Show AntiSpoofing Networks via CLI
This CLI command shows you the address spoofing networks as a list, together with the IP settings per interface. Type this command on the security gateway.
Last version (from 09-01-2021) of the command:
ifconfig -a |grep -B 1 inet |grep encap| awk '{print $1}' | grep -v lo | grep -v ":" | grep -v ^lo | xargs -I % sh -c 'echo %;echo -n " VIP "; cphaprob -a if |grep %|grep -v U|grep -v D | cut -c16-| tr -d "\r\n" ;echo;echo -n " IP ";ifconfig % | grep "inet addr" | cut -d ":" -f 2 | cut -d " " -f 1;echo -n " Mask " ;ifconfig % | sed -rn "2s/ .*:(.*)$/\1/p";echo -en " ANTISPOOFING ENABLED:\t";more $FWDIR/state/local/FW1/local.set |grep -A 30 % | grep has_addr_info | cut -c17- | tr \) " " |sort -n| uniq ; echo -en " ANTISPOOFING MODE:\t"; if [ `more $FWDIR/state/local/FW1/local.set |grep -A 30 % | grep monitor_only | cut -c16- | tr \) " " |sort -n| uniq| grep -o false` ]; then echo "PREVENT"; else echo "DETECT"; fi; echo -en " ANTISPOOFING TOPO:\t"; if [ `more $FWDIR/state/local/FW1/local.set |grep -A 30 % | grep external | cut -c12- | tr \) " " |sort -n| uniq| grep -o true` ]; then echo "External"; else echo "Internal"; fi;echo " ADDRESS SPOOFING NETWORKS:";more $FWDIR/state/local/FW1/local.set | grep -A 30 %|grep ": (\""|sort -n| uniq |tr \(\)\<\>\:\" \ ;echo " "'
Now you can see the states of:
- ANTISPOOFING ENABLED
- ANTISPOOFING MODE
- ANTISPOOFING TOPO
R80.20 and above support automatically setting up antispoofing topology based on the routing topology on the firewall. Other vendors call this Unicast Reverse Path Forwarding, or URPF. That is, without question, the right way to do antispoofing in any new growth.
It can still cause problems if your network depends on asymmetric pathing. For example, if traffic from a given network arrives at the firewall on one interface, but traffic to it leaves from another interface, URPF will only allow it to come in the interface which it would leave. This isn't necessarily asymmetric routing, as the traffic could be going through the same routers and just taking different L2 paths.
URPF ultimately reduces all antispoofing problems to routing problems, which are much better understood. If you still get antispoofing drops after enabling it, it means you need to fix your routing.
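The reverse-path logic described above, as an added example that is not part of this thread and not Check Point's implementation: a small Python model of strict reverse-path checking over a constructed routing table (the interface names and prefixes are hypothetical). It shows why a source that arrives on an interface other than the one the gateway would route back through is dropped, including the asymmetric case, and it flags a prefix learned on two interfaces, which is the routing problem that shows up as one-sided spoofing drops.

```python
import ipaddress
from typing import Dict, List, NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    iface: str


# Constructed routing table for this illustration; interface names and
# prefixes are hypothetical, not taken from any real gateway.
ROUTES: List[Route] = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "eth0"),       # default route: the "External" leg
    Route(ipaddress.ip_network("10.10.0.0/16"), "eth1"),    # internal aggregate
    Route(ipaddress.ip_network("10.10.20.0/24"), "eth2"),   # more specific subnet on another leg
    Route(ipaddress.ip_network("192.168.5.0/24"), "bond1.30"),
]

# Constructed misconfiguration: the same network learned on two interfaces
# (the extra eth1 entry duplicates the eth2 prefix).
DUPLICATED_ROUTES: List[Route] = ROUTES + [
    Route(ipaddress.ip_network("10.10.20.0/24"), "eth1"),
]


def best_route(addr: str, routes: List[Route] = ROUTES) -> Optional[Route]:
    """Longest-prefix match: the route the gateway would use to reach addr.
    On a tie the first table entry wins, which is the deterministic but
    one-sided behaviour that produces drops when a prefix is duplicated."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in routes if ip in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen)


def urpf_check(src: str, ingress: str, routes: List[Route] = ROUTES) -> str:
    """Strict reverse-path check: accept only if the packet arrived on the
    interface through which the gateway would route back to its source."""
    route = best_route(src, routes)
    if route is None:
        return "DROP:no-route"
    if route.iface != ingress:
        return f"DROP:expected-{route.iface}"
    return "ACCEPT"


def topology_from_routes(routes: List[Route] = ROUTES) -> Dict[str, List[str]]:
    """Per-interface list of source prefixes the reverse-path check admits,
    i.e. the anti-spoofing topology derived from the routing table."""
    topo: Dict[str, List[str]] = {}
    for r in routes:
        topo.setdefault(r.iface, []).append(str(r.prefix))
    return topo


def ambiguous_prefixes(routes: List[Route] = ROUTES) -> Dict[str, List[str]]:
    """Prefixes present on more than one interface. Each one is a routing
    problem to fix before looking at anti-spoofing drops."""
    seen: Dict[str, set] = {}
    for r in routes:
        seen.setdefault(str(r.prefix), set()).add(r.iface)
    return {p: sorted(i) for p, i in seen.items() if len(i) > 1}


if __name__ == "__main__":
    for src, ingress in [("10.10.5.7", "eth1"), ("10.10.5.7", "eth0"),
                         ("10.10.20.9", "eth1"), ("192.168.5.10", "eth1")]:
        print(f"src={src:<14} in={ingress:<8} -> {urpf_check(src, ingress)}")
    print("duplicated prefixes:", ambiguous_prefixes(DUPLICATED_ROUTES))
```

The 192.168.5.10 case is the asymmetric path from the post: the gateway would send replies out bond1.30, so the same source arriving on eth1 is dropped even though the routing itself is not wrong. Running `ambiguous_prefixes` over the table is the check to do first when drops appear after enabling topology from routes.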
Hi Heiko,
Thanks for sharing the script with us. It is very helpful.
When I use the script on R80.30 (kernel 3.10),
I am getting these errors:
ANTISPOOFING ENABLED: sort: options '-gn' are incompatible
ANTISPOOFING MODE: sort: options '-gn' are incompatible
DETECT
ANTISPOOFING TOPO: sort: options '-gn' are incompatible
Internal
ADDRESS SPOOFING NETWORKS:
sort: options '-gn' are incompatible
How can we make the script fit the R80.30 version?
Thx in advance.
Vitali
Our versions using the 3.10 kernel have different userspace binaries, some of which might have different options (which is why this script is failing).
Hello Vitali,
This error message occurs because the sort options are no longer correct. Use "sort -g" instead of "sort -ng".
Regards Florian
Hello Heiko,
we used this command yesterday and found bond-interfaces with misleading information. I tried my best to modify your oneliner to remove matches for bondX.YZ when searching for bondX. Please find my changed oneliner below and check if it matches your expectations:
ifconfig -a |grep -B 1 inet |grep encap| awk '{print $1}' | grep -v lo | grep -v ":" | grep -v ^lo | xargs -I % sh -c 'echo %;echo -n " VIP "; cphaprob -a if |grep "% "|grep -v U|grep -v D | cut -c16-| tr -d "\r\n" ;echo;echo -n " IP ";ifconfig % | grep "inet addr" | cut -d ":" -f 2 | cut -d " " -f 1;echo -n " Mask " ;ifconfig % | sed -rn "2s/ .*:(.*)$/\1/p";echo -en " ANTISPOOFING ENABLED:\t";more $FWDIR/state/local/FW1/local.set |grep -A 30 %$ | grep has_addr_info | cut -c17- | tr \) " " |sort -ng| uniq ; echo -en " ANTISPOOFING MODE:\t"; if [ `more $FWDIR/state/local/FW1/local.set |grep -A 30 %$ | grep monitor_only | cut -c16- | tr \) " " |sort -ng| uniq| grep -o false` ]; then echo "PREVENT"; else echo "DETECT"; fi; echo -en " ANTISPOOFING TOPO:\t"; if [ `more $FWDIR/state/local/FW1/local.set |grep -A 30 %$ | grep external | cut -c12- | tr \) " " |sort -ng| uniq| grep -o true` ]; then echo "External"; else echo "Internal"; fi;echo " ADDRESS SPOOFING NETWORKS:";more $FWDIR/state/local/FW1/local.set | grep -A 30 %$|grep ": (\""|sort -ng| uniq |tr \(\)\<\>\:\" \ ;echo " "'
best regards, Arne
Hi @Arne_Boettger,
I just noticed that both oneliners do not work under R81.10.
I have changed the grep sort settings from "sort -ng" to "sort -n".
What exactly did you change? Could you please mark this in red.
Thanks
Heiko
Hello,
I know that running diff on a oneliner is not an easy task. To put it in words, I changed one grep filtering cphaprob -a if to grep "% " - this makes it match only interface names followed by space. And then I changed two instances of grep -A 30 % to grep -A 30 %$ - this also makes the grep only match full interface names ending in a newline.
I hope that helps you verifying and taking over my improvements.
Cool command Heiko!
We built a Maestro Cluster (R80.30SP) with BGP activated between Check Point and Cisco switches.
The interfaces are configured to learn topology from routes and do Anti-Spoofing based on IF topology.
Routes will be exchanged correctly to and from Checkpoint VS.
When we had a configuration problem and one network was learned on two interfaces, we learned that topology from routes is working fine, because we got spoofing messages from one direction until we removed the advertisement for the second one.
Unfortunately in this configuration your command shows the AS configuration and the interface network but not the learned networks:
bond1.vvv
VIP a.b.c.148 VMAC address: 00:AA:BB:CC:DD:F6
IP a.b.c.148
Mask 255.255.255.248
ANTISPOOFING ENABLED: fo (true
ANTISPOOFING MODE: PREVENT
ANTISPOOFING TOPO: Internal
ADDRESS SPOOFING NETWORKS:
a.b.c.144, a.b.c.151
Do you see any chance to include the dynamic learned networks / anti-spoofing settings to be read out and added to this command?