The "network defined by routes" feature in anti-spoofing is a very nice addition, though severely flawed.
My example:
We have 10.0.0.0/8 defined in the network and multiple gateways interfacing with their external interfaces toward each other. If there are overlapping routes, anti-spoofing will kill traffic passing the external interface even if there is a more specific route northbound.
This also appears to happen with VPN traffic, where the gateway kills inbound VPN traffic that is routed towards the peer on an external interface route if there is a wider route matching an internal interface.
If this is intended behaviour, no real-world scenarios like the ones above have been considered.
At the moment we have to create anti-spoofing exception groups or disable anti-spoofing altogether. This is probably not what Check Point had in mind when designing this behaviour?
Any suggestions?
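A small model of the two matching rules at issue, added here as an example; it is not part of the original post and not Check Point's code. It assumes (my assumption, not documented behaviour) that "network defined by routes" derives each interface's anti-spoofing topology from the non-default route prefixes pointing out of that interface, and contrasts the behaviour the post describes (a source matching a wider route on another interface is treated as spoofed even when a more specific route leaves by the ingress interface) with a longest-prefix-match rule. The routing table, interface names and addresses are constructed for the example; the `exceptions` argument models the anti-spoofing exception group the post mentions as a workaround.

```python
import ipaddress

# Constructed routing table modelled on the post (not a real configuration):
# a wide 10.0.0.0/8 behind the internal interface, a more specific /24 that
# lives behind a peer gateway on the external interface, and a default route.
PEER_NET = ipaddress.ip_network("10.200.5.0/24")
ROUTES = [
    (ipaddress.ip_network("10.0.0.0/8"), "eth1-internal"),
    (PEER_NET, "eth0-external"),
    (ipaddress.ip_network("0.0.0.0/0"), "eth0-external"),
]


def topology(routes, interface):
    """Assumed model: an interface's anti-spoofing topology is the set of
    non-default prefixes routed out of it."""
    return [net for net, iface in routes if iface == interface and net.prefixlen > 0]


def leads_out(routes, interface):
    """An interface carrying the default route is treated as 'leads to the
    Internet', so arbitrary sources are acceptable on it."""
    return any(net.prefixlen == 0 and iface == interface for net, iface in routes)


def longest_match(routes, src):
    """Standard longest-prefix lookup; returns the egress interface for src."""
    best = None
    for net, iface in routes:
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def spoofed_wide_match(routes, ingress, src, exceptions=()):
    """Behaviour the post describes: drop if src lies inside the topology of
    ANY other interface, even when a more specific route points back out of
    `ingress`. `exceptions` models an anti-spoofing exception group."""
    src = ipaddress.ip_address(src)
    if any(src in net for net in exceptions):
        return False
    own = topology(routes, ingress)
    # An internal interface only accepts sources from its own topology.
    if not leads_out(routes, ingress) and not any(src in net for net in own):
        return True
    others = {iface for _, iface in routes if iface != ingress}
    return any(src in net for iface in others for net in topology(routes, iface))


def spoofed_longest_prefix(routes, ingress, src):
    """Rule that respects the more specific route: spoofed only when the
    longest-prefix match for src would leave by a different interface."""
    src = ipaddress.ip_address(src)
    return longest_match(routes, src) != ingress


def evaluate(routes, ingress, src, exceptions=()):
    """Return both verdicts for a packet from `src` arriving on `ingress`."""
    return {
        "wide_match_drops": spoofed_wide_match(routes, ingress, src, exceptions),
        "longest_prefix_drops": spoofed_longest_prefix(routes, ingress, src),
    }


if __name__ == "__main__":
    cases = [
        ("eth0-external", "10.200.5.7"),    # peer network, reached via the external /24
        ("eth0-external", "10.50.1.1"),     # genuinely spoofed internal source
        ("eth1-internal", "10.200.5.7"),    # peer address appearing on the inside
        ("eth0-external", "198.51.100.9"),  # ordinary Internet source
    ]
    for ingress, src in cases:
        print(ingress, src, evaluate(ROUTES, ingress, src))
    # The workaround from the post: an exception group covering the peer /24.
    print("with exception:", evaluate(ROUTES, "eth0-external", "10.200.5.7", exceptions=[PEER_NET]))
```

The first case is the one the post complains about: the source sits inside the peer's /24 that is routed out of the external interface, the wide-match rule still drops it because 10.0.0.0/8 is routed internally, while a longest-prefix rule lets it through. The other cases show that both rules agree on a genuinely spoofed source, so the difference is limited to overlapping routes.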