This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Dor_Marcovitch
Advisor
‎2017-12-19 03:18 AM

Dynamic Routing Anti Spoofing

hey

1) how can you enforce AntiSpoofing on interfaces that learn routes from dynamic protocol  (OSPF / RIP )?

2) i also have one network which is directlry connected to the FW and in a DR scenario someone will shut the interface and this network will failover to the DR so i need the FW to be updated acordingly with the anti-spoofing configuration

FW Version is R77.30

0 Kudos
7 Replies
PhoneBoy
Admin
Admin
‎2017-12-19 04:17 PM

Antispoofing based on dynamic routing configuration is something that is planned for a later release.

Any updates to the anti-spoofing configuration could be scripted (with the R80.10 API or even with dbedit) but a policy installation is required for it to take effect.

scottikon
Contributor
‎2019-06-07 01:42 AM
In response to PhoneBoy

Is there any more update on this topic? I am struggling to find much information.

 

Thanks

0 Kudos
Bryce_Myers
Collaborator
‎2019-06-07 02:17 PM
In response to scottikon

If you are running 80.20 gateway and management you should be able to select "Network Defined by Routes". I haven't tested this in my environment dynamic routing.
0 Kudos
scottikon
Contributor
‎2019-06-08 04:29 AM
In response to Bryce_Myers

Thank you, 

That is an option we can look to test for one of the interfaces. The other interface is defined as external so I don't have that option. 

0 Kudos
scottikon
Contributor
‎2019-06-08 05:19 AM
In response to Bryce_Myers

Thank you. 

This is something we can try on one of our interfaces that is used for BGP. 

The second interface we have is configured as External topology so we don't have the option to select "networks defined by routes". 

We will just have to create a group and manually update that when we know of new subnets that are to be advertised to us. 

Thanks

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-06-08 11:10 AM
In response to scottikon

I think you should ask yourself the question here, why are you using External on that interface if you still need to Anti-Spoofing?
In fact an interface set to external with enabled Anti-Spoofing will just use a scheme that says: anything is allowed that is not defined by all other (non External) interfaces.
Regards, Maarten
Bryce_Myers
Collaborator
‎2019-06-09 07:04 AM
In response to Maarten_Sjouw

I would agree with Maarten -- You really shouldn't have to define a custom group if you are defining it as an external interface.
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top