I am seeing something weird on an R81.20 Gateway. Our Internet-facing interface is set up in the Topology Spoofing settings with the Internet (External) box checked. The anti-spoofing action is set to Detect. We were trying to accomplish the goal of changing the action to Prevent across the board. However, we still have some "messy" Address Spoofing Detect hits that need to be cleaned up first.
In this example, when I search for "Address Spoofing" as my search filter, I see traffic hits in Logs & Monitoring that show a public IP source, with the public IP of our Gateway (Internet interface) showing up as Detect.
It's my understanding that, with the "Internet (External)" box checked on the interface, public IP traffic should no longer be detected as Address Spoofing.
The odd part of this traffic is that it seems to be return traffic. For example, if a user had gone outbound to a website 1.2.3.4, they get source port 10108 and destination port 443. Now, when just searching for "Address Spoofing", I would see a session with source IP 1.2.3.4, destination port 10108 and source port 443, so it looks like the return packets from that website are showing up as a separate Detect session.
What could cause this behavior? I had one of my co-workers open a TAC case, but I don't think he worked out the details with TAC; the case ended up closed with a false answer of "you need to create an allow list for anti-spoofing", but... we have "Internet (External)" checked, so I feel this answer does not properly apply to this specific case.