This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ilovecheckpoint
Participant
‎2024-04-29 07:02 AM

Antispoofing and VPN on Domain-based VPN

We have a Checkpoint gateway who has plenty of vpn site to site with other Checkpoint managed by our organisation.

We use domain base VPN on both star/mesh mode.

I need to proper configure antispoofing on prevent mode.

Should I add on both ends "Dont't check packets from" including encryption domains, to prevent packets to be dropped by antispoofing?

On FWA to configure "Dont't check packets from" of encryption domain B, and viceversa? 

 

0 Kudos
8 Replies
_Val_
Admin
Admin
‎2024-04-29 07:09 AM

No, just plain physical topology will be enough

0 Kudos
Ilovecheckpoint
Participant
‎2024-04-29 07:23 AM
In response to _Val_

Hello Val,

Thank you for your answer.

On Gateway A, a VSX, the one who has plenty of vpn, the interface is set as external one.

When "Dont't check packets from" is unselected, on detect mode, all logs are seen as address spoofing.

On Gateway B (the other vpn end), "Dont't check packets from" is selected, for only mobile network configured on itself. No spoofing is detected/prevented.

 

0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
‎2024-04-29 10:54 AM
In response to Ilovecheckpoint

In antispoofing, External takes the topology of every Internal interface, combines them all, then logically inverts them into a "NOT Internal" topology definition. If antispoofing is flagging traffic on an external interface, that means one or more of your internal interfaces are configured incorrectly. My bet is there's a manual group on one or more internal interfaces which contains 10.0.0.0/8 or something similarly broad.

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2024-04-29 10:09 AM

All you do is this...simply add PEER's external IP into that group. You dont even need anything from the enc. domain, all it cares about is external peer's address.

Andy

 

 

Best,
Andy
0 Kudos
CheckPointerXL
Advisor
Advisor
‎2024-05-03 06:08 AM

Networks that belongs to VPN peers in route-based mode are usually added in group for don't check packet for

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2024-05-03 06:23 AM
In response to CheckPointerXL

Interesting...personally, I never had to do that and works fine.

Andy

Best,
Andy
0 Kudos
Duane_Toler
MVP Silver
MVP Silver
‎2024-05-03 08:11 AM

You should be able to set your interior-facing interfaces to "Defined by routes" for all gateways.  On the vpnt interfaces, set those with anti-spoofing disabled.  You exterior-facing interfaces (to internet) should remain as External.  Interfaces facing local-attached LANs (networks with no downstream next-hop) should remain as "This network" (not a static group).

I've moved just about all my customers to this dynamically-calculated topology and life has been pretty good.  We can do dynamic and static routing on both interior and VTI networks as needed.   Yep, it works on VSX, too.

 

"Defined by routes" will consult the RouteD FIB every few seconds for topology calculation and keep your network flexible at all points.  With R80.30+, you should almost(*) never have to use a hard-set group object to define topology anymore.

 

(*) Yes, "almost never"; no doubt someone has some special scenario, but this should be the exception rather than the rule now.

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
0 Kudos
CheckPointerXL
Advisor
Advisor
‎2024-05-03 08:15 AM
In response to Duane_Toler

i agree with your scenario

especially with vsx, absolutely suggest to use network defined by routes ; stay far away from "automatically calculated", which it creates a lot of duplicate objects that, in some scenario, it raises a lot of hard issues

 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events