Harald_Hansen
Collaborator

Anti-spoofing; network defined by routes with overlapping spaces

The network defined by routes feature in anti-spoofing is a very nice addition, though severely flawed.

My example:

We have 10.0.0.0/8 defined in the network and multiple gateways interfacing with their external interfaces toward each other. If there are overlapping routes, anti-spoofing will kill traffic passing the external interface even if there is a more specific route northbound.

This also appears to happen with VPN traffic, where the gateway kills inbound VPN traffic that is routed towards the peer on an external interface route if there is a wider route matching an internal interface.

If this is intended behaviour, no real-world scenario like the ones above has been considered.

At the moment we have to create anti-spoofing exception groups or disable anti-spoofing altogether. This is probably not what Check Point must have had in mind when designing this behaviour?

Any suggestions?

15 Replies
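The two behaviours the post contrasts can be made concrete with a small model of how an interface's legitimate source space is derived from the routing table. This is an added example written for this page, not Check Point code and not the original poster's configuration: the routing table, interface names and addresses are constructed, and the "aggregate" model is only an assumed reconstruction of the behaviour the post describes (each internal interface owns the union of every prefix routed out of it, and the external interface accepts whatever no internal interface claims). The second model applies longest-prefix match, so an address owned by a more specific route out of the external interface is not treated as spoofed when it arrives there.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str


# Constructed routing table (hypothetical, not from the original post):
# 10.0.0.0/8 sits behind the internal interface eth0, but 10.20.0.0/16 is
# reachable northbound through a peer gateway on the external interface eth1,
# which also carries the default route.
ROUTES = [
    Route(ipaddress.ip_network("10.0.0.0/8"), "eth0"),
    Route(ipaddress.ip_network("10.20.0.0/16"), "eth1"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "eth1"),
]
EXTERNAL = "eth1"  # assumption: the interface holding the default route


def is_spoofed_aggregate(src, ingress, routes=ROUTES, external=EXTERNAL):
    """Assumed model of 'network defined by routes' as the post describes it.

    Each internal interface owns the union of all prefixes routed out of it,
    ignoring more specific routes that point elsewhere. The external interface
    accepts only sources that no internal interface claims.
    """
    if ingress == external:
        return any(src in r.prefix for r in routes if r.iface != external)
    return not any(src in r.prefix for r in routes if r.iface == ingress)


def owning_interface(src, routes=ROUTES):
    """Longest-prefix match: interface of the most specific route covering src."""
    best = None
    for r in routes:
        if src in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best.iface if best else None


def is_spoofed_lpm(src, ingress, routes=ROUTES):
    """Route-consistent check: a source is legitimate on the interface that
    the most specific route would use to reach it."""
    return owning_interface(src, routes) != ingress


def compare(src_str, ingress):
    """Return both verdicts for one packet, to show where the models diverge."""
    src = ipaddress.ip_address(src_str)
    return {
        "src": src_str,
        "ingress": ingress,
        "aggregate_drops": is_spoofed_aggregate(src, ingress),
        "lpm_drops": is_spoofed_lpm(src, ingress),
    }


if __name__ == "__main__":
    # Constructed packets: peer-routed 10.20.x.y arriving on the external
    # interface is the case the post complains about.
    for pkt in [("10.20.1.5", "eth1"), ("10.1.1.1", "eth1"), ("8.8.8.8", "eth1"),
                ("10.20.1.5", "eth0")]:
        print(compare(*pkt))
```

Under the aggregate model the peer-routed source 10.20.1.5 is dropped on eth1 because it falls inside eth0's 10.0.0.0/8, which is the symptom described above; under longest-prefix match it is accepted on eth1 and, conversely, rejected on eth0, while a genuinely internal 10.1.1.1 arriving on eth1 is dropped by both models.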