- CheckMates
- :
- Products
- :
- Quantum
- :
- Security Gateways
- :
- Re: Dynamic Routing Anti Spoofing
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dynamic Routing Anti Spoofing
hey
1) how can you enforce AntiSpoofing on interfaces that learn routes from dynamic protocol (OSPF / RIP )?
2) i also have one network which is directlry connected to the FW and in a DR scenario someone will shut the interface and this network will failover to the DR so i need the FW to be updated acordingly with the anti-spoofing configuration
FW Version is R77.30
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Antispoofing based on dynamic routing configuration is something that is planned for a later release.
Any updates to the anti-spoofing configuration could be scripted (with the R80.10 API or even with dbedit) but a policy installation is required for it to take effect.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is there any more update on this topic? I am struggling to find much information.
Thanks
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you,
That is an option we can look to test for one of the interfaces. The other interface is defined as external so I don't have that option.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you.
This is something we can try on one of our interfaces that is used for BGP.
The second interface we have is configured as External topology so we don't have the option to select "networks defined by routes".
We will just have to create a group and manually update that when we know of new subnets that are to be advertised to us.
Thanks
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In fact an interface set to external with enabled Anti-Spoofing will just use a scheme that says: anything is allowed that is not defined by all other (non External) interfaces.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
