cem82
Contributor

Antispoofing with dynamic routing

Hi

For antispoofing config (on R80.30 and R81.10), is it fine to be internal > defined by routes on the OSPF/BGP interfaces? Do routing changes take effect immediately in terms of the antispoofing checks, or does it recalculate every X amount of time etc? Any gotchas that we should be aware of?

Thanks

0 Kudos
3 Replies
the_rock
Legend

That is exactly how you should have it. I did that for 2 customers and it has worked fine for more than a year now, no issues. For your reference, below is from the SmartConsole doc, and this applies literally to any R80+ version:

  • Network defined by routes - The gateway dynamically calculates the topology behind this interface. If the network changes, there is no need to click "Get Interfaces" and install a policy.

R80.20 smart console guide 

0 Kudos
Timothy_Hall
Legend

Yes, network defined by routes will work fine. The routing table is checked for updates every 1 second and the topology is updated accordingly based on this setting:

[Image: update.png]

0 Kudos
Tobias_Moritz
Advisor

If you have overlapping routes, you should read my post here:
https://community.checkpoint.com/t5/Security-Gateways/Security-Flaw-in-Dynamic-Anti-Spoofing-R80-20-...

Summary: Check Point's implementation of "Antispoofing defined by routes" does not follow the RFC or the normal routing logic (most specific route is taken). It will not block anything needed, but allows more than needed.

0 Kudos
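
Added example, not part of any post in this thread and not Check Point's code: a simplified model of the overlapping-route point in the last reply, comparing a most-specific-route source check with an assumed "any covering route via the interface" check, plus a helper that lists the overlaps worth reviewing. The routing table, interface names and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample routes for internal interfaces: (prefix, interface).
ROUTES = [
    ("10.0.0.0/8", "eth1"),
    ("10.1.0.0/16", "eth2"),      # more specific route overlapping the /8
    ("192.168.50.0/24", "eth2"),
]

def parse(routes):
    return [(ipaddress.ip_network(p), i) for p, i in routes]

def lpm_interface(src, routes):
    """Interface of the most specific route covering src (normal routing logic)."""
    addr = ipaddress.ip_address(src)
    matches = [(n, i) for n, i in parse(routes) if addr in n]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def strict_check(src, iface, routes):
    """Accept src on iface only if the most specific route points to iface."""
    return lpm_interface(src, routes) == iface

def union_check(src, iface, routes):
    """Assumed simplified model of the looser behaviour described above:
    accept src on iface if ANY route via iface covers it."""
    addr = ipaddress.ip_address(src)
    return any(i == iface and addr in n for n, i in parse(routes))

def overlapping_routes(routes):
    """List (narrow, narrow_if, broad, broad_if) where a more specific route
    points to a different interface than a covering route. Sources in
    `narrow` may pass union_check on broad_if while strict_check rejects them."""
    table = parse(routes)
    found = []
    for broad, b_if in table:
        for narrow, n_if in table:
            if narrow != broad and n_if != b_if and narrow.subnet_of(broad):
                found.append((str(narrow), n_if, str(broad), b_if))
    return sorted(found)

if __name__ == "__main__":
    for src, iface in [("10.1.2.3", "eth1"), ("10.1.2.3", "eth2"), ("10.2.0.1", "eth1")]:
        print(src, iface, "strict:", strict_check(src, iface, ROUTES),
              "union:", union_check(src, iface, ROUTES))
    for row in overlapping_routes(ROUTES):
        print("review overlap:", row)
```

Running `overlapping_routes` over an export of the gateway's own routing table shows where the two checks would diverge, which is where explicit anti-spoofing groups may be preferable.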
