vas
Contributor

Network Defined by Routes: Anti-Spoofing

Hi Experts,

I'd like to seek your help in configuring the anti-spoofing config. We'll be configuring the firewalls (R81.10) in Active/Standby as follows:

Internet Firewall eth1 (10.0.0.1/30) -> (10.0.0.2/30) Internet Router (Public IP) -> ISP -> Internet

Internet Firewall eth2 (10.2.0.1/30) -> (10.2.0.2/30) Internal Firewall -> Core switch -> Internal Networks

On eth1, as this is a private IP, do I just need to configure it as "External (Internet)", or do I need to select External (Internet) WITH an anti-spoofing exception for the egress private IP (10.0.0.0/30)?

Also, on eth2, do I need to select "Network defined by routes", or do I need to manually specify the internal networks in a network group?

Note: We have static routes (10.0.0.0/8, 172.16.0.0/16) from the Internet-facing firewalls to the internal firewalls, which in turn connect to the core switches.

Thanks for your support !


Accepted Solutions
Chris_Atkinson
Employee

The simplest explanation is that if a given source address is expected to communicate from behind a particular interface it needs to be accounted for in its anti-spoofing configuration. 

The Network defined by routes option can be helpful in reducing the ongoing manual maintenance of the spoofing configuration (note it doesn't work precisely the same as uRPF).

CCSM R77/R80/ELITE


6 Replies
vas
Contributor

Hi Mate,

Thanks for the reply. But my query is: should the private IP address of eth1 be included as an exception, or does just configuring the interface as 'External' work like a charm?

Also, since I'm using static routes for traffic forwarding towards the internal networks, do I need to add the networks to be accounted for in the network group manually?

I'm of the opinion that 'Network defined by routes' would work for dynamic routing, and would like to get your assistance on the above.

Thanks in advance.

_Val_
Admin

Network defined by routes should include dynamic routes as well. By default, the system pulls all kernel routes every second.

Here is where you can check the settings:

[Screenshot: Screenshot 2022-08-06 at 21.33.01.png, showing the anti-spoofing settings]

Chris_Atkinson
Employee

I would create an exception for the private network in case there is overlap.

Static and dynamic; note we don't take the priority/rank into consideration here.

CCSM R77/R80/ELITE
vas
Contributor

Hi Mate,

Thanks for your help so far. From the reply, I'd assume that 'Network defined by routes' would consider static routes as well to calculate the topology behind an interface (and not just dynamic routing).

And, final one: we have a remote-access VPN solution (non-Check Point product) where users are provisioned with IP addresses from 10.19.5.0/24. Do I need to create an exception for the same on the "External" interface?

Chris_Atkinson
Employee

If the clients on this private range are accessing things behind the Check Point, routing in via its external interface, then most likely yes.

CCSM R77/R80/ELITE
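To make the thread's reasoning concrete, here is an added example (my own toy model, not Check Point code, and not a reproduction of how the gateway actually computes topology) that applies the rule stated in the accepted answer: a source address arriving on an interface is accepted only if that interface's topology, derived from the routing table the way "Network defined by routes" does it, covers the source, or an explicit anti-spoofing exception does. An "External" interface is modelled as "anything that is not behind an internal interface", and, as Chris notes, route priority/rank is ignored. The interfaces, static routes, external /30 and VPN pool are the ones from this thread; the model shows why the 10.0.0.0/30 link subnet (swallowed by the 10.0.0.0/8 static route behind eth2) and the third-party VPN pool 10.19.5.0/24 both need exceptions on eth1.

```python
"""
Toy model of "Network defined by routes" anti-spoofing (added example,
not Check Point's implementation). Addresses are the ones from the thread.
"""
import ipaddress
from dataclasses import dataclass, field

Net = ipaddress.IPv4Network


@dataclass
class Interface:
    name: str
    address: Net                   # the interface's own connected subnet
    external: bool = False         # "External (Internet)" in the topology
    exceptions: list = field(default_factory=list)  # anti-spoofing exceptions
    routed: list = field(default_factory=list)      # filled in by build_topology


@dataclass
class Route:
    prefix: Net
    via_iface: str                 # priority/rank deliberately not modelled


def build_topology(ifaces, routes):
    """Derive each interface's 'behind' networks from the route table."""
    by_name = {i.name: i for i in ifaces}
    for i in ifaces:
        i.routed = [i.address]     # the connected subnet is always behind it
    for r in routes:
        if r.prefix == Net("0.0.0.0/0"):
            continue               # the default route adds no internal network
        by_name[r.via_iface].routed.append(r.prefix)
    return by_name


def internal_nets(topo):
    """Every prefix that sits behind a non-external interface."""
    return [n for i in topo.values() if not i.external for n in i.routed]


def is_legit_source(topo, iface_name, src):
    """Anti-spoofing verdict for a packet with source src arriving on iface."""
    src = ipaddress.IPv4Address(src)
    iface = topo[iface_name]
    if any(src in n for n in iface.exceptions):
        return True
    if iface.external:
        # External: accept anything that is NOT behind an internal interface.
        return not any(src in n for n in internal_nets(topo))
    return any(src in n for n in iface.routed)


def overlaps(topo):
    """External link subnets that an internal routed prefix also covers."""
    found = []
    for i in topo.values():
        if not i.external:
            continue
        for n in internal_nets(topo):
            if i.address.subnet_of(n):
                found.append((i.name, str(i.address), str(n)))
    return found


def add_exception(topo, iface_name, prefix):
    """Model SmartConsole's 'anti-spoofing exception' on one interface."""
    topo[iface_name].exceptions.append(Net(prefix))
    return topo


def thread_scenario():
    """The Internet firewall from the original post (constructed input)."""
    ifaces = [
        Interface("eth1", Net("10.0.0.0/30"), external=True),  # to Internet router
        Interface("eth2", Net("10.2.0.0/30")),                 # to internal firewall
    ]
    routes = [
        Route(Net("0.0.0.0/0"), "eth1"),
        Route(Net("10.0.0.0/8"), "eth2"),        # static, per the post
        Route(Net("172.16.0.0/16"), "eth2"),     # static, per the post
    ]
    return build_topology(ifaces, routes)


if __name__ == "__main__":
    topo = thread_scenario()
    print("overlaps needing an exception:", overlaps(topo))
    for iface, src in [("eth2", "172.16.5.9"), ("eth1", "172.16.5.9"),
                       ("eth1", "10.0.0.2"), ("eth1", "10.19.5.7")]:
        verdict = "legit" if is_legit_source(topo, iface, src) else "SPOOFED"
        print(f"{src} on {iface}: {verdict}")
    add_exception(topo, "eth1", "10.0.0.0/30")   # the link subnet, per Chris
    add_exception(topo, "eth1", "10.19.5.0/24")  # the third-party RA VPN pool
    print("router and VPN client after exceptions:",
          is_legit_source(topo, "eth1", "10.0.0.2"),
          is_legit_source(topo, "eth1", "10.19.5.7"))
```

Without the exceptions, the Internet router's own address 10.0.0.2 and any VPN client in 10.19.5.0/24 are classed as spoofed on eth1, because both fall inside 10.0.0.0/8, which the static route places behind eth2; that is exactly the overlap case the replies warn about. The `overlaps()` check is the kind of sanity pass worth doing whenever a summary route on an internal interface could swallow an external link subnet.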
