
Show AntiSpoofing Networks via CLI

HeikoAnkenbrand (Champion)


This CLI command shows you the address spoofing networks as a list and the IP settings per interface. Type this command on the security gateway.

Latest version (09-01-2021) of the command:

   ifconfig -a |grep -B 1 inet |grep encap| awk '{print $1}' | grep -v lo | grep -v ":" | grep -v ^lo | xargs -I % sh -c 'echo %;echo -n " VIP "; cphaprob -a if |grep %|grep -v U|grep -v D | cut -c16-| tr -d "\r\n" ;echo;echo -n " IP ";ifconfig % | grep "inet addr" | cut -d ":" -f 2 | cut -d " 
...

38 Replies

Bob_Zimmerman (Authority)

R80.20 and above support automatically setting up antispoofing topology based on the routing topology on the firewall. Other vendors call this Unicast Reverse Path Forwarding, or URPF. That is, without question, the right way to do antispoofing in any new growth.

It can still cause problems if your network depends on asymmetric pathing. For example, if traffic from a given network arrives at the firewall on one interface, but traffic to it leaves from another interface, URPF will only a

...


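To make the route-based behaviour concrete, here is an added example (not code from this thread or from Check Point): a small POSIX shell/awk simulation of a strict reverse-path check over a constructed routing table. `topology_for` lists the networks a route-derived topology would assign to an interface, and `urpf_check` does the longest-prefix lookup that decides whether a source address may arrive on a given interface. The routing table, the interface names and both function names are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): a strict-URPF style check built from a
# routing table, to show how "antispoofing from routing topology" decides a packet
# and why asymmetric paths fail it. The routing table below is constructed for the
# demo; the format mimics `ip route` output ("<prefix> dev <iface>").
ROUTES='10.1.0.0/16 dev eth1
10.1.5.0/24 dev eth2
192.168.0.0/16 dev eth3
0.0.0.0/0 dev eth0'

# topology_for <iface>: the networks a route-derived topology would assign to an
# interface, i.e. every non-default route whose egress interface is <iface>.
# (Raw routes only: the more specific 10.1.5.0/24 is NOT carved out of eth1's /16.)
topology_for() {
    printf '%s\n' "$ROUTES" | awk -v iface="$1" '$3 == iface && $1 != "0.0.0.0/0" { print $1 }'
}

# urpf_check <src_ip> <ingress_iface>: longest-prefix match of the source address
# against the routing table; prints "pass" only if the best route leaves through the
# interface the packet arrived on (strict reverse-path check), otherwise "fail".
urpf_check() {
    printf '%s\n' "$ROUTES" | awk -v src="$1" -v iface="$2" '
        function ip2int(s,  a) { split(s, a, "."); return ((a[1]*256 + a[2])*256 + a[3])*256 + a[4] }
        BEGIN { best = -1 }
        {
            split($1, r, "/"); net = ip2int(r[1]); plen = r[2] + 0; dev = $3
            # compare the top "plen" bits by discarding the host bits of both addresses
            hostbits = 2 ^ (32 - plen)
            if (int(ip2int(src) / hostbits) == int(net / hostbits) && plen > best) {
                best = plen; bestdev = dev
            }
        }
        END { if (best >= 0 && bestdev == iface) print "pass"; else print "fail" }'
}

# Demo: the /24 via eth2 is more specific than the /16 via eth1, so a host in
# 10.1.5.0/24 whose traffic arrives on eth1 (asymmetric path) is rejected.
for pkt in "10.1.7.9 eth1" "10.1.5.9 eth1" "10.1.5.9 eth2" "8.8.8.8 eth0" "8.8.8.8 eth3"; do
    set -- $pkt
    printf '%-12s in via %-5s -> %s\n' "$1" "$2" "$(urpf_check "$1" "$2")"
done
```

The second demo line is the asymmetric case described above: 10.1.5.9 has a more specific route via eth2, so when its traffic comes in on eth1 the strict check fails even though eth1 holds the covering /16. `topology_for` only lists raw routes and does not subtract more specific routes that exit elsewhere, so read it as the input to such a check, not as a model of how the gateway builds its topology.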

Steve_Vandegaer (Contributor)

Could we add zones to the output?




Vitali_Ronkin (Participant)

Hi Heiko,

Thanks for sharing the script with us. It is very helpful.

When I am using the script on R80.30 (kernel 3.10) I am getting these errors:

ANTISPOOFING ENABLED: sort: options '-gn' are incompatible
ANTISPOOFING MODE: sort: options '-gn' are incompatible
DETECT
ANTISPOOFING TOPO: sort: options '-gn' are incompatible
Internal
ADDRESS SPOOFING NETWORKS:
sort: options '-gn' are incompatible

How can we fit the script for the R80.30 version?

Thanks in advance.

...



PhoneBoy (Admin)

Our versions using the 3.10 kernel have different userspace binaries, some of which might have different options (which is why this script is failing).




Florian_Ruch (Explorer)

Hello Vitali,

This error message occurs because the sort options are no longer correct. Use "sort -g" instead of "sort -ng".

Regards, Florian



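An added example (not from the thread, and not Check Point's code): the `-gn` conflict aside, neither `sort -n` nor `sort -g` orders dotted-quad addresses correctly, because both stop parsing a number at the second dot, so "10.1.10.0" and "10.1.9.0" compare equal and fall back to a text tie-break. Assuming the script's sort calls exist to order lists of networks (the visible output only shows the "ADDRESS SPOOFING NETWORKS" heading, not the sort invocations themselves), the portable fix is to sort on the four octets as separate numeric keys, which behaves the same on the old userspace and on the 3.10-kernel userspace. The network list below is constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of the thread). Sorting dotted-quad networks portably:
# `sort -n`/`sort -g` parse "10.1.10.0/24" as the number 10.1 and stop, so they
# cannot tell 10.1.9.0 from 10.1.10.0. Keying on each octet fixes that and avoids
# the -g/-n flag incompatibility entirely.

# Constructed sample list of networks, deliberately out of order.
NETS='10.1.10.0/24
10.1.9.0/24
10.1.2.0/24
192.168.1.0/24
10.0.0.0/8
172.16.200.0/24
172.16.20.0/24'

# sort_nets: read "a.b.c.d[/len]" lines on stdin, print them in address order.
# -t . splits on dots; each -k selects one octet as a numeric key. The "/len"
# suffix rides along in the 4th field and is ignored by -n (parsing stops at "/").
# LC_ALL=C keeps the decimal point and tie-break byte-wise regardless of locale.
sort_nets() {
    LC_ALL=C sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n
}

# sort_nets_naive: what a plain numeric sort does with the same input, for comparison.
sort_nets_naive() {
    LC_ALL=C sort -n
}

echo "naive sort -n:"
printf '%s\n' "$NETS" | sort_nets_naive
echo
echo "octet-keyed sort:"
printf '%s\n' "$NETS" | sort_nets
```

In the naive output 10.1.10.0/24 lands before 10.1.9.0/24 because the tie-break compares the text "10.1.1..." against "10.1.9..."; the keyed sort puts the /8 first and the three 10.1.x.0 networks in the order 2, 9, 10.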

Arne_Boettger (Collaborator)

Hello Heiko,

We used this command yesterday and found bond interfaces with misleading information. I tried my best to modify your one-liner to remove matches for bondX.YZ when searching for bondX. Please find my changed one-liner below and check whether it matches your expectations:


   ifconfig -a |grep -B 1 inet |grep encap| awk '{print $1}' | grep -v lo | grep -v ":" | grep -v ^lo | xargs -I % sh -c 'echo %;echo -n " VIP "; cphaprob -a if |grep "% "|grep -v U|grep -v D | cut -c16-| tr -d 
...



HeikoAnkenbrand (Champion)

Hi @Arne_Boettger,

I just noticed that both one-liners do not work under R81.10.

I have changed the grep sort settings from "sort -ng" to "sort -n".

What exactly did you change? Could you please mark this in red.

Thanks
Heiko




Arne_Boettger (Collaborator)

Hello,

I know that running diff on a one-liner is not an easy task. To put it in words: I changed one grep filtering cphaprob -a if to grep "% " - this makes it match only interface names followed by a space. And then I changed two instances of grep -A 30 % to grep -A 30 %$ - this also makes the grep match only full interface names ending in a newline.

I hope that helps you verify and take over my improvements.



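An added example (not from the thread) showing why the plain match misfires on bond interfaces and which forms fix it. The interface table is constructed for the demo and is not real `cphaprob -a if` output; the function names are assumptions. The anchored grep is the same idea as the `"% "` and `%$` patterns in the reply above; the awk variant avoids regex handling altogether.

```shell
#!/bin/sh
# Added example (not part of the thread). Interface names are prefixes of one
# another (bond1 vs bond1.10 vs bond10), so a bare `grep bond1` over per-interface
# output returns lines for several interfaces.
# Constructed per-interface table for the demo (NOT real cphaprob output).
IFTABLE='eth0      UP    non-sync
bond1     UP    sync
bond1.10  UP    non-sync
bond10    DOWN  non-sync
bond10.1  UP    non-sync'

# Each match_* function prints how many table lines a given strategy returns for <iface>.
# (grep -c prints 0 and exits 1 when nothing matches.)

# Substring match: "bond1" also hits bond1.10, bond10 and bond10.1.
match_naive() { printf '%s\n' "$IFTABLE" | grep -c "$1"; }

# -w looks like the fix, but "." is a non-word character, so bond1 still matches bond1.10.
match_word() { printf '%s\n' "$IFTABLE" | grep -c -w "$1"; }

# Anchored: name at line start and followed by whitespace (same idea as grep "% " in
# the thread; "%$" is the equivalent when the name is the last thing on the line).
# Caveat: "." in a name such as bond1.10 is still a regex metacharacter here.
match_anchored() { printf '%s\n' "$IFTABLE" | grep -c "^$1[[:space:]]"; }

# Exact first-field comparison in awk: no regex, no prefix/suffix ambiguity.
match_exact() { printf '%s\n' "$IFTABLE" | awk -v n="$1" '$1 == n { c++ } END { print c + 0 }'; }

# Full table line for exactly one interface (empty if the name is unknown).
iface_line() { printf '%s\n' "$IFTABLE" | awk -v n="$1" '$1 == n'; }

for name in bond1 bond10 bond1.10; do
    printf '%-8s naive=%s word=%s anchored=%s exact=%s\n' "$name" \
        "$(match_naive "$name")" "$(match_word "$name")" \
        "$(match_anchored "$name")" "$(match_exact "$name")"
done
```

For "bond1" the four strategies return 4, 2, 1 and 1 lines respectively; `grep -w` is the trap worth remembering, because VLAN sub-interfaces (bondX.YZ) pass a word-boundary check.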

Axel_Pabich (Explorer)

Cool command Heiko!

We built a Maestro cluster (R80.30SP) with BGP enabled between Check Point and Cisco switches.
The interfaces are configured to learn topology from routes and do Anti-Spoofing based on interface topology.
Routes are exchanged correctly to and from the Check Point VS.

When we had a configuration problem and one network was learned on two interfaces, we learned that topology from routes works fine, because we got spoofing messages from one direction until we removed the

...