Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
tepeeeeei
Explorer
Jump to solution

exclude anti-spoofing for communication from specific IP addresses

Dear Team,

In the given network environment, is there a way to configure the anti-spoofing settings to exclude communications from specific IP addresses only? The environment is as follows:

  • Check Point 6200
  • OS: R81.10
  • Anti-spoofing enabled on "external" and "internal" interfaces
  • Topology "external" : External
  • Topology "internal" : 10.10.0.0/16

The internal topology is set to 10.10.0.0/16,

but communication from 10.10.254.240/28 comes through the external interface.

Is there a good way to exclude this?

0 Kudos
1 Solution

Accepted Solutions
Timothy_Hall
Legend Legend
Legend

Yes, select the "Don't check packets from" option on the External interface:

exclude.png

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

View solution in original post

(1)
5 Replies
Timothy_Hall
Legend Legend
Legend

Yes, select the "Don't check packets from" option on the External interface:

exclude.png

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
(1)
tepeeeeei
Explorer

I can't believe it was such a simple solution!
I feel a bit embarrassed for asking, but thank you for your help.

Just to confirm, with this setting, it will behave as follows, right?

  • This setting only disables the spoofing check for packets with the specified IP addresses coming from the external interface.
  • If a packet with the specified IP address as its source comes from the internal side, it won't be considered spoofing either, because the internal topology is set to 10.10.0.0/16.

Thanks again for your assistance, and have a great day!

0 Kudos
the_rock
Legend
Legend

Not exactly. That setting lets you exempt whatever IP ranges you do NOT want checked for anti spoofing that hit external interface. Be careful though...usually, people may have external peer IPs there, as it may happen there are VPN issues until you place the peer ip address in there. Just my experience, but every case is different. Btw, that setting ONLY works with external or VTI interface, as vti is technically considered "extension" of external interface.

 

For packets coming from internal side, its got nothing to do with that setting, as it would hit internal interface, not external.

konrado_91
Explorer

Hey Tim,

Thank You for pointing out solution to this problem as we run into the same predicament last week. Follow up question on this topic:

Do we need to disable button "Calculate topology automatically based on routing information" for Your solution to work? or we can keep it enabled(as we prefer keep it that way)?

Zrzut ekranu 2024-12-09 113615.jpg

 

 

0 Kudos
Timothy_Hall
Legend Legend
Legend

You shouldn't need to disable that option to my knowledge, the override should still work.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events