Hello community,
I think some of you really appreciated the new Anti-Spoofing feature in R80.20, which finally allowed us to define Anti-Spoofing by routes. This makes admins' lives easier, as only routing has to be configured correctly (and it allows some dynamic routing scenarios to work without scripting).
My team was also happy about that, and tests showed that it was working. Well, at least we thought so.
While this feature is not blocking traffic it should allow, it allows traffic which it shouldn't.
Maybe we were expecting too much or did not understand the documentation correctly, so please tell me, what you think.
Please take a look at this very simple static lab setup (I guess it is also a pretty common one in small real life setups):
What do you think happens when you send a spoofed IP packet which has a source address of 10.0.5.1 from Intranet to the firewall?
We expected it would be dropped by Anti-Spoofing, because the routing table on the gateway says this address would be routed to DMZ A and not to Intranet. There are two reasons for this routing decision (one would be enough):
- more specific route for this IP address on DMZ A instead of Intranet
- directly connected instead of static route
There is only one scenario where the gateway would send traffic to this IP address over the Intranet-facing interface from the routing point of view: if the gateway's interface to DMZ A is down. But in our test case, all interfaces are up and working.
So routing clearly says this IP address belongs to DMZ A, and therefore IP packets with such a source address should never come from Intranet.
Unfortunately, this is not how the Checkpoint implementation is working currently. This spoofed traffic is accepted.
It looks like the Checkpoint implementation is just grabbing all routing table entries for the interfaces and does not take care which routes have higher priority if conflicts exist and how the routing decision is really done.
So now the question to the community and Checkpoint staff: Is this the expected behavior?
Thank you for any ideas!
---
All tests were done with R80.30 JHFA T191 on Gaia 2.6.
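To make the two interpretations of "Anti-Spoofing by routes" concrete, here is an added example (not code from the original post or from Check Point) that models a constructed lab similar to the one described: DMZ A is directly connected on eth1 as 10.0.5.0/24, and Intranet is reached by a static route for 10.0.0.0/16 on eth2 (assumed prefixes and interface names). It contrasts a naive "union of each interface's route prefixes" check with a check that uses the real routing decision (longest prefix, connected before static) and tests the source address against the ingress interface.

```python
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    connected: bool  # directly connected is preferred over static on equal prefix length

# Constructed lab (assumption, not the poster's exact topology):
# eth1 = DMZ A, directly connected; eth2 = Intranet, static aggregate route
ROUTES = [
    Route(ipaddress.ip_network("10.0.5.0/24"), "eth1", True),
    Route(ipaddress.ip_network("10.0.0.0/16"), "eth2", False),
]

def egress_interface(routes, addr):
    """Real routing decision: longest prefix wins; on a tie, a connected route wins."""
    ip = ipaddress.ip_address(addr)
    best = None
    for r in routes:
        if ip in r.prefix:
            key = (r.prefix.prefixlen, r.connected)
            if best is None or key > (best.prefix.prefixlen, best.connected):
                best = r
    return best.iface if best else None

def naive_allowed(routes, ingress, src):
    """Per-interface union of route prefixes, ignoring which route actually wins.
    A source inside ANY prefix routed via the ingress interface is accepted."""
    ip = ipaddress.ip_address(src)
    return any(ip in r.prefix for r in routes if r.iface == ingress)

def route_aware_allowed(routes, ingress, src):
    """Accept only if the gateway would route back to this source via the ingress interface."""
    return egress_interface(routes, src) == ingress

def verdicts(routes, ingress, src):
    """Return (naive, route_aware) accept decisions for one packet."""
    return naive_allowed(routes, ingress, src), route_aware_allowed(routes, ingress, src)

if __name__ == "__main__":
    # Spoofed packet from the thread: source 10.0.5.1 arriving on the Intranet interface
    print("spoofed 10.0.5.1 via eth2:", verdicts(ROUTES, "eth2", "10.0.5.1"))   # (True, False)
    print("legit   10.0.7.9 via eth2:", verdicts(ROUTES, "eth2", "10.0.7.9"))   # (True, True)
    print("legit   10.0.5.1 via eth1:", verdicts(ROUTES, "eth1", "10.0.5.1"))   # (True, True)
```

The first line reproduces the behavior the post describes: the naive check accepts the spoofed source because 10.0.5.1 falls inside the 10.0.0.0/16 route on eth2, while the route-aware check drops it because the winning route for 10.0.5.1 is the connected /24 on eth1.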