Simple anti-spoofing question
SMB 1800 devices, running r81.10.10
I apologise for the simplistic nature of the question, but most of the data I have found so far relates to older versions/non-SMB devices and I know these things have their little 'quirks'.
We have a standard FW design where each site has a /20 subnet assigned to it. There is a small /29 transit subnet between the CPE and the gateways that is taken from the site's overall /20.
If I configure the topology of the internal interface to include the whole /20 and apply anti-spoofing, will the gateway understand that the external interface /29 should be excluded from any blocks, or will I have to create a network object that excludes the /29 specifically and use that for the internal topology?
Many thanks.
Labels: Appliance
Is this managed through a Smart-1?
What is the topology and configuration of the relevant interfaces?
Thanks for replying. I'm not sure how much detail you need, but here goes 🙂
The gateways are managed via Smart-1 on a VM as a cluster.
First interface is set as a cluster and external, topology defined by IP and netmask (a /29 subnet from the overall /20 routed to the site)
Second interface is set as a cluster and internal, topology defined by a specific network object (the whole /20 for the site) using a /29 from the overall /20
Third interface is set as 1st Sync and internal, topology of each defined as internal -> defined by IP and netmask (again, another /29 from the overall /20)
I don't have anti-spoofing enabled on the external interface because I don't want to lose remote access to the gateway - it's not something I can test easily without organising remote hands to console on (no remote console here!)
Is that enough info?
Apologies, I missed a bit. The external interface is set as external (leads to the internet) and the topology bit is greyed out.
Here is the setting I ALWAYS found to work the best if you are not sure what to configure there.
Andy
Interface - Topology Settings (checkpoint.com)
Thanks for the link and screenshot.
I think it may be that the 1800 devices (SMB) we are using are not fully functional, because I don't appear to have some of these options (such as defining the topology by routes and setting the anti-spoofing to prevent) on the cluster objects, although I can see some of them on the sync interfaces, which aren't clustered.
If I could set the anti-spoofing to detect instead of prevent then I could just test my settings without breaking anything 🙂
Just to make sure I'm not misunderstanding anything... are you saying IF you enable anti-spoofing on the external interface, remote access VPN breaks?
Andy
When we set up our first site we kicked ourselves off the device when we enabled anti-spoofing by mistake. I can't recall if we set the topology up as I outlined, though. As it took us a couple of months to re-establish SIC and remote access, I'm a bit reluctant to experiment on any of the sites we've deployed so far, as it would raise merry hell if we lost control of the firewalls (we don't always have remote hands to bail us out).
I want to enable it, but I'm concerned it will kick me off. Ideally I would like to set it to detect first, but I'm thinking these SMB devices don't support that on a clustered interface for some reason.
Apologies mate, not an SMB expert at all, but just wondering, can you see if the option below is there? If yes, it might be an option...
Andy
Yes, we have that set currently on the external interface.
My concern is that since the external interface /29 is part of the /20 that is routed to the internal router it might consider anything from that subnet to be invalid, since it expects to see the whole /20 on the internal interface only.
I'm wondering if the CP code is smart enough to understand and exclude the interface subnet from its anti-spoofing calculations.
Edit: I think I've been an idiot. I just remembered that when the original anti-spoofing failed, we were using Smart-1 Cloud, which used a MaaS tunnel, which was what broke when we turned anti-spoofing on by accident.
I'm not sure whether what I've outlined as our current settings will even be a problem; I guess I'm just twitchy because of all the hassle that original mistake resulted in.
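The overlap the original question and the post above describe (a transit /29 and a sync /29 both carved out of the /20 that is also declared on the internal interface) can be checked on paper before anything is pushed to the gateway. The script below is an added example written for this thread, not Check Point code, and it does not claim to reproduce how the gateway itself resolves an overlapping topology; it only models the simplest reading of anti-spoofing (an internal interface accepts sources inside its declared range, the external "leads to the internet" interface accepts anything not declared internal) and shows what the "network object that excludes the /29" would contain. The addresses are constructed for the example; the poster's real ranges are not on the page.

```python
"""Illustrative anti-spoofing topology checker (added example, not
Check Point code). Models topology overlap in the simplest way so the
effect of carving the external /29 out of the site's /20 can be seen
before policy is pushed. How the real gateway handles the overlap is
not something this script decides."""
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed addressing for the example: one site /20, with an external
# transit /29 and a sync /29 both taken from that /20, as in the thread.
SITE = ip_network("10.16.0.0/20")
TRANSIT = ip_network("10.16.15.248/29")   # external, CPE <-> gateway
SYNC = ip_network("10.16.15.240/29")      # 1st sync, internal

Topology = Dict[str, List[IPv4Network]]


def exclude(net: IPv4Network, *holes: IPv4Network) -> List[IPv4Network]:
    """Return `net` minus every hole, as a sorted list of CIDR blocks.

    This is what a network object "with exclusion" amounts to: the /20
    with the /29s punched out of it.
    """
    parts = [net]
    for hole in holes:
        remaining = []
        for part in parts:
            if hole.subnet_of(part):
                # address_exclude yields the CIDR blocks left around the hole
                remaining.extend(part.address_exclude(hole))
            elif part.subnet_of(hole):
                continue  # this part is swallowed entirely by the hole
            else:
                remaining.append(part)
        parts = remaining
    return sorted(parts)


# Topology as currently described: the whole /20 on the internal
# interface, so the transit and sync /29s are declared on two interfaces.
NAIVE: Topology = {
    "external": [TRANSIT],
    "internal": [SITE],
    "sync": [SYNC],
}

# Topology with both /29s excluded from the internal range.
FIXED: Topology = {
    "external": [TRANSIT],
    "internal": exclude(SITE, TRANSIT, SYNC),
    "sync": [SYNC],
}


def overlapping_interfaces(
    topology: Topology,
) -> List[Tuple[str, str, IPv4Network, IPv4Network]]:
    """List every pair of interfaces whose declared ranges overlap.

    A range claimed by two interfaces is exactly the situation in which
    anti-spoofing can reject legitimate traffic, so this is the check to
    run before enabling it.
    """
    names = list(topology)
    found = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for net_a in topology[a]:
                for net_b in topology[b]:
                    if net_a.overlaps(net_b):
                        found.append((a, b, net_a, net_b))
    return found


def classify(topology: Topology, external: str, iface: str, src: str) -> str:
    """Simplified anti-spoofing verdict for a packet from `src` on `iface`.

    Internal interfaces accept only their declared ranges; the external
    interface accepts anything not declared on an internal interface.
    Returns "ok" or "spoofed".
    """
    addr = ip_address(src)
    internal_nets = [n for name, nets in topology.items()
                     if name != external for n in nets]
    if iface == external:
        return "spoofed" if any(addr in n for n in internal_nets) else "ok"
    return "ok" if any(addr in n for n in topology[iface]) else "spoofed"


if __name__ == "__main__":
    cpe = "10.16.15.249"  # constructed: the CPE router's transit address
    for label, topo in (("naive", NAIVE), ("fixed", FIXED)):
        verdict = classify(topo, "external", "external", cpe)
        print(f"{label}: overlaps={len(overlapping_interfaces(topo))}, "
              f"CPE {cpe} on external -> {verdict}")
```

Running it prints the two overlapping pairs for the naive topology (internal/external and internal/sync) and a "spoofed" verdict for the CPE's own transit address arriving on the external interface, while the fixed topology has no overlaps and accepts it. The eight CIDR blocks in `FIXED["internal"]` are what the exclusion-style network object for the internal interface would have to cover; whether the SMB code excludes the interface subnet on its own is the question the poster is asking, and the TAC suggestion in the thread remains the way to settle it.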
It's a totally valid concern. I would verify with TAC to be sure.
Andy
