This CLI command shows you the address spoofing networks as list and the IP settings per interface. Type this command on security gateway.
Last version from 09-01-2021, command:
ifconfig -a |grep -B 1 inet |grep encap| awk '{print $1}' | grep -v lo | grep -v ":" | grep -v ^lo | xargs -I % sh -c 'echo %;echo -n " VIP "; cphaprob -a if |grep %|grep -v U|grep -v D | cut -c16-| tr -d "\r\n" ;echo;echo -n " IP ";ifconfig % | grep "inet addr" | cut -d ":" -f 2 | cut -d " " -f 1;echo -n " Mask " ;ifconfig % | sed -rn "2s/ .*:(.*)$/\1/p";echo -en " ANTISPOOFING ENABLED:\t";more $FWDIR/state/local/FW1/local.set |grep -A 30 % | grep has_addr_info | cut -c17- | tr \) " " |sort -n| uniq ; echo -en " ANTISPOOFING MODE:\t"; if [ `more $FWDIR/state/local/FW1/local.set |grep -A 30 % | grep monitor_only | cut -c16- | tr \) " " |sort -n| uniq| grep -o false` ]; then echo "PREVENT"; else echo "DETECT"; fi; echo -en " ANTISPOOFING TOPO:\t"; if [ `more $FWDIR/state/local/FW1/local.set |grep -A 30 % | grep external | cut -c12- | tr \) " " |sort -n| uniq| grep -o true` ]; then echo "External"; else echo "Internal"; fi;echo " ADDRESS SPOOFING NETWORKS:";more $FWDIR/state/local/FW1/local.set | grep -A 30 %|grep ": (\""|sort -n| uniq |tr \(\)\<\>\:\" \ ;echo " "'
Now you can see the states of:
- ANTISPOOFING ENABLED
- ANTISPOOFING MODE
- ANTISPOOFING TOPO
R80.20 and above support automatically setting up antispoofing topology based on the routing topology on the firewall. Other vendors call this Unicast Reverse Path Forwarding, or URPF. That is, without question, the right way to do antispoofing in any new growth.
It can still cause problems if your network depends on asymmetric pathing. For example, if traffic from a given network arrives at the firewall on one interface, but traffic to it leaves from another interface, URPF will only allow it to come in the interface which it would leave. This isn't necessarily asymmetric routing, as the traffic could be going through the same routers and just taking different L2 paths.
URPF ultimately reduces all antispoofing problems to routing problems, which are much better understood. If you still get antispoofing drops after enabling it, it means you need to fix your routing.
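The reverse-path check described in the reply above, as an added example that is not part of the original post or of any Check Point code: a longest-prefix-match lookup decides which interface the gateway would use to reach the packet's source, and the packet passes only if it arrived on that interface. The routing table, interface names and addresses are constructed, and the prevent/detect split mirrors the ANTISPOOFING MODE output of the one-liner; the last function shows that the asymmetric case is cured by a routing change, not by an antispoofing exception.

```python
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, str]  # (prefix, egress interface)

# Constructed routing table for a hypothetical gateway (sample data, not a real device).
ROUTES: List[Route] = [
    ("0.0.0.0/0", "eth0"),         # default route towards the Internet
    ("10.1.0.0/16", "eth1"),       # internal LAN
    ("10.1.5.0/24", "eth2"),       # more specific DMZ carved out of the LAN range
    ("192.168.100.0/24", "eth3"),  # reachable via eth3, but its traffic actually arrives on eth1
]


def lookup_egress(dst: str, routes: List[Route]) -> Optional[str]:
    """Longest-prefix match: the interface the gateway would use to reach dst."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def urpf_check(src: str, ingress_iface: str, routes: List[Route]) -> bool:
    """Unicast RPF: accept only if the route back to src leaves via the ingress interface."""
    return lookup_egress(src, routes) == ingress_iface


def antispoofing_verdict(src: str, ingress_iface: str, routes: List[Route],
                         mode: str = "prevent") -> str:
    """'prevent' drops a failing packet; 'detect' only logs it (monitor-only)."""
    if urpf_check(src, ingress_iface, routes):
        return "accept"
    return "drop" if mode == "prevent" else "log"


def with_route(routes: List[Route], prefix: str, iface: str) -> List[Route]:
    """Return a copy of the table where prefix points at iface (the routing fix)."""
    return [r for r in routes if r[0] != prefix] + [(prefix, iface)]


if __name__ == "__main__":
    for src, iface in [("10.1.5.7", "eth2"), ("10.1.5.7", "eth1"),
                       ("203.0.113.5", "eth1"), ("192.168.100.10", "eth1")]:
        print(src, iface, antispoofing_verdict(src, iface, ROUTES))
    fixed = with_route(ROUTES, "192.168.100.0/24", "eth1")
    print("after routing fix:", antispoofing_verdict("192.168.100.10", "eth1", fixed))
```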
Hi Heiko,
thanks for sharing the script with us. It is very helpful.
When I am using the script on R80.30 kernel 3.10,
I am getting these errors:
ANTISPOOFING ENABLED: sort: options '-gn' are incompatible
ANTISPOOFING MODE: sort: options '-gn' are incompatible
DETECT
ANTISPOOFING TOPO: sort: options '-gn' are incompatible
Internal
ADDRESS SPOOFING NETWORKS:
sort: options '-gn' are incompatible
How can we fit the script to the R80.30 version?
Thx in advance.
Vitali
Our versions using the 3.10 kernel have different userspace binaries, some of which might have different options (thus why this script is failing).
Hello Vitali,
This error message occurs because the sort options are no longer correct. Use "sort -g" instead of "sort -ng".
Regards Florian
Hello Heiko,
we used this command yesterday and found bond-interfaces with misleading information. I tried my best to modify your oneliner to remove matches for bondX.YZ when searching for bondX. Please find my changed oneliner below and check if it matches your expectations:
ifconfig -a |grep -B 1 inet |grep encap| awk '{print $1}' | grep -v lo | grep -v ":" | grep -v ^lo | xargs -I % sh -c 'echo %;echo -n " VIP "; cphaprob -a if |grep "% "|grep -v U|grep -v D | cut -c16-| tr -d "\r\n" ;echo;echo -n " IP ";ifconfig % | grep "inet addr" | cut -d ":" -f 2 | cut -d " " -f 1;echo -n " Mask " ;ifconfig % | sed -rn "2s/ .*:(.*)$/\1/p";echo -en " ANTISPOOFING ENABLED:\t";more $FWDIR/state/local/FW1/local.set |grep -A 30 %$ | grep has_addr_info | cut -c17- | tr \) " " |sort -ng| uniq ; echo -en " ANTISPOOFING MODE:\t"; if [ `more $FWDIR/state/local/FW1/local.set |grep -A 30 %$ | grep monitor_only | cut -c16- | tr \) " " |sort -ng| uniq| grep -o false` ]; then echo "PREVENT"; else echo "DETECT"; fi; echo -en " ANTISPOOFING TOPO:\t"; if [ `more $FWDIR/state/local/FW1/local.set |grep -A 30 %$ | grep external | cut -c12- | tr \) " " |sort -ng| uniq| grep -o true` ]; then echo "External"; else echo "Internal"; fi;echo " ADDRESS SPOOFING NETWORKS:";more $FWDIR/state/local/FW1/local.set | grep -A 30 %$|grep ": (\""|sort -ng| uniq |tr \(\)\<\>\:\" \ ;echo " "'
best regards, Arne
Hi @Arne_Boettger,
I just noticed that both oneliners do not work under R81.10.
I have changed the grep sort settings from "sort -ng" to "sort -n".
What exactly did you change? Could you please mark this in red.
Thanks
Heiko
Hello,
I know that running diff on a oneliner is not an easy task. To put it in words, I changed one grep filtering cphaprob -a if to grep "% " - this makes it match only interface names followed by space. And then I changed two instances of grep -A 30 % to grep -A 30 %$ - this also makes the grep only match full interface names ending in a newline.
I hope that helps you verifying and taking over my improvements.
Cool command Heiko!
We built a Maestro Cluster (R80.30SP) with BGP activated between Checkpoint and Cisco switches.
The interfaces are configured to learn topology from routes and do Anti-Spoofing based on IF topology.
Routes are exchanged correctly to and from the Checkpoint VS.
When we had a configuration problem and one network was learned on two interfaces, we learned that topology from routes is working fine, because we got spoofing messages from one direction until we removed the advertisement for the second one.
Unfortunately in this configuration your command shows the AS configuration and the interface network but not the learned networks:
bond1.vvv
VIP a.b.c.148 VMAC address: 00:AA:BB:CC:DD:F6
IP a.b.c.148
Mask 255.255.255.248
ANTISPOOFING ENABLED: fo (true
ANTISPOOFING MODE: PREVENT
ANTISPOOFING TOPO: Internal
ADDRESS SPOOFING NETWORKS:
a.b.c.144, a.b.c.151
Do you see any chance to include the dynamic learned networks / anti-spoofing settings to be read out and added to this command?