Discover the Future of Cyber Security:
What’s New in Check Point’s Quantum R82
Pick the Best of the Best of
CheckMates 2024!
Share your Cyber Security Insights
On-Stage at CPX 2025
Simplifying Zero Trust Security
with Infinity Identity!
Zero Trust Implementation
Help us with the Short-Term Roadmap
CheckMates Go:
What's New in R82
HeikoAnkenbrand
This CLI command shows you the address spoofing networks as list and the IP settings per interface. Type this command on security gateway.
Last version from 09-01-2021- command:
ifconfig -a |grep -B 1 inet |grep encap| awk '{print $1}' | grep -v lo | grep -v ":" | grep -v ^lo | xargs -I % sh -c 'echo %;echo -n " VIP "; cphaprob -a if |grep %|grep -v U|grep -v D | cut -c16-| tr -d "\r\n" ;echo;echo -n " IP ";ifconfig % | grep "inet addr" | cut -d ":" -f 2 | cut -d " " -f 1;echo -n " Mask " ;ifconfig % | sed -rn "2s/ .*:(.*)$/\1/p";echo -en " ANTISPOOFING ENABLED:\t";more $FWDIR/state/local/FW1/local.set |grep -A 30 % | grep has_addr_info | cut -c17- | tr \) " " |sort -n| uniq ; echo -en " ANTISPOOFING MODE:\t"; if [ `more $FWDIR/state/local/FW1/local.set |grep -A 30 % | grep monitor_only | cut -c16- | tr \) " " |sort -n| uniq| grep -o false` ]; then echo "PREVENT"; else echo "DETECT"; fi; echo -en " ANTISPOOFING TOPO:\t"; if [ `more $FWDIR/state/local/FW1/local.set |grep -A 30 % | grep external | cut -c12- | tr \) " " |sort -n| uniq| grep -o true` ]; then echo "External"; else echo "Internal"; fi;echo " ADDRESS SPOOFING NETWORKS:";more $FWDIR/state/local/FW1/local.set | grep -A 30 %|grep ": (\""|sort -n| uniq |tr \(\)\<\>\:\" \ ;echo " "'
Now you can see the states of:
- ANTISPOOFING ENABLED
- ANTISPOOFING MODE
- ANTISPOOFING TOPO
This CLI command shows you the address spoofing networks as list and the IP settings per interface. Type this command on security gateway.
Last version from 09-01-2021- command:
ifconfig -a |grep -B 1 inet |grep encap| awk '{print $1}' | grep -v lo | grep -v ":" | grep -v ^lo | xargs -I % sh -c 'echo %;echo -n " VIP "; cphaprob -a if |grep %|grep -v U|grep -v D | cut -c16-| tr -d "\r\n" ;echo;echo -n " IP ";ifconfig % | grep "inet addr" | cut -d ":" -f 2 | cut -d " 
Bob_Zimmerman
R80.20 and above support automatically setting up antispoofing topology based on the routing topology on the firewall. Other vendors call this Unicast Reverse Path Forwarding, or URPF. That is, without question, the right way to do antispoofing in any new growth.
It can still cause problems if your network depends on asymmetric pathing. For example, if traffic from a given network arrives at the firewall on one interface, but traffic to it leaves from another interface, URPF will only allow it to come in the interface which it would leave. This isn't necessarily asymmetric routing, as the traffic could be going through the same routers and just taking different L2 paths.
URPF ultimately reduces all antispoofing problems to routing problems, which are much better understood. If you still get antispoofing drops after enabling it, it means you need to fix your routing.
R80.20 and above support automatically setting up antispoofing topology based on the routing topology on the firewall. Other vendors call this Unicast Reverse Path Forwarding, or URPF. That is, without question, the right way to do antispoofing in any new growth.
It can still cause problems if your network depends on asymmetric pathing. For example, if traffic from a given network arrives at the firewall on one interface, but traffic to it leaves from another interface, URPF will only a
...;
Hi Heiko,
thanks for sharing with us the script. it is very helpful.
when I am using the script on R80.30 kernel 3.10
iam getting this errors
ANTISPOOFING ENABLED: sort: options '-gn' are incompatible
ANTISPOOFING MODE: sort: options '-gn' are incompatible
DETECT
ANTISPOOFING TOPO: sort: options '-gn' are incompatible
Internal
ADDRESS SPOOFING NETWORKS:
sort: options '-gn' are incompatible
how can we fit the script for R80.30 version ?
Thx in advance.
Vitali
Hi Heiko,
thanks for sharing with us the script. it is very helpful.
when I am using the script on R80.30 kernel 3.10
iam getting this errors
ANTISPOOFING ENABLED: sort: options '-gn' are incompatible
ANTISPOOFING MODE: sort: options '-gn' are incompatible
DETECT
ANTISPOOFING TOPO: sort: options '-gn' are incompatible
Internal
ADDRESS SPOOFING NETWORKS:
sort: options '-gn' are incompatible
how can we fit the script for R80.30 version ?
Thx in advance.
...;
PhoneBoy
Our versions using the 3.10 kernel have different userspace binaries, some of which might have different options (thus why this script is failing).
Hello Vitali,
This error messages occures, because the sort options are not anymore correct. Use "sort -g" instead of "sort -ng"
Regards Florian
Hello Heiko,
we used this command yesterday and found bond-interfaces with misleading information. I tried my best to modify your oneliner to remove matches for bondX.YZ when searching for bondX. Please find my changed oneliner below and check if it matches your expectations:
ifconfig -a |grep -B 1 inet |grep encap| awk '{print $1}' | grep -v lo | grep -v ":" | grep -v ^lo | xargs -I % sh -c 'echo %;echo -n " VIP "; cphaprob -a if |grep "% "|grep -v U|grep -v D | cut -c16-| tr -d "\r\n" ;echo;echo -n " IP ";ifconfig % | grep "inet addr" | cut -d ":" -f 2 | cut -d " " -f 1;echo -n " Mask " ;ifconfig % | sed -rn
"2s/ .*:(.*)$/\1/p";echo -en " ANTISPOOFING ENABLED:\t";more $FWDIR/state/local/FW1/local.set |grep -A 30 %$ | grep has_addr_info | cut -c17- | tr \) " " |sort -ng| uniq ; echo -en " ANTISPOOFING MODE:\t"; if [ `more $FWDIR/state/local/FW1/local.set |grep -A 30 %$ | grep monitor_only | cut -c16- | tr \) " " |sort -ng| uniq| grep -o false`
]; then echo "PREVENT"; else echo "DETECT"; fi; echo -en " ANTISPOOFING TOPO:\t"; if [ `more $FWDIR/state/local/FW1/local.set |grep -A 30 %$ | grep external | cut -c12- | tr \) " " |sort -ng| uniq| grep -o true` ]; then echo "External"; else echo "Internal"; fi;echo " ADDRESS SPOOFING NETWORKS:";more $FWDIR/state/local/FW1/local.set | grep
-A 30 %$|grep ": (\""|sort -ng| uniq |tr \(\)\<\>\:\" \ ;echo " "'best regards, Arne
Hello Heiko,
we used this command yesterday and found bond-interfaces with misleading information. I tried my best to modify your oneliner to remove matches for bondX.YZ when searching for bondX. Please find my changed oneliner below and check if it matches your expectations:
ifconfig -a |grep -B 1 inet |grep encap| awk '{print $1}' | grep -v lo | grep -v ":" | grep -v ^lo | xargs -I % sh -c 'echo %;echo -n " VIP "; cphaprob -a if |grep "% "|grep -v U|grep -v D | cut -c16-| tr -d Hi @Arne_Boettger,
I just noticed that both oneliners do not work under R81.10.
I have changed the grep sort settings from "sort -ng" to "sort -n".
What exactly did you change? Could you please mark this in red.
Thanks
Heiko
Hi
@Arne_Boettger,
I just noticed that both oneliners do not work under R81.10.
I have changed the grep sort settings from "sort -ng" to "sort -n".
What exactly did you change? Could you please mark this in red.
Thanks
Heiko
Hello,
I know that running diff on a oneliner is not an easy task. To put it in words, I changed one grep filtering cphaprob -a if to grep "% " - this makes it match only interface names followed by space. And then I changed two instances of grep -A 30 % to grep -A 30 %$ - this also makes the grep only match full interface names ending in a newline.
I hope that helps you verifying and taking over my improvements.
Hello,
I know that running diff on a oneliner is not an easy task. To put it in words, I changed one grep filtering cphaprob -a if to grep "% " - this makes it match only interface names followed by space. And then I changed two instances of grep -A 30 % to grep -A 30 %$ - this also makes the grep only match full interface names ending in a newline.
I hope that helps you verifying and taking over my improvements.
;
Cool command Heiko!
We build a Maestro Cluster (R80.30SP) with BGP activated between Checkpoint and Cisco switches.
The interfaces are configured to learn topology from routes and do Anti-Spoofing based on IF topology.
Routes will be exchanged correctly to and from Checkpoint VS.
When we had a configuration problem and one network was learned on two interfaces, we learned, that topology from routes are working fine because we got spoofing messages from one direction until we removed the advertisement for the second one.
Unfortunately in this configuration your command shows the AS configuration and the interface network but not the learned networks:
bond1.vvv
VIP a.b.c.148 VMAC address: 00:AA:BB:CC:DD:F6
IP a.b.c.148
Mask 255.255.255.248
ANTISPOOFING ENABLED: fo (true
ANTISPOOFING MODE: PREVENT
ANTISPOOFING TOPO: Internal
ADDRESS SPOOFING NETWORKS:
a.b.c.144, a.b.c.151
Do you see any chance to include the dynamic learned networks / anti-spoofing settings to be read out and added to this command?
Cool command Heiko!
We build a Maestro Cluster (R80.30SP) with BGP activated between Checkpoint and Cisco switches.
The interfaces are configured to learn topology from routes and do Anti-Spoofing based on IF topology.
Routes will be exchanged correctly to and from Checkpoint VS.
When we had a configuration problem and one network was learned on two interfaces, we learned, that topology from routes are working fine because we got spoofing messages from one direction until we removed the
...;
About CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY