off the device when we enabled anti-spoofing by mistake. I can't recall if we set the topology up as I outlined though. As it took us a couple of months to re-establish SIC and remote access I'm a bit reluctant to experiment on any of the sites we've deployed so far as it would raise merry hell if we lost control of the firewalls (we don't always have remote hands to bail us out).

I want to enable it, but I'm concerned it will kick me off. Ideally I would like to set it to detect first, but I'm thinking these SMB devices don't support that on a clustered interface for some reason.

Apologies mate, not an smb expert at all, but just wondering, can you see if below option is there? If yes, it might be an option...

Andy

Yes, we have that set currently on the external interface.

My concern is that since the external interface /29 is part of the /20 that is routed to the internal router it might consider anything from that subnet to be invalid, since it expects to see the whole /20 on the internal interface only.

I'm wondering if the CP code is smart enough to understand and exclude the interface subnet from it's anti-spoofing calculations.

Edit: I think I've been an idiot. When the original anti-spoofing failed, I just remembered that we were using Smart-1 cloud which used a Maas tunnel which was what broke when we turned anti-spoofing on by accident.

I'm not sure what I've outlined as our current settings will even be a problem, I guess I'm just twitchy because of all the hassle that original mistake resulted in.

Its totally valid concern. I would verify with TAC to be sure.

Andy