Show AntiSpoofing Networks via CLI

This CLI command shows you the address spoofing networks as a list and the IP settings per interface. Type this command on the security gateway.

Last version - command:

ifconfig -a |grep -B 1 inet |grep encap| awk '{print $1}' | grep -v lo | grep -v ":" | grep -v ^lo | xargs -I % sh -c 'echo %;echo -n " VIP "; cphaprob -a if |grep %|grep -v U|grep -v D | cut -c16-| tr -d "\r\n" ;echo;echo -n " IP ";ifconfig % | grep "inet addr" | cut -d ":" -f 2 | cut -d " "

...
34 Replies

Hi Heiko,

It's a very nice command.

Perhaps this can be extended even further:
ethtool settings - speed, duplex,... 


Participant

Nice command!


Contributor

Hi Heiko,

I've been looking for this for years.

Thanks, I'll give you a badge.

THX

Silvia


Explorer

This one-liner is very helpful. Can you also add routes for the interface? This makes it easier to see which networks are missing.


Explorer

Nice


Thanks to Danny Jung (One-liner for Address Spoofing Troubleshooting) for the inspiration and to Timothy Hall (CLI Anti-Spoofing Information) for the info.

THX

Heiko


Explorer

Is it possible to add more interface settings:

- ethtool speed, duplex, driver,...

- routes

...


Participant

Nice!


Explorer

Nice command :)


Participant

LOL - Nice command.


Champion

Glad to see such a great tool.  Also wanted to mention this SK detailing a situation in which performing a "Get Interfaces WITHOUT Topology" will change the antispoofing state from Disabled to Enabled (with Prevent) on firewall interfaces!  Needless to say this can result in some unexpected issues:

sk136372: Get Interfaces without topology resets anti-spoofing to Enabled/Prevent

This may necessitate disabling gateway anti-spoofing enforcement "on the fly" as detailed in my prese

...

Authority

Hey buddy. Was this tested with R77.30 as well or just R80.10? On one of my old clusters that runs R77.30 it returned a ton of false results as it greps too far when looking for spoofing subnets. Maybe worth adding a note if it only works or was tested on R80.10 :) Or even better, doesn't run on R77.30.

To give you an example

but with the current command following 30 lines you will get 2 extra subnets reported:

reducing grep search to 25 lines helps but I'm not too s

...

Authority

Also, the Mgmt interface may return a lot of rubbish, as it may match the string "Mgmt" anywhere in the file; it's a fairly common string.

Better is to add a leading bracket.


Authority

Much better! I thought there was another one but this one came up as the top search... :)


Authority

I had it on some but not this particular cluster  


Advisor

Very nice one-liner! Thumbs up!

Is there a chance to move R&D to implement a simple command for this?


Explorer

Great command, certainly very useful.

As an aside, can this command be adapted, or is there an alternative for pulling this information from a VS or VR on VSX? Am I right in thinking the local.set file contains only the interface configuration for the VSX GW and not the VRs or VSs?

Thanks,


Authority

Hi, I prefer using Danny Jung's one-liner for getting spoofing info. It will work on any VS as long as you set the vsenv x environment beforehand manually.

echo; egrep -B1 $'ifindex|:ipaddr|\(\x22<[0-9]|has_addr_info|:monitor_only|:external' $FWDIR/state/local/FW1/local.set | sed 's/[\x22\t()<>]//g' | sed 's/--//g' | sed 'N;s/\n:ipaddr6/ IPv6/;P;D' | sed '/IPv6/!s/://g' | sed 's/interface_topology/\tCalculated Interface Topology/g' | sed '0,/ifindex 0/{/ifindex 0/d;}' | sed '/ifindex 0/q

...

Explorer

Thanks Kaspars.

I did have the vsenv set to the correct environment, but I was running Danny Jung's CCC script and running the command through there, which must default to VS 0.

Works a treat when run directly. Thanks! :)


Authority

Awesome!


Coming soon!


Helpful, thank you!


Participant
Hello Heiko
Thank you for the command. Can you also create a similar script for IPv6 objects?

Employee

This is an interesting one-liner. I think considering the length of this, it might be better to make it into a script. That way it can be aliased for people who want to use this often.


Admin

I think the reason Heiko did it this way is so it would be easy to cut/paste onto any system.
That said, I see benefit to it being a script.

Employee

It would also gain the ability to adapt to where it is being run from if it was a script (some checks for VSX or any other system that we might need to treat differently). I'll play with this next week. 


I've modified it slightly to improve internal code styling (consistent use of spaces in pipelines, for example) and to improve code correctness (I have an incredibly weird firewall which hits basically every edge case ever; this version works on it). One specific correctness change I made was wrapping the "VIP" section in a test to see if we're on a cluster in the first place. That whole line should now be silently omitted when run on a non-clustered firewall.

The other big one relates to

...

Explorer
Thanks for this command. I added this into a script file and changed the following:

ifconfig -a $1

So it's also possible to only get the output for a specified interface, for example "scriptname eth1".

--------------------------------------------------------------------------------------------------

more $FWDIR/state/local/FW1/local.set | grep -A 30 \(%

Added \( before %, because there were strange outputs on the Sync and Mgmt Interfaces

Here is the one liner again to insert int

...
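Added example (my own, not code from this thread or from Check Point) for the "Mgmt" over-match discussed above and the \( fix: it runs both a loose and an anchored extraction over a constructed, simplified local.set-style fragment whose format is an assumption, and goes beyond the thread's grep -A 30 window by closing the block at the next interface header. Needs only POSIX sh, awk and GNU grep, so it runs without a gateway.

```sh
#!/bin/sh
# Constructed, simplified local.set-style fragment (assumed format, NOT a real
# Check Point file): each interface block starts with ": (<name>" and lists its networks.
LOCAL_SET_SAMPLE=$(cat <<'EOF'
: (Mgmt
    :ifindex (0)
    :ipaddr (10.0.0.1)
    :netmask (255.255.255.0)
    :spoofing_networks (
        : ("<10.0.0.0, 255.255.255.0>")
    )
)
: (eth1
    :ifindex (1)
    :ipaddr (192.168.1.1)
    :netmask (255.255.255.0)
    :comments (uplink to Mgmt switch)
    :spoofing_networks (
        : ("<192.168.1.0, 255.255.255.0>")
        : ("<172.16.0.0, 255.255.0.0>")
    )
)
EOF
)

# Loose extraction, like the thread's original command: any line containing the
# interface name opens a 30-line window, so "Mgmt" in a comment (or a short block
# followed by another interface) pulls in the neighbour's networks as well.
spoof_nets_loose() {
    printf '%s\n' "$LOCAL_SET_SAMPLE" | grep -A 30 "$1" | grep -o '<[^>]*>' | sort -u
}

# Anchored extraction: only the block header ": (<name>" opens the window (the
# thread's "\(" fix), and the window closes at the next interface header rather
# than after a fixed number of lines.
spoof_nets_anchored() {
    printf '%s\n' "$LOCAL_SET_SAMPLE" | awk -v ifn="$1" '
        $0 ~ "^: \\(" ifn "$"           { inblock = 1; next }   # wanted block starts
        /^: \(/                         { inblock = 0 }         # another block starts
        inblock && match($0, /<[^>]*>/) { print substr($0, RSTART, RLENGTH) }
    '
}

echo "Mgmt (loose):";    spoof_nets_loose Mgmt
echo "Mgmt (anchored):"; spoof_nets_anchored Mgmt
echo "eth1 (anchored):"; spoof_nets_anchored eth1
```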

Is there a best practice/admin guide around anti-spoofing?

It has been a thorn in my side ever since taking on the firewalls a few years ago.  Invariably, it would start blocking traffic and we'd just have to turn it off.  And that doesn't thrill me any.

I'd like to get it fixed and fixed correctly in the coming year.
