This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Dor_Marcovitch
Advisor
‎2017-12-19 03:18 AM

Dynamic Routing Anti Spoofing

hey

1) how can you enforce AntiSpoofing on interfaces that learn routes from dynamic protocol  (OSPF / RIP )?

2) i also have one network which is directlry connected to the FW and in a DR scenario someone will shut the interface and this network will failover to the DR so i need the FW to be updated acordingly with the anti-spoofing configuration

FW Version is R77.30

0 Kudos
Reply
7 Replies
PhoneBoy
Admin
Admin
‎2017-12-19 04:17 PM

Antispoofing based on dynamic routing configuration is something that is planned for a later release.

Any updates to the anti-spoofing configuration could be scripted (with the R80.10 API or even with dbedit) but a policy installation is required for it to take effect.

Reply
scottikon
Contributor
‎2019-06-07 01:42 AM
In response to PhoneBoy

Is there any more update on this topic? I am struggling to find much information.

 

Thanks

0 Kudos
Reply
Bryce_Myers
Collaborator
‎2019-06-07 02:17 PM
In response to scottikon

If you are running 80.20 gateway and management you should be able to select "Network Defined by Routes". I haven't tested this in my environment dynamic routing.
0 Kudos
Reply
scottikon
Contributor
‎2019-06-08 04:29 AM
In response to Bryce_Myers

Thank you, 

That is an option we can look to test for one of the interfaces. The other interface is defined as external so I don't have that option. 

0 Kudos
Reply
scottikon
Contributor
‎2019-06-08 05:19 AM
In response to Bryce_Myers

Thank you. 

This is something we can try on one of our interfaces that is used for BGP. 

The second interface we have is configured as External topology so we don't have the option to select "networks defined by routes". 

We will just have to create a group and manually update that when we know of new subnets that are to be advertised to us. 

Thanks

0 Kudos
Reply
Maarten_Sjouw
Champion
Champion
‎2019-06-08 11:10 AM
In response to scottikon

I think you should ask yourself the question here, why are you using External on that interface if you still need to Anti-Spoofing?
In fact an interface set to external with enabled Anti-Spoofing will just use a scheme that says: anything is allowed that is not defined by all other (non External) interfaces.
Regards, Maarten
Reply
Bryce_Myers
Collaborator
‎2019-06-09 07:04 AM
In response to Maarten_Sjouw

I would agree with Maarten -- You really shouldn't have to define a custom group if you are defining it as an external interface.
0 Kudos
Reply