kadar2
Contributor

IP spoofing for just one IP Address

Dear all,

We are facing this weird situation. On the internal interface of our firewall we have configured antispoofing so that all of 10.0.0.0/8 is coming from this interface. Since we have other DMZs on this firewall that have an IP address in the 10.x.x.x form, we have excluded some (not all) of the DMZ subnets from the antispoofing mechanism of the internal interface (action: prevent and log).

My question is why aren't we getting drops for the packets that belong to the "not excluded" subnets? Out of the blue we saw drops from a DMZ IP towards a specific destination situated in the internal LAN. Traffic from the same IP to other stuff in the internal LAN is passing without any problems! Traffic from other IPs in the DMZ subnet towards the exact same destination is passing without problems! 

To sum it up:

Internal: 10.0.0.0/8

DMZ: 10.1.1.0/24, not excluded from the antispoofing mechanism on internal:

Destination: 10.2.2.2 , 10.3.3.3 (internal subnets)

Src: 10.1.1.1 --> 10.2.2.2 , 10.3.3.3 ok

Src: 10.1.1.2 --> 10.2.2.2 NOT ok (message on log: spoofing address)

Src: 10.1.1.2 --> 10.3.3.3 ok

Any insight will be highly appreciated!

0 Kudos
1 Reply
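An added example (not code from the post or from Check Point) that models each interface's anti-spoofing topology as a plain allow-list with an exclusion group, to show that leaving 10.1.1.0/24 out of the internal interface's exclusions makes DMZ sources legitimate on both interfaces, and that adding the exclusion removes the overlap. The interface names and the "ambiguous" classification are assumptions of this model, not Check Point's own logic.

```python
# Constructed model of per-interface anti-spoofing (not Check Point's implementation):
# a source is legitimate on an interface if it falls inside that interface's
# topology networks and is not in the interface's exclusion group.
import ipaddress


def build_topology(interfaces):
    """interfaces: {name: (topology networks, excluded networks)} as strings."""
    topo = {}
    for name, (nets, excl) in interfaces.items():
        topo[name] = ([ipaddress.ip_network(n) for n in nets],
                      [ipaddress.ip_network(e) for e in excl])
    return topo


def allowed_on(topo, iface, src):
    """True if src is inside iface's topology and not in its exclusion group."""
    addr = ipaddress.ip_address(src)
    nets, excl = topo[iface]
    if any(addr in e for e in excl):
        return False
    return any(addr in n for n in nets)


def classify(topo, iface, src):
    """'spoofed' if src is outside the arrival interface's topology,
    'ambiguous' if it is also legitimate on another interface, else 'ok'."""
    if not allowed_on(topo, iface, src):
        return "spoofed"
    others = [i for i in topo if i != iface and allowed_on(topo, i, src)]
    return "ambiguous" if others else "ok"


# Constructed from the post: internal is 10.0.0.0/8 and the DMZ is not excluded.
AS_POSTED = build_topology({
    "internal": (["10.0.0.0/8"], []),
    "dmz": (["10.1.1.0/24"], []),
})
# The same topology with the DMZ subnet added to internal's exclusion group.
WITH_EXCLUSION = build_topology({
    "internal": (["10.0.0.0/8"], ["10.1.1.0/24"]),
    "dmz": (["10.1.1.0/24"], []),
})

if __name__ == "__main__":
    for src in ("10.1.1.1", "10.1.1.2"):
        print(src, "arriving on dmz, as posted:", classify(AS_POSTED, "dmz", src))
        print(src, "arriving on dmz, with exclusion:", classify(WITH_EXCLUSION, "dmz", src))
    # Once excluded, a DMZ address arriving on the internal interface is clearly spoofed.
    print("10.1.1.2 arriving on internal, with exclusion:",
          classify(WITH_EXCLUSION, "internal", "10.1.1.2"))
```

As posted, both 10.1.1.1 and 10.1.1.2 are classified the same way by this model, so the per-host difference seen in the logs cannot be explained by the topology alone; that is what the troubleshooting one-liner in the reply is for.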
Timothy_Hall
Legend

Please post the results from this one-liner, being sure to redact any Internet-routable outside addresses:

https://community.checkpoint.com/t5/Security-Gateways/One-liner-for-Address-Spoofing-Troubleshooting...


Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
