This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Balint_Elteto
Participant
‎2019-03-06 03:33 AM

VSX anti-spoofing DETECT behavior question

Hello Everyone!

I'm wondering, is there someone, who already face the following issue with r77.30 VSX:

I set an interface anti-spoofing of a VS to DETECT, because I had many drops and have no time to set all the routings.

However the traffic is still not went through the firewall as it should be, but in the tracker, I saw the detect events.

So I had to completely turned off the ants-spoofing protection on that interface, then all is good.

What do you think, this is a bug, an undocumented feature or just I missed something in the official documentation?

Thx for the answers!

Balint

0 Kudos
4 Replies
Kaspars_Zibarts
Authority
Authority
‎2019-03-06 06:44 AM

Is it possible that traffic passed multiple VSes and/or interfaces so it was dropped somewhere else by spoofing? And when you disabled spoofing completely it covered missing interfaces?

In any case - instead of trying to fix this detect issue I would rather spend time to fix routing and spoofing Smiley Happy

You know that you can use automatic spoofing calculation based on existing routing?

Balint_Elteto
Participant
‎2019-03-07 04:11 AM

Thanks for the answer!

No other vs/interface involved. Also I see the traffic with DETECT action in the tracker.

Just not arrives to the destination.

Of course, my plan is to correct the routing for sure. But it was a strange behavior which surprised me and cause some uncomfortable hours.

I'm using the auto cal on every VS with prevent settings. But there were lot of routes missing and the "set to detect" was the fastest solution to my problem.

btw, the interface is a wrp to a virtual switch. Maybe that had something do with this.

0 Kudos
Kaspars_Zibarts
Authority
Authority
‎2019-03-07 01:08 PM
In response to Balint_Elteto

Probably silly question but I assume that pushed both topology and policy after you set spoofing to detect mode? I'm still confused how it failed to work correctly when you have tooiloto set to automatic. Sounds really strange.

0 Kudos
Balint_Elteto
Participant
‎2019-03-07 11:17 PM

Smiley Happy  I pushed the policy.

Anyway, when I'll have more time to play, I'll set up a test VS on this vsx cluster and do some test/troubleshoot.

Maybe this was some mysterious event, which will never come up again.

Thx for your notes

0 Kudos