This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Moudar
MVP Silver
MVP Silver
‎2024-04-29 06:40 AM
Jump to solution

Anti-spoofing "Don't check packets from"

Hi

I got a problem with Anti-spoofing in my lab. When activating anti-spoofing on an external interface, i cannot install the policy and get this error:

anti1.JPG

anti2.JPG

running "fw unloadlocal" will fix it once, and then it will again send the same error message.

Disabling anti-spoofing on the external interface and then no problem to install the policy!

The problem is that adding the 10.1.1.0 subnet under "Don't check packets from" does not help! I still get the same error when trying to install the policy:

anti3.JPG

any ideas!

0 Kudos
1 Solution

Accepted Solutions
the_rock
MVP Platinum
MVP Platinum
‎2024-04-29 06:46 AM
Jump to solution

Just check first option under topology, not override.

Also, check this:

https://support.checkpoint.com/results/sk/sk115276

You can run ip r g 8.8.8.8 to verify routing is good, or run route command from expert mode to confirm.

Best,

Andy

Best,
Andy

View solution in original post

8 Replies
the_rock
MVP Platinum
MVP Platinum
‎2024-04-29 06:46 AM
Jump to solution

Just check first option under topology, not override.

Also, check this:

https://support.checkpoint.com/results/sk/sk115276

You can run ip r g 8.8.8.8 to verify routing is good, or run route command from expert mode to confirm.

Best,

Andy

Best,
Andy
Moudar
MVP Silver
MVP Silver
‎2024-04-29 07:33 AM
In response to the_rock
Jump to solution

Thank you Andy.

removing  "not override" was the solution for that problem!

But i still wonder what did that "override" do in that situation?  

0 Kudos
Moudar
MVP Silver
MVP Silver
‎2024-04-29 07:43 AM
In response to Moudar
Jump to solution

Or maybe i need to say that it works sometimes:

anti4.JPG

i mean this ping is working sometimes and dropping some other times?!

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2024-04-29 07:46 AM
In response to Moudar
Jump to solution

Mark down below description and use it whenever in doubt, because in my experience, works 100% of the time, just make sure routing is 100% right.

Andy

 

Understanding Topology

An interface can be defined as being External (leading to the Internet) or Internal (leading to the LAN).

The type of network that the interface Leads To:

  • Internet (External) or This Network (Internal) - This is the default setting. It is automatically calculated from the topology of the gateway. To update the topology of an internal network after changes to static routes, click Network Management > Get Interfaces in the General Properties window of the gateway.

  • Override - Override the default setting.

If you Override the default setting:

  • Internet (External) - All external/Internet addresses

  • This Network (Internal) -

    • Not Defined - All IP addresses behind this interface are considered a part of the internal network that connects to this interface

    • Network defined by the interface IP and Net Mask - Only the network that directly connects to this internal interface

    • Network defined by routes - The gateway dynamically calculates the topology behind this interface. If the network changes, there is no need to click "Get Interfaces" and install a policy.

    • Specific - A specific network object (a network, a host, an address range, or a network group) behind this internal interface

    • Interface leads to DMZ - The DMZ that directly connects to this internal interface

Best,
Andy
0 Kudos
Moudar
MVP Silver
MVP Silver
‎2024-04-29 07:47 AM
In response to Moudar
Jump to solution

or something like this:

anti5.JPG

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2024-04-29 07:53 AM
In response to Moudar
Jump to solution

If you still have issues, I would say it need more investigation. Maybe do fw monitor with -F flag and see whats happening with the traffic. Alternatively, you can do ip r g command to dst IP and make sure route is right.

Example...if dst is say 10.10.10.10, just run ip r g 10.10.10.10 from expert mode.

Andy

My lab:

[Expert@cpazurecluster1:0]# ip r g 10.10.10.10
10.10.10.10 via 10.5.0.1 dev eth0 src 10.5.0.4
cache
[Expert@cpazurecluster1:0]#

Best,
Andy
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2024-04-29 07:44 AM
In response to Moudar
Jump to solution

Here is the difference. Though its exact SAME description, you should NEVER change it, specially for external interface, because its auto calculated.

Interface - Topology Settings (checkpoint.com)

So, in layman's terms, if you override and set to Internet (external_ though its same as top setting, it may inadvertantly "think" its supposed to calculate the IP from some random external source.

Best,

Andy

Best,
Andy
0 Kudos
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2024-04-29 06:23 PM
Jump to solution

'External' means 'everything that isn't configured on one of the internal interfaces'. So make sure your internal interfaces aren't configured to anything too broad, or with a large subnet that overlaps a smaller subnet that routes out the external interface.

Given the drop happened on the 'eth4' interface, this is the external one?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events