Simple anti-spoofing question

SMB 1800 devices, running R81.10.10

I apologise for the simplistic nature of the question, but most of the data I have found so far relates to older versions or non-SMB devices, and I know these things have their little 'quirks'.

We have a standard FW design where each site has a /20 subnet assigned to it. There is a small /29 transit subnet between the CPE and the gateways that is taken from the site's overall /20.

If I configure the topology of the internal interface to include the whole /20 and apply anti-spoofing, will the gateway understand that the external interface /29 should be excluded from any blocks, or will I have to create a network object that excludes the /29 specifically and use that for the internal topology?

Many thanks.

9 Replies
PhoneBoy
Admin

Is this managed through a Smart-1?
What is the topology and configuration of the relevant interfaces?

G-
Explorer

Thanks for replying. I'm not sure how much detail you need but here goes 🙂

The gateways are managed via Smart-1 on a VM as a cluster.

First interface is set as a cluster and external, topology defined by IP and netmask (a /29 subnet from the overall /20 routed to the site).

Second interface is set as a cluster and internal, topology defined by a specific network object (the whole /20 for the site), using a /29 from the overall /20.

Third interface is set as 1st Sync and internal, topology of each defined as internal -> defined by IP and netmask (again another /29 from the overall /20).

I don't have anti-spoofing enabled on the external interface because I don't want to lose remote access to the gateway - it's not something I can test easily without organising remote hands to console on (no remote console here!).

Is that enough info?

Apologies, I missed a bit. The external interface is set as external (leads to the internet) and the topology bit is greyed out.

the_rock
Legend

Here is the setting I ALWAYS found to work the best if you are not sure what to configure there.

Andy

Interface - Topology Settings (checkpoint.com)

[Attached image: Screenshot_1.png]

G-
Explorer

Thanks for the link and screenshot.

I think it may be that the 1800 devices (SMB) we are using are not fully functional, because I don't appear to have some of these options (such as defining the topology by routes and setting the anti-spoofing to prevent) on the cluster objects - although I can see some of them on the sync interfaces, which aren't clustered.

If I could set the anti-spoofing to detect instead of prevent, then I could just test my settings without breaking anything 🙂

the_rock
Legend

Just to make sure I'm not misunderstanding anything... are you saying IF you enable anti-spoofing on the external interface, remote access VPN breaks?

Andy

G-
Explorer

When we set up our first site we kicked ourselves off the device when we enabled anti-spoofing by mistake. I can't recall if we set the topology up as I outlined, though. As it took us a couple of months to re-establish SIC and remote access, I'm a bit reluctant to experiment on any of the sites we've deployed so far, as it would raise merry hell if we lost control of the firewalls (we don't always have remote hands to bail us out).

I want to enable it, but I'm concerned it will kick me off. Ideally I would like to set it to detect first, but I'm thinking these SMB devices don't support that on a clustered interface for some reason.

the_rock
Legend

Apologies mate, not an SMB expert at all, but just wondering, can you see if the option below is there? If yes, it might be an option...

Andy

[Attached image: Screenshot_1.png]

G-
Explorer

Yes, we have that set currently on the external interface.

My concern is that since the external interface /29 is part of the /20 that is routed to the internal router, it might consider anything from that subnet to be invalid, since it expects to see the whole /20 on the internal interface only.

I'm wondering if the CP code is smart enough to understand and exclude the interface subnet from its anti-spoofing calculations.

Edit: I think I've been an idiot. When the original anti-spoofing failed, I just remembered that we were using Smart-1 Cloud, which used a MaaS tunnel, which was what broke when we turned anti-spoofing on by accident.

I'm not sure whether what I've outlined as our current settings will even be a problem; I guess I'm just twitchy because of all the hassle that original mistake resulted in.

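The question in the original post and the concern restated just above (an external transit /29 carved out of the /20 that the internal interface claims) can be reasoned through with plain CIDR arithmetic. The script below is an added example and is not Check Point code, nor anything from this thread; it assumes a simple, generic anti-spoofing model (an internal interface accepts only sources inside its declared topology; an external "leads to the Internet" interface accepts any source that no internal interface has claimed) and uses constructed subnets (10.16.0.0/20 as the site, 10.16.15.248/29 as the CPE transit, 10.16.15.240/29 as sync). Whether the real product silently excludes the interface's own subnet is exactly what the thread leaves open, so the model is an assumption; what the script does show is what an explicit exclusion network object would have to contain, and how the two topology choices differ for a packet from the CPE.

```python
"""Model per-interface anti-spoofing topology with CIDR arithmetic.

Added example, not Check Point's implementation. The classification model and
all subnets below are assumptions constructed for illustration.
"""
import ipaddress

# Constructed site plan: a /20 per site, with small /29 transit nets carved out of it.
SITE = ipaddress.ip_network("10.16.0.0/20")
EXTERNAL_TRANSIT = ipaddress.ip_network("10.16.15.248/29")  # CPE <-> gateway
SYNC = ipaddress.ip_network("10.16.15.240/29")              # cluster sync link


def exclude_prefixes(whole, *carve_outs):
    """Return the minimal CIDR list covering `whole` minus every carve-out.

    This is the content of the "network object that excludes the /29" the
    original poster asks about, expressed as explicit prefixes.
    """
    remaining = [whole]
    for carve in carve_outs:
        nxt = []
        for net in remaining:
            if carve.subnet_of(net):
                # address_exclude yields the pieces of net not covered by carve
                # (and nothing at all when net == carve).
                nxt.extend(net.address_exclude(carve))
            elif net.subnet_of(carve):
                continue  # fully swallowed by the carve-out
            else:
                nxt.append(net)
        remaining = nxt
    return sorted(remaining)


def build_topology(explicit_exclusion):
    """Two candidate topologies: internal = whole /20, or internal = /20 minus transit nets."""
    if explicit_exclusion:
        internal = exclude_prefixes(SITE, EXTERNAL_TRANSIT, SYNC)
    else:
        internal = [SITE]
    return {"external": [EXTERNAL_TRANSIT], "internal": internal, "sync": [SYNC]}


def classify(topology, interface, src_ip):
    """Return 'valid' or 'spoofed' for a packet with source src_ip arriving on interface.

    Assumed model: internal interfaces accept only their own declared networks;
    the external interface accepts anything not claimed by an internal interface.
    """
    src = ipaddress.ip_address(src_ip)
    internal_nets = [n for name, nets in topology.items() if name != "external" for n in nets]
    if interface == "external":
        return "spoofed" if any(src in n for n in internal_nets) else "valid"
    return "valid" if any(src in n for n in topology[interface]) else "spoofed"


if __name__ == "__main__":
    print("Internal topology with the transit /29s excluded:")
    for net in exclude_prefixes(SITE, EXTERNAL_TRANSIT, SYNC):
        print(f"  {net}")
    cpe = "10.16.15.249"  # constructed CPE address inside the external transit /29
    for label, topo in (("whole /20", build_topology(False)),
                        ("/20 minus transit", build_topology(True))):
        print(f"internal={label}: packet from {cpe} on external -> "
              f"{classify(topo, 'external', cpe)}")
```

Under this model, a packet from the CPE arriving on the external interface is flagged when the internal topology is the bare /20 and accepted when the /29s are excluded, which is the difference the poster is worried about; a quick way to check the real device without risking lockout is to compare its effective internal topology against the eight prefixes the script prints, using the detect rather than prevent setting where the platform offers it.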
the_rock
Legend

It's a totally valid concern. I would verify with TAC to be sure.

Andy
