Hey guys,
I really hope someone can clarify this for me. Had such strange issue with customer that is running 2 new instances of Azure vmss gateways on R81.20 and 2 still on R81 (until they are removed this or next week).
Anyway, what happened was I realized I could not ssh into either new R81.20 fws and once smart console launched, I saw anti spoofing was enabled, though no changes were done since week ago, when guy from CP PS team told us to leave spoofing off, as it was not supported, which I still find a bit odd, as it does not state that anywhere in the documentation (at least that I can find).
So, what we did was had to reset SIC on both firewalls, as smart dashboard was showing no communication and once that was done and spoofing disabled manually, all was well.
Here are 2 most pressing questions:
1) Is anti spoofing officially supported on Azure vmss CP firewalls?
2) Why would spoofing out of the blue be enabled??!! Makes me wonder if there is some sort of script or something on mgmt server that would cause this. It's worth mentioning that on their old R81 vmss gateway, anti spoofing was ENABLED without any problems.
Anyway, I opened a TAC case to see what they have to say, because all this has me baffled, for sure.
Thanks as always for the suggestions/help.
Best regards,
Andy
PS guy sent me this, so it does state anti spoofing must not be enabled. It still baffles me how it got enabled out of the blue, makes no logical sense. I'm not an Azure expert to dig into this further, but to me, it seems there is some sort of script or tool on mgmt server that could have caused it, but sadly, I have no proof of it...
Andy
CloudGuard Network for Azure Virtual Machine Scale Sets (VMSS) Deployment Guide (checkpoint.com)
It's definitely in the VMSS deployment guide known limitations:
"Anti-Spoofing is disabled by default on the VMSS instances eth0 and eth1 and must not be enabled"
Correct Chris, PS guy also sent me the same just before you responded. BUT, it still begs a question... how can such a feature change on its own?? To me, it makes no sense. That's why I was thinking there must be some sort of thing running on the mgmt that could potentially affect it? I honestly have no clue, simply my logical guess.
Thanks as always for your help.
Andy
As I recall you'll get a warning about topology/spoofing when installing policy, I've seen others who weren't aware of this limitation try to clear said message by "correcting" things.
Not saying that's what's happened here but it's one consideration.
Never seen that message in Azure when installing policy.
Andy
Hey guys,
Just to update on this quick. I had this super nice guy from TAC call me and he explained how anti spoofing works on Azure and why it's not needed on CP gateway side. I told him that in R81, feature was enabled, but I suppose that may have been due to the fact it was not fully implemented yet on load balancer end.
Anyway, I ended up running bunch of commands from below 2 links and it shows anti spoofing is 100% off, as it should be. I still don't know how something like this could happen in the first place out of the blue, but TAC assured me there is no script on the mgmt server that would cause this at all, so I'm comfortable with that answer and won't lose any sleep over this, as they say :-)
Thanks again for the help.
Andy
https://community.checkpoint.com/t5/Scripts/Show-AntiSpoofing-Networks-via-CLI/m-p/38776