This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
kadar2
Contributor
‎2024-09-16 02:52 AM

IP spoofing for just one IP Address

Dear all,

We are facing this weird situation. On the internal interface of our firewall we have configured antispoofing so that all 10.0.0.0/8 is coming from this interface, Since we have other DMZs on this firewall that have an IP address in the 10.x.x.x. form, we have excluded some (not all) of the DMZ subnets from the antispoofing mechanism of the internal interface (action: prevent and log)

My question is why aren't we getting drops for the packets that belong to the "not excluded" subnets? Out of the blue we saw drops from a DMZ IP towards a specific destination situated in the internal LAN. Traffic from the same IP to other stuff in the internal LAN is passing without any problems! Traffic from other IPs in the DMZ subnet towards the exact same destination is passing without problems! 

To sum it up:

Internal: 10.0.0.0/8

DMZ: 10.1.1.0/24 not excluded from the anitspoofing mechanism on internal:

Destination: 10.2.2.2 , 10.3.3.3 (internal subnets)

Src: 10.1.1.1 --> 10.2.2.2 , 10.3.3.3 ok

Src: 10.1.1.2 --> 10.2.2.2 NOT ok (message on log: spoofing address)

Src: 10.1.1.2 --> 10.3.3.3 ok

Any insight will be highly appreciated!

0 Kudos
9 Replies
Timothy_Hall
Legend Legend
Legend
‎2024-09-16 05:44 AM

Please post the results from this one-liner, being sure to redact any Internet-routable outside addresses:

https://community.checkpoint.com/t5/Security-Gateways/One-liner-for-Address-Spoofing-Troubleshooting...

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
kadar2
Contributor
‎2024-09-16 11:55 PM
In response to Timothy_Hall

Hi Timothy,

 

Attached is the output for the related interfaces (DMZ and internal).

For one IP address from 10.20.32.0/18 subnet I get an antispoofing message when the destination address is in 10.0.0.0/8 subnet. All other IP addresses from 10.20.32.0/18 can access the same destination without any problems.

So the questions are:

Should 10.20.32.0/18 be excluded from the interfaces to be spoofed in the internal zone?

Why is just one IP address shown as spoofed? Could this be related to a setting on the specific PC?

Thank you in advance,

Katerina

 

Preview file
1 KB
0 Kudos
PhoneBoy
Admin
Admin
‎2024-09-17 02:01 PM
In response to kadar2

Is it the ingress or egress interface that the spoofing message is occurring on?
That will determine where we need to adjust anti-spoofing settings.

0 Kudos
kadar2
Contributor
‎2024-09-17 11:44 PM
In response to PhoneBoy

What you are stating is really interesting, because the interface on which the message is occuring should not be in the path at all!!!!

I will further look into that!

What I don't understand is if directly connected interfaces of the firewall should also be excluded from the spoofing checks on the interface connecting to the internal LAN. It confuses me, since we have excluded some, but not all DMZ directly connected subnets, and everything is working fine.

0 Kudos
PhoneBoy
Admin
Admin
‎2024-09-18 06:48 AM
In response to kadar2

Each packet is checked for anti-spoofing twice (in ingress interface and egress interface).
Knowing where it came from is, therefore, a critical part of resolving the issue. 

0 Kudos
(1)
kadar2
Contributor
‎2024-09-19 01:11 AM
In response to PhoneBoy

Thanks for the info.

Your questions helped me clarify the issue.

0 Kudos
PhoneBoy
Admin
Admin
‎2024-09-19 07:33 AM
In response to kadar2

Did you find the source of the issue?

0 Kudos
kadar2
Contributor
‎2024-09-24 02:08 AM
In response to PhoneBoy

Hi!

It seems that the issue was within the laptop itself, so we have arranged for a fresh installation of operating system and applications. Nothing could be found on the network side or on the Firewall.

0 Kudos
the_rock
Legend
Legend
‎2024-09-18 08:48 AM

See if this sk helps.

https://support.checkpoint.com/results/sk/sk115276

Also, here is important point about anti-spoofing options.

Andy

 

Interface - Topology Settings (checkpoint.com)

 

An interface can be defined as being External (leading to the Internet) or Internal (leading to the LAN).

The type of network that the interface Leads To:

  • Internet (External) or This Network (Internal) - This is the default setting. It is automatically calculated from the topology of the gateway. To update the topology of an internal network after changes to static routes, click Network Management > Get Interfaces in the General Properties window of the gateway.

  • Override - Override the default setting.

If you Override the default setting:

  • Internet (External) - All external/Internet addresses

  • This Network (Internal) -

    • Not Defined - All IP addresses behind this interface are considered a part of the internal network that connects to this interface

    • Network defined by the interface IP and Net Mask - Only the network that directly connects to this internal interface

    • Network defined by routes - The gateway dynamically calculates the topology behind this interface. If the network changes, there is no need to click "Get Interfaces" and install a policy.

    • Specific - A specific network object (a network, a host, an address range, or a network group) behind this internal interface

    • Interface leads to DMZ - The DMZ that directly connects to this internal interface

VPN Tunnel Interfaces

If the interface is part of a VPN Tunnel

the_rock_0-1726674511411.gif

 

, then the interface Leads To a Point to Point network. The interface is one end of the point to point connection. All traffic in the network behind the interface is part of the point to point connection. Click Override to define a specific network.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events