Show AntiSpoofing Networks via CLI

HeikoAnkenbrand
Champion


This CLI command shows you the address spoofing networks as a list and the IP settings per interface. Type this command on the security gateway.

Last version from 09-01-2021 - command:

 


   ifconfig -a |grep -B 1 inet |grep encap| awk '{print $1}' | grep -v lo | grep -v ":" | grep -v ^lo | xargs -I % sh -c 'echo %;echo -n " VIP "; cphaprob -a if |grep %|grep -v U|grep -v D | cut -c16-| tr -d "\r\n" ;echo;echo -n " IP ";ifconfig % | grep "inet addr" | cut -d ":" -f 2 | cut -d " 
...;
TO ACCESS CHECKMATES TOOLBOX it's simple and free

Disclaimer: Check Point does not provide maintenance services or technical or customer support for third party content provided on this Site, including in CheckMates Toolbox. See also our Third Party Software Disclaimer.




37 Replies

Petra_Angelmahr
Explorer

Hi Heiko,

It's a very nice command.

Perhaps this can be extended even further:
ethtool settings - speed, duplex,... 



Ulf_Wegner
Participant

Nice command!



Silvia_Day
Contributor

Hi Heiko,

I've been looking for this for years.

Thanks, I'll give you a badge.

THX

Silvia



Kan_Torres
Explorer

This one-liner is very helpful. Can you also add routes for the interface? This makes it easier to see which networks are missing.



Til_Hall
Explorer

Nice



HeikoAnkenbrand
Champion

Thanks to Danny Jung (One-liner for Address Spoofing Troubleshooting) for the inspiration and to Timothy Hall (CLI Anti-Spoofing Information) for the infos.

THX

Heiko



Nuno_Thome
Explorer

Is it possible to add more interface settings:

- ethtool speed, duplex, driver,...

- routes

...



Regi_Suhm
Participant

Nice!



Udo_Struess
Explorer

Nice command :)



Ukko_Metsola
Participant

LOL - Nice command.



Timothy_Hall
Champion

Glad to see such a great tool.  Also wanted to mention this SK detailing a situation in which performing a "Get Interfaces WITHOUT Topology" will change the antispoofing state from Disabled to Enabled (with Prevent) on firewall interfaces!  Needless to say this can result in some unexpected issues:

sk136372: Get Interfaces without topology resets anti-spoofing to Enabled/Prevent

This may necessitate disabling gateway anti-spoofing enforcement "on the fly" as detailed in my prese

...


Kaspars_Zibarts
Authority

Hey buddy. Was this tested with R77.30 as well or just R80.10? On one of my old clusters that runs R77.30 it returned a ton of false results as it greps too far when looking for spoofing subnets. Maybe worth adding a note if it only works or was tested on R80.10 :) Or even better, doesn't run on R77.30

To give you an example

but with the current command following 30 lines you will get 2 extra subnets reported:

reducing grep search to 25 lines helps but I'm not too s

...


0 Kudos

Kaspars_Zibarts
Authority

Also, the Mgmt interface may return a lot of rubbish as it may match the string "Mgmt" in the file; it's a fairly common string.

It is better to add a leading bracket



0 Kudos

Kaspars_Zibarts
Authority

Much better! I thought there was another one but this one came as top search... :)



Kaspars_Zibarts
Authority

I had it on some but not this particular cluster  



0 Kudos

Sven_Glock
Advisor

Very nice one-liner! Thumbs up!

Is there a chance to move R&D to implement a simple command for this?



Austin_Packer2
Explorer

Great command, certainly very useful.

As an aside, can either this command be adapted, or is there an alternative for pulling this information from a VS or VR on VSX? I am right in thinking the local.set file contains only the interface configuration for the VSX GW and not the VRs or VSs.

Thanks,



Kaspars_Zibarts
Authority

Hi, I prefer using Danny Jung's one-liner for getting spoofing info. So it will work on any VS as long as you set the vsenv x environment beforehand manually

echo; egrep -B1 $'ifindex|:ipaddr|\(\x22<[0-9]|has_addr_info|:monitor_only|:external' $FWDIR/state/local/FW1/local.set | sed 's/[\x22\t()<>]//g' | sed 's/--//g' | sed 'N;s/\n:ipaddr6/ IPv6/;P;D' | sed '/IPv6/!s/://g' | sed 's/interface_topology/\tCalculated Interface Topology/g' | sed '0,/ifindex 0/{/ifindex 0/d;}' | sed '/ifindex 0/q

...


Austin_Packer2
Explorer

Thanks Kaspars.

I did have the vsenv set to the correct environment, but I was running Danny Jung's CCC script, and running the command through there, which must default to the VS 0.

Works a treat when run directly. Thanks! :)



Kaspars_Zibarts
Authority

Awesome!



0 Kudos

HeikoAnkenbrand
Champion

Coming soon!



0 Kudos

HeikoAnkenbrand
Champion

Helpful, thank you!



0 Kudos

Deepak_Chauhan1
Participant
Hello Heiko
Thank you for the command. Can you also create a similar script for IPv6 objects?


0 Kudos

Frank_Allen
Employee Alumnus

This is an interesting one-liner. I think considering the length of this, it might be better to make it into a script. That way it can be aliased for people who want to use this often.



0 Kudos

PhoneBoy
Admin
I think the reason Heiko did it this way is so it would be easy to cut/paste onto any system.
That said, I see benefit to it being a script.


0 Kudos

Frank_Allen
Employee Alumnus

It would also gain the ability to adapt to where it is being run from if it was a script (some checks for VSX or any other system that we might need to treat differently). I'll play with this next week. 



0 Kudos

Bob_Zimmerman
Advisor

I've modified slightly to improve internal code styling (consistent use of spaces in pipelines, for example) and to improve code correctness (I have an incredibly weird firewall which hits basically every edge case ever; this version works on it). One specific correctness change I made was wrapping the "VIP" section in a test to see if we're on a cluster in the first place. That whole line should now be silently omitted when run on a non-clustered firewall.

The other big one relates to

...


0 Kudos

Florian_Ruch
Explorer


Thanks for this command. I added this into a script file and changed the following:

ifconfig -a $1

So it's also possible to only get the Output on a specified interface, for example "scriptname eth1"

--------------------------------------------------------------------------------------------------

more $FWDIR/state/local/FW1/local.set | grep -A 30 \(%

Added \( before %, because there were strange outputs on the Sync and Mgmt Interfaces

Here is the one liner again to insert int

...


0 Kudos
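
The two problems raised in the replies above (an unanchored interface name such as "Mgmt" matching unrelated lines, and a fixed `grep -A 30` window running into the next interface) can be reproduced and avoided on a constructed sample. This is an added example, not part of the thread or of Check Point's tooling; the sample file layout and the function names `naive_count`, `iface_block` and `spoof_nets` are assumptions, and the real local.set may differ in detail.

```shell
#!/bin/bash
# Constructed, simplified stand-in for $FWDIR/state/local/FW1/local.set.
# Only the nesting and the key names seen in the thread are imitated.
make_sample() {
cat <<'EOF'
(
    :comment ("Mgmt policy installed from Mgmt server")
    : (Mgmt
        :ifindex (1)
        :ipaddr (192.0.2.1)
        :interface_topology (
            : ("<192.0.2.0, 192.0.2.255>")
        )
    )
    : (eth1
        :ifindex (2)
        :ipaddr (198.51.100.1)
        :interface_topology (
            : ("<198.51.100.0, 198.51.100.255>")
            : ("<203.0.113.0, 203.0.113.255>")
        )
    )
)
EOF
}

# What the thread reports: an unanchored name plus a fixed 30-line window.
naive_count() { grep -A 30 "$1" "$2" | grep -c '<[0-9]'; }

# Start at the line whose last field is exactly "(IFACE" and stop when that
# stanza's parentheses balance, so neighbouring interfaces are never read.
iface_block() {
    awk -v ifc="$1" '
        !inblk && $NF == ("(" ifc) { inblk = 1 }
        inblk {
            print
            depth += gsub(/\(/, "(") - gsub(/\)/, ")")
            if (depth <= 0) exit
        }' "$2"
}

# Address ranges ("<first, last>") found inside that one stanza only.
spoof_nets() { iface_block "$1" "$2" | grep -o '<[0-9][^>]*>' | tr -d '<>'; }

sample=$(mktemp)
make_sample > "$sample"
echo "grep -A 30 Mgmt: $(naive_count Mgmt "$sample") ranges"
echo "scoped Mgmt:     $(spoof_nets Mgmt "$sample")"
rm -f "$sample"
```

On the sample, the unanchored search attributes all three ranges to Mgmt, while the stanza-scoped lookup returns only the one range that belongs to it.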

Tommy_Forrest
Advisor

Is there a best practice/admin guide around anti-spoofing?

It has been a thorn in my side ever since taking on the firewalls a few years ago.  Invariably, it would start blocking traffic and we'd just have to turn it off.  And that doesn't thrill me any.

I'd like to get it fixed and fixed correctly in the coming year.



0 Kudos