This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
cdooer
Participant
‎2021-06-22 06:33 AM

Private IP showing up on external interface

Hey folks. Our SecOps team noticed some irregular log entries on our gateways coming from what appears to be a private IP (10.10.x.x), and after some investigation, the traffic is only showing up on our Internet facing external interfaces. The traffic is blocked, so it isn't a security concern really, but our SecOps team thinks we should open a TAC case to figure out how it's happening. Anyone ever seen something like this before? I obviously know about IP spoofing, just wondering how a spoofed private IP makes it all the way to our gateways.

0 Kudos
2 Replies
the_rock
Legend
Legend
‎2021-06-22 07:11 AM

Some things to check:

-on Gaia OS level, can you confirm external interface is configured properly?

-what do you see when running ifconfig -a from ssh?

-in topology in dashboard, what does that interface show?

If you could send screenshots of this (obviously, you can blur out the IP itself), might be helpful.

0 Kudos
Wolfgang
Authority
Authority
‎2021-06-22 01:06 PM

@cdooer 

I think IP spoofing is the right idea. As I understand you can see packets blocked on your external interface with private IP as source. It‘s possible to send a packet to your gateways external public IP with an private IP as source. All ISPs should not route packets with private IPs as destination, but with private IPs as source this is possible. Some ISPs allow this some not.

It‘s too possible a device in front of your external connection does create these traffic.

Wolfgang

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events