JorgenSpange
Contributor

Anti spoofing and management traffic

Good day!

We have a Check Point environment where we need to route traffic to our web proxy on an internal interface.

This causes a problem for the security gateway itself as the traffic towards the proxy is sent from the mgt interface and the return traffic comes back on the internal interface, hence it's getting dropped by anti spoofing.
If I route the traffic to the web proxy through the mgt interface it works for the gateways, but not for the servers, which are also consuming the proxy.

When defining an interface as internal and using 'defined by routes', adding exceptions to anti spoofing seems to be greyed out.

Does anyone have a good solution on how to solve this?

Br

Jørgen

0 Kudos
5 Replies
emmap
Employee

Any reason why you don't want to route it all via the internal interface? The best solution is to avoid asymmetrical routing like this, so that anti-spoofing can do its job.

0 Kudos
JorgenSpange
Contributor

Yeah, that would be the best, but I have not figured out how I can initiate this traffic for the gateway from the internal interface.
Please let me know!

Br

0 Kudos
emmap
Employee

There's no special configuration required; the gateway just follows the routing table to get to where it needs to go. If the route to the destination points out the Internal interface, it will use that.

0 Kudos
JorgenSpange
Contributor

Yeah right, it does. Our problem is that the return traffic will be routed directly to the mgt interface, which will cause it to be dropped by anti-spoofing. I don't want to route all mgt traffic via the internal interface, as long as we actually are using the dedicated mgmt interface.

0 Kudos
emmap
Employee

In normal deployments, the mgmt interface is just another interface in the box; there's no separation of routing or whatever for management functions. If you want that, you can either redeploy it as VSX or look at Management Data Plane Separation.

https://support.checkpoint.com/results/sk/sk138672 < MDPS

0 Kudos
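A simplified model of the drop discussed in this thread, added here as an example and not code from any poster or from Check Point: each interface's topology is derived from the routing table, and a packet is accepted only if its source address is reached through the interface it arrived on. The interface names, prefixes and proxy address are constructed for illustration, and the real gateway logic is more involved than this longest-prefix check.

```python
import ipaddress

def expected_interface(routes, addr):
    """Longest-prefix match: the interface the routing table uses to reach addr."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def antispoof_verdict(routes, src, arrival_iface):
    """Accept only if the source address is routed out of the arrival interface."""
    expected = expected_interface(routes, src)
    if expected == arrival_iface:
        return "accept"
    return f"drop: {src} is behind {expected}, arrived on {arrival_iface}"

# Constructed sample data (not from the thread).
PROXY = "10.20.30.40"

# Arrangement A: the proxy is reached through the internal interface.
ROUTES_VIA_INTERNAL = [
    ("0.0.0.0/0", "external"),
    ("10.0.0.0/8", "internal"),
    ("192.168.100.0/24", "mgmt"),
]

# Arrangement B: a host route sends proxy traffic out of the mgmt interface.
ROUTES_VIA_MGMT = ROUTES_VIA_INTERNAL + [("10.20.30.40/32", "mgmt")]

def report():
    """Verdict for proxy replies on each interface under both route sets."""
    rows = []
    for name, routes in (("A", ROUTES_VIA_INTERNAL), ("B", ROUTES_VIA_MGMT)):
        for iface in ("internal", "mgmt"):
            rows.append((name, iface, antispoof_verdict(routes, PROXY, iface)))
    return rows

if __name__ == "__main__":
    for name, iface, verdict in report():
        print(f"routes {name}: reply from proxy on {iface:8} -> {verdict}")
```

Under either route set, proxy replies are accepted on exactly one interface, so any flow whose return path uses the other interface is dropped until the routing is made symmetric.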
