Local interface address spoofing with Https service
Hi all.
I have a problem with my Check Point FW which began about 1 month ago.
The FW has blocked https traffic with some information, like below:
Message Information Local interface address spoofing
Description https Traffic Dropped from 192.168.x.x to 10.x.x.x
Note that 192.168.x.x is the virtual inbound FW IP and 10.x.x.x is an internal server IP.
It first happened on June 13 and has continued until now.
I use Check Point SmartConsole R81.
Please help me or explain why, and please let me know how to resolve that.
Thanks a lot.
- Tags:
- R81
- smartconsole
That's an anti-spoofing error, which means that the firewall is seeing traffic incoming on an interface where IP packets with such a source address are not expected.
You have to check the anti-spoofing settings of all interfaces of that firewall (in Smart Console -> Gateway Settings -> Network Management -> Edit interfaces -> Topology).
Please keep in mind that having an interface with anti-spoofing set to "Internet (External)" does not mean it will accept all IP sources. Instead, it means it will accept all IP sources which are not covered by the specific anti-spoofing settings of all other interfaces.
Maybe you use groups on some internal interfaces for anti-spoofing and someone added a network to that group, not knowing it will affect anti-spoofing?
Maybe you use anti-spoofing defined by routes and (dynamic) routing has changed?
Building on this, if you can see accept logs from previous days when it was working, you will be able to see the interface the traffic was accepted on vs. the interface it is now being dropped on, which will hopefully give some indication.
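A simplified model of the anti-spoofing decision described in the replies above, added here as an illustration; it is not Check Point code or part of the original posts. The interface names, address ranges, the gateway address list and the rule that a source equal to one of the gateway's own addresses is reported as "local interface address spoofing" are assumptions made for the example.

```python
import ipaddress

# Constructed sample topology: interface names and ranges are hypothetical.
TOPOLOGY = {
    "eth0": {"type": "external", "networks": []},
    "eth1": {"type": "internal", "networks": ["10.1.0.0/16"]},
    "eth2": {"type": "internal", "networks": ["192.168.50.0/24"]},
}
# Addresses configured on the gateway itself (constructed).
GATEWAY_IPS = ("203.0.113.1", "10.1.0.1", "192.168.50.1")


def allowed_on(iface, src, topology=TOPOLOGY):
    """True if source address `src` is expected on interface `iface`."""
    ip = ipaddress.ip_address(src)

    def covers(name):
        return any(ip in ipaddress.ip_network(n)
                   for n in topology[name]["networks"])

    if topology[iface]["type"] == "internal":
        return covers(iface)
    # External: accept only what no other interface's definition covers.
    return not any(covers(other) for other in topology if other != iface)


def check(iface, src, topology=TOPOLOGY, gateway_ips=GATEWAY_IPS):
    """Return (verdict, reason) for a packet arriving on `iface`."""
    ip = ipaddress.ip_address(src)
    if any(ip == ipaddress.ip_address(g) for g in gateway_ips):
        # Assumption: a source equal to one of the gateway's own addresses
        # is what the log calls "local interface address spoofing".
        return ("drop", "local interface address spoofing")
    if allowed_on(iface, src, topology):
        return ("accept", "source expected on " + iface)
    expected = [i for i in topology if allowed_on(i, src, topology)]
    return ("drop",
            "address spoofing, source expected on: " + ", ".join(expected))


def with_added_network(topology, iface, network):
    """Copy of `topology` after `network` is added to `iface`'s definition."""
    changed = {k: {"type": v["type"], "networks": list(v["networks"])}
               for k, v in topology.items()}
    changed[iface]["networks"].append(network)
    return changed
```

Calling `check` on the same source address before and after `with_added_network` shows how adding a network to an internal interface's definition turns traffic that was accepted on the external interface into a drop, which is the comparison of old accept logs with new drop logs suggested in the last reply.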
