This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
SriNarasimha005
Contributor
‎2022-08-06 02:30 AM
Jump to solution

Network Defined by Routes: Anti-Spoofing

Hi Experts,

I'd like to seek your help in configuring the Anti-spoofing config. We'll be configuring the firewalls (R81.10) in Active/Standby as follows:-

Internet Firewall eth1 (10.0.0.1/30) -> (10.0.0.2/30) Internet Router (Public IP) -> ISP -> Internet

Internet Firewall eth2 (10.2.0.1/30) -> (10.2.0.2/30) Internal Firewall -> Core switch -> Internal Networks

On eth1, as this is a private IP, should I need to just configure the "External (Internet)" or I need to select External (Internet) WITH the Anti-spoofing exceptions of the egress private IP (10.0.0.0/30)

Also, on eth2, should I need to select the "network defined by routes" or I need to manually specify the Internal networks in a network-group?

Note: We've static route (10.0.0.0/8, 172.16.0.0/16) from the Internet-facing firewalls to the Internal firewalls which is further connecting to the Core switches.

Thanks for your support !

Labels
0 Kudos
1 Solution

Accepted Solutions
Chris_Atkinson
Employee Employee
Employee
‎2022-08-06 04:34 AM
Jump to solution

The simplest explanation is that if a given source address is expected to communicate from behind a particular interface it needs to be accounted for in its anti-spoofing configuration. 

The Network defined by routes option can be helpful in reducing the ongoing manual maintenance of the spoofing configuration (note it doesn't work precisely the same a URPF). 

CCSM R77/R80/ELITE

View solution in original post

6 Replies
Chris_Atkinson
Employee Employee
Employee
‎2022-08-06 04:34 AM
Jump to solution

The simplest explanation is that if a given source address is expected to communicate from behind a particular interface it needs to be accounted for in its anti-spoofing configuration. 

The Network defined by routes option can be helpful in reducing the ongoing manual maintenance of the spoofing configuration (note it doesn't work precisely the same a URPF). 

CCSM R77/R80/ELITE
SriNarasimha005
Contributor
‎2022-08-06 08:10 AM
In response to Chris_Atkinson
Jump to solution

Hi Mate,

Thanks for the reply. But my query is that, should be private IP address of the eth1 be included as an exception or just configuring 'External' interface works like a charm?

Also, since I'm using static route for traffic forwarding towards Internal networks, do I need to add the networks to be accounted for in the network group manually?

I'm of opinion that, 'Network defined by routes' would work for the dynamic routing and would like to get your assistance on the above.

Thanks in advance.

 

0 Kudos
_Val_
Admin
Admin
‎2022-08-06 12:33 PM
In response to SriNarasimha005
Jump to solution

Network defined by routes should include dynamic routes as well. By default the system is pulling all kernel routes every second. 

Here is where you can check the settings:

Screenshot 2022-08-06 at 21.33.01.png

Chris_Atkinson
Employee Employee
Employee
‎2022-08-06 05:14 PM
In response to SriNarasimha005
Jump to solution

I would create an exception for the private network in case there is overlap.

Static & dynamic, note we don't take the priority/rank into consideration here.

CCSM R77/R80/ELITE
0 Kudos
SriNarasimha005
Contributor
‎2022-08-06 08:39 PM
In response to Chris_Atkinson
Jump to solution

Hi Mate,

Thanks for your help so far. From the reply, I'd assume, that 'network defined by routes' would consider static route as well to calculate topology behind an interface (and not just dynamic routing).

And, final one, we've a remote-access VPN solution (non-checkpoint product) where users are provisioned with the IP address of 10.19.5.0/24. Should I need to create an exception for the same on "External" interface?

 

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2022-08-06 11:07 PM
In response to SriNarasimha005
Jump to solution

If the clients on this private range are accessing things behind the Check Point routing in via it's external interface then most likely yes.

CCSM R77/R80/ELITE
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events