This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
tepeeeeei
Explorer
‎2023-04-17 08:14 PM
Jump to solution

exclude anti-spoofing for communication from specific IP addresses

Dear Team,

In the given network environment, is there a way to configure the anti-spoofing settings to exclude communications from specific IP addresses only? The environment is as follows:

  • Check Point 6200
  • OS: R81.10
  • Anti-spoofing enabled on "external" and "internal" interfaces
  • Topology "external" : External
  • Topology "internal" : 10.10.0.0/16

The internal topology is set to 10.10.0.0/16,

but communication from 10.10.254.240/28 comes through the external interface.

Is there a good way to exclude this?

0 Kudos
1 Solution

Accepted Solutions
Timothy_Hall
Legend Legend
Legend
‎2023-04-18 04:46 AM
Jump to solution

Yes, select the "Don't check packets from" option on the External interface:

exclude.png

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

View solution in original post

3 Replies
Timothy_Hall
Legend Legend
Legend
‎2023-04-18 04:46 AM
Jump to solution

Yes, select the "Don't check packets from" option on the External interface:

exclude.png

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
tepeeeeei
Explorer
‎2023-04-18 04:35 PM
In response to Timothy_Hall
Jump to solution

I can't believe it was such a simple solution!
I feel a bit embarrassed for asking, but thank you for your help.

Just to confirm, with this setting, it will behave as follows, right?

  • This setting only disables the spoofing check for packets with the specified IP addresses coming from the external interface.
  • If a packet with the specified IP address as its source comes from the internal side, it won't be considered spoofing either, because the internal topology is set to 10.10.0.0/16.

Thanks again for your assistance, and have a great day!

0 Kudos
the_rock
Legend
Legend
‎2023-04-18 07:39 PM
In response to tepeeeeei
Jump to solution

Not exactly. That setting lets you exempt whatever IP ranges you do NOT want checked for anti spoofing that hit external interface. Be careful though...usually, people may have external peer IPs there, as it may happen there are VPN issues until you place the peer ip address in there. Just my experience, but every case is different. Btw, that setting ONLY works with external or VTI interface, as vti is technically considered "extension" of external interface.

 

For packets coming from internal side, its got nothing to do with that setting, as it would hit internal interface, not external.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events