Does anyone know of a way to see your anti-spoofing configuration per interface on the CLI?
Basically --
Look at this article:
Show Address Spoofing Networks via CLI
Regards
Heiko
Hello, for each interface in the topology you can set the anti-spoofing.
Yes - I know it can be done in the GUI.
I want to know if anyone has found a way to check it on the local gateway. The GUI is currently very time consuming to audit, but scripting to gateways is very simple.
I'm guessing since it's part of the policy, it won't be super easy to find on the local gateway.
Hello Bryce, I think this info should be useful:
fw ctl set int fw_antispoofing_enabled 0
sim feature anti_spoofing off ; fwaccel off ; fwaccel on
fw ctl set int fw_antispoofing_enabled 1
sim feature anti_spoofing on ; fwaccel off ; fwaccel on
This was posted at https://community.checkpoint.com/thread/5319-my-top-3-check-point-cli-commands
Isn't that just a global anti-spoofing setting? I can't tell what the configuration per interface is.
Hello Pablo,
How can we disable anti spoofing from command line in R80.20?
In R80.20 GA the following command has been removed:
sim feature anti_spoofing off
[Expert@pa:0]# sim feature anti_spoofing off
Command 'sim feature' has been replaced. Use 'fwaccel feature' instead.
[Expert@pa:0]# fwaccel feature anti_spoofing off
Invalid feature 'anti_spoofing'
Usage: fwaccel feature <name> {on|off|get}
Available features: sctp
Any suggestions?
Many thanks.
Kind regards,
Kris
Firewall CLI or R80+ SMS CLI?
--
My Book "Max Power: Check Point Firewall Performance Optimization"
Second Edition Coming Soon
Firewall CLI at the moment.
I don't think there is a direct way to pull this info from the running firewall kernel (I originally thought it could be provided by the sim ranges command), but what you can do is first run fw ctl iflist on the firewall to get the list of interfaces, and then view (not edit!) the firewall's $FWDIR/state/local/FW1/local.set file. In that file you will find a section called "if_info" and under that "objtype (gw)" and then an indented list of firewall interfaces. Under each firewall interface you will see two values:
has_addr_info (true|false)
  true: antispoofing enabled on that interface
  false: antispoofing is disabled on that interface
monitor_only (true|false)
  true: antispoofing action is Detect on that interface
  false: antispoofing action is Prevent on that interface
I'm sure someone could script something to pull this info out of the file a bit easier...
--
My Book "Max Power: Check Point Firewall Performance Optimization"
Second Edition Coming Soon
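An added example, not code from the thread or from Check Point: a Python parser that reports the per-interface anti-spoofing state the answer above describes. The sample text and its `:key (value)` nesting are constructed assumptions, and the function names are hypothetical; only `if_info`, `objtype (gw)`, `has_addr_info` and `monitor_only` come from the post.

```python
import re

# Constructed sample. The ":key (value)" nesting is an assumed layout; only the
# names if_info, objtype (gw), has_addr_info, monitor_only are from the thread.
SAMPLE = """:if_info (
    :objtype (gw)
    : (eth0
        :has_addr_info (true)
        :monitor_only (false))
    : (eth1
        :has_addr_info (true)
        :monitor_only (true))
    : (eth2
        :has_addr_info (false)
        :monitor_only (false))
)"""

TOKEN = re.compile(r'\(|\)|"[^"]*"|:[^\s()]*|[^\s():][^\s()]*')

def parse(text):
    """Build nested [key, value, children] nodes from the parenthesised text."""
    root, key = ["", "", []], ""
    stack = [root]
    for tok in TOKEN.findall(text):
        if tok == "(":
            stack[-1][2].append([key, "", []])
            stack.append(stack[-1][2][-1])
            key = ""
        elif tok == ")":
            stack = stack[:-1] or [root]  # tolerate a stray ')'
        elif tok[0] == ":":
            key = tok[1:]
        elif not stack[-1][1]:
            stack[-1][1] = tok.strip('"')  # first bare word is the node's value
    return root

def antispoofing(text):
    """Map each interface under if_info to 'disabled', 'detect' or 'prevent'."""
    result = {}
    def walk(node, inside):
        key, value, children = node
        inside = inside or key == "if_info"
        attrs = {c[0]: c[1] for c in children}
        if inside and "has_addr_info" in attrs:
            mode = "detect" if attrs.get("monitor_only") == "true" else "prevent"
            result[key or value] = mode if attrs["has_addr_info"] == "true" else "disabled"
        for child in children:
            walk(child, inside)
    walk(parse(text), False)
    return result
```

On a gateway, pass it the contents of the real file, opened read-only, and compare the returned mapping against the interfaces listed by fw ctl iflist. The walker does not depend on how deep the interface entries sit below if_info, and it accepts the interface name either as the node's key or as its first value.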
Tim - this is great information! I'm going to build a script to check for these settings on the gateway.
Looking on my R80.10 gateway, for each interface, I also see interface_topology which tells you what subnets are "valid" on a given interface (assuming that's useful to your task).
Yep, that same $FWDIR/state/local/FW1/local.set on the firewall does show the calculated network topology for each interface as well as the anti-spoofing settings. Could definitely be handy if there are lots of nested groups specified in the anti-spoofing settings that make figuring out the actual topology (and resulting anti-spoofing enforcement) difficult from the SmartDashboard/SmartConsole.
--
My Book "Max Power: Check Point Firewall Performance Optimization"
Second Edition Coming Soon
I think there is an opportunity to leverage GUIDBedit from the management CLI to look at the policy, but even if it's changed in the policy - if it hasn't been deployed, the gateway doesn't actually have the anti-spoofing settings.