Hello!!
I find a problem deploying a new gateway in R81.20 (open server), and I hope someone could help me.
The management and the firewall are in different subnets. I have performed a fw unloadlocal in the gateway before the SIC initialization process, but I have noticed all traffic from remote networks is dropped by antispoofing even when the routes are well configured and I have disabled the policy in the firewall.
Does anybody know if there is any way to disable this antispoofing protection?
Best regards!
Yes, but don't do that, UNLESS it's Check Point in Azure, then it has to be disabled. This is where you modify it, make sure it's set per route setting, as that automatically updates it, OR as long as group defined is correct.
Best,
Andy
To disable Anti-Spoofing either completely or partly just edit the relevant interface in SmartConsole:
Good reference
Interface - Topology Settings (checkpoint.com)
An interface can be defined as being External (leading to the Internet) or Internal (leading to the LAN).
The type of network that the interface Leads To:
- Internet (External) or This Network (Internal) - This is the default setting. It is automatically calculated from the topology of the gateway. To update the topology of an internal network after changes to static routes, click Network Management > Get Interfaces in the General Properties window of the gateway.
- Override - Override the default setting.
If you Override the default setting:
- Internet (External) - All external/Internet addresses
- This Network (Internal):
  - Not Defined - All IP addresses behind this interface are considered a part of the internal network that connects to this interface
  - Network defined by the interface IP and Net Mask - Only the network that directly connects to this internal interface
  - Network defined by routes - The gateway dynamically calculates the topology behind this interface. If the network changes, there is no need to click "Get Interfaces" and install a policy.
  - Specific - A specific network object (a network, a host, an address range, or a network group) behind this internal interface
  - Interface leads to DMZ - The DMZ that directly connects to this internal interface
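A simplified model of the internal-interface topology options quoted above, added here as an illustration (not Check Point code and not part of the original post): it shows why a management server reached through a newly added router is dropped under some settings and accepted under others. The addresses, mode names and function names are assumptions made for the example.

```python
import ipaddress as ipa

# Constructed sample: a static route to the management subnet through a
# newly added router behind eth1. All addresses are made up.
ROUTES = [("10.9.9.0/24", "eth1"), ("0.0.0.0/0", "eth0")]
MGMT_SRC = "10.9.9.10"

def allowed_sources(iface, routes):
    """Networks this simplified check accepts as packet sources on iface.
    Returns None when every source is accepted ("Not Defined")."""
    own = ipa.ip_interface(iface["addr"]).network
    mode = iface["leads_to"]
    if mode == "not_defined":
        return None
    if mode == "ip_and_mask":
        return [own]  # only the directly connected network
    if mode == "routes":
        # directly connected network plus every route leaving via this interface
        routed = [ipa.ip_network(d) for d, dev in routes if dev == iface["name"]]
        return [own] + routed
    if mode == "specific":
        return [ipa.ip_network(n) for n in iface["specific"]]
    raise ValueError(f"unknown topology mode: {mode}")

def verdict(src, iface, routes):
    """Accept the packet if its source lies behind the receiving interface."""
    nets = allowed_sources(iface, routes)
    ip = ipa.ip_address(src)
    if nets is None or any(ip in n for n in nets):
        return "accept"
    return "drop (source not behind interface)"

def eth1(leads_to, specific=()):
    """Hypothetical internal interface used by the sample cases."""
    return {"name": "eth1", "addr": "10.1.1.1/24",
            "leads_to": leads_to, "specific": list(specific)}

if __name__ == "__main__":
    cases = [
        ("ip_and_mask", ()),
        ("specific", ("10.1.1.0/24", "10.5.0.0/16")),  # group not updated
        ("specific", ("10.1.1.0/24", "10.9.9.0/24")),  # group updated
        ("routes", ()),
        ("not_defined", ()),
    ]
    for mode, spec in cases:
        print(f"{mode:12} {list(spec)} -> {verdict(MGMT_SRC, eth1(mode, spec), ROUTES)}")
```
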
If your issue is that you can't initiate SIC or install the policy because of anti-spoofing drops, and you can't change your antispoofing configuration and push policy because of that, and you want to disable it on the fly from the CLI temporarily
Try:
fw ctl set int fw_antispoofing_enabled 0
EXCELLENT idea!
Best,
Andy
This is exactly my issue! But I tried to do that following sk117618, but it didn't work!
The versions mentioned in this SK are from R77.20 to R80.40. Maybe this is the issue. I don't know if in the newest version there is another way to perform this action.
So you ran: fw ctl set int sim_anti_spoofing_enabled 0 -a
And turned fwaccel off and on as well?
If you reset SIC on the GW side after the cprestart, do you still have drops?
I try to execute this command, but it doesn't work
I haven't reset the SIC because I didn't perform the SIC in the first place. I don't know, if the antispoofing is something configured in SmartConsole, why the traffic is affected if the firewall has no policy installed...
Yes, it's configured in the GW object in SmartDashboard. Are you saying it's a freshly installed GW that never had SIC or policy installed before, and it still drops traffic on anti-spoofing?
Mm, not really. I need to change the interface configuration of this firewall. So I performed the following steps:
1. Clear the trust between Management and firewall (Because the new trust will be initialized in other interface)
2. cpconfig and re-establish the SIC password in the gateway.
3. Change the network interface and routing configuration. (A new router is added between Management and firewall)
4. I perform a fw unloadlocal (at this point I think I don't have to be worried about antispoofing). But for some reason I don't understand, it still affected traffic.
5. Try to initialize the SIC again.
Yes, I double-checked it on my R81.20 GW now,
try the following commands in this order:
fwaccel off
fw ctl set int fw_antispoofing_enabled 0
fwaccel on
Verify it is set to 0 by:
fw ctl get int fw_antispoofing_enabled
Try to initiate SIC now.
P.S. fw unloadlocal doesn't unload the antispoofing configuration
Thanks!! Maybe I didn't perform the commands in the correct order! 😄
Technically, turning off SecureXL would not have anything to do with anti-spoofing. I would double check you have it set correctly if it's in production.
Best,
Andy