Bryce_Myers
Collaborator

CLI Anti-Spoofing Information

Does anyone know of a way to see your anti-spoofing configuration per interface on the CLI?

Basically --

  • Anti-Spoofing is Enabled (y/n)
  • Anti-Spoofing Action (Detect/Prevent)

Accepted Solutions
HeikoAnkenbrand
Champion

Look at this article:

Show Address Spoofing Networks via CLI  

Regards

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips


13 Replies
Pablo_Barriga
Advisor

Hello, for each interface in the topology you can set the anti-spoofing.

Bryce_Myers
Collaborator

Yes - I know it can be done in the GUI.

I want to know if anyone has found a way to check it on the local gateway.  The GUI is currently very time consuming to audit, but scripting to gateways is very simple.

I'm guessing since it's part of the policy, it won't be super easy to find on the local gateway.

Pablo_Barriga
Advisor

Hello Bryce, I think this info should be useful:

fw ctl set int fw_antispoofing_enabled 0
sim feature anti_spoofing off ; fwaccel off ; fwaccel on

fw ctl set int fw_antispoofing_enabled 1
sim feature anti_spoofing on ; fwaccel off ; fwaccel on

This was posted on https://community.checkpoint.com/thread/5319-my-top-3-check-point-cli-commands

Bryce_Myers
Collaborator

Isn't that just a global anti-spoofing setting?  I can't tell what the configuration per interface is.

Kris_Pellens
Collaborator

Hello Pablo,

How can we disable anti-spoofing from the command line in R80.20?

In R80.20 GA the following command has been removed:

   sim feature anti_spoofing off

[Expert@pa:0]# sim feature anti_spoofing off

        Command 'sim feature' has been replaced. Use 'fwaccel feature' instead.

[Expert@pa:0]# fwaccel feature anti_spoofing off    
Invalid feature 'anti_spoofing'
Usage: fwaccel feature <name> {on|off|get}

Available features: sctp

Any suggestions?

Many thanks.

Kind regards,

Kris

Timothy_Hall
Legend

Firewall CLI or R80+ SMS CLI?

--
My Book "Max Power: Check Point Firewall Performance Optimization"
Second Edition Coming Soon

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Bryce_Myers
Collaborator

Firewall CLI at the moment.

Timothy_Hall
Legend

I don't think there is a direct way to pull this info from the running firewall kernel (I originally thought it could be provided by the sim ranges command), but what you can do is first run fw ctl iflist on the firewall to get the list of interfaces, and then view (not edit!) the firewall's $FWDIR/state/local/FW1/local.set file.  In that file you will find a section called "if_info" and under that "objtype (gw)" and then an indented list of firewall interfaces.  Under each firewall interface you will see two values:

has_addr_info (true|false)

   true: antispoofing enabled on that interface

   false: antispoofing is disabled on that interface


monitor_only (true|false)

   true: antispoofing action is Detect on that interface

   false: antispoofing action is Prevent on that interface

I'm sure someone could script something to pull this info out of the file a bit easier...

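The post above describes where the per-interface flags live but leaves the scripting to the reader. Below is an added example (not code from the thread or from Check Point) that tokenizes the parenthesised `:key (value)` layout of a `.set` file and reports `has_addr_info` / `monitor_only` for every interface node. The exact nesting of `if_info` in the constructed `SAMPLE` is an assumption; the walker only requires that each interface node carries both flags, so it does not depend on depth.

```python
"""Added example: per-interface anti-spoofing flags from a local.set-style file,
using the has_addr_info / monitor_only meaning given in the post above.
The nesting in SAMPLE is assumed; only the two flags per node are relied on."""
import re
import sys

# Tokens: '(' , ')' , ':key' (or bare ':' for anonymous items), quoted strings, atoms.
TOKEN_RE = re.compile(r'\(|\)|:[^\s()]*|"[^"]*"|[^\s()]+')

def _parse(tokens, i):
    """Parse one '( ... )' group at tokens[i]; return (node, index after ')')."""
    i += 1                                   # skip '('
    items, atoms, unnamed = {}, [], 0
    while tokens[i] != ')':
        tok = tokens[i]
        if tok.startswith(':'):              # ':key (...)' or ': (...)' for unnamed items
            key = tok[1:] or f"_{unnamed}"
            if not tok[1:]:
                unnamed += 1
            if tokens[i + 1] == '(':
                items[key], i = _parse(tokens, i + 1)
            else:
                items[key], i = tokens[i + 1], i + 2
        else:
            atoms.append(tok)
            i += 1
    if items:
        return items, i + 1
    return (atoms[0] if len(atoms) == 1 else atoms), i + 1

def parse_set(text):
    """Parse the whole file into nested dicts / lists / strings."""
    return _parse(TOKEN_RE.findall(text), 0)[0]

def antispoofing_report(node, name=None):
    """Return [(interface, enabled, action)] for every node carrying both flags."""
    rows = []
    if isinstance(node, dict):
        if 'has_addr_info' in node and 'monitor_only' in node:
            rows.append((name, node['has_addr_info'] == 'true',
                         'Detect' if node['monitor_only'] == 'true' else 'Prevent'))
        for key, child in node.items():
            rows.extend(antispoofing_report(child, key))
    return rows

# Constructed sample, not a real gateway dump; the layout is an assumption.
SAMPLE = """(
  :if_info (
    :objtype (gw)
    :eth0 ( :has_addr_info (true)  :monitor_only (false)
            :interface_topology ( : (10.0.0.0 255.255.255.0) ) )
    :eth1 ( :has_addr_info (true)  :monitor_only (true) )
    :eth2 ( :has_addr_info (false) :monitor_only (false) )
  )
)"""

if __name__ == '__main__':
    # On a gateway: python3 this_script.py $FWDIR/state/local/FW1/local.set
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for iface, enabled, action in antispoofing_report(parse_set(text)):
        print(f"{iface:10} enabled={enabled!s:5} action={action}")
```

The file reflects the installed policy only, so a change made in SmartConsole but not yet pushed will not show up here.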
Bryce_Myers
Collaborator

Tim - this is great information!  I'm going to build a script to check for these settings on the gateway.

PhoneBoy
Admin

Looking on my R80.10 gateway, for each interface, I also see interface_topology which tells you what subnets are "valid" on a given interface (assuming that's useful to your task).

Timothy_Hall
Legend

Yep, that same $FWDIR/state/local/FW1/local.set on the firewall does show the calculated network topology for each interface as well as the anti-spoofing settings.  Could definitely be handy if there are lots of nested groups specified in the anti-spoofing settings that make figuring out the actual topology (and resulting anti-spoofing enforcement) difficult from the SmartDashboard/SmartConsole.

Bryce_Myers
Collaborator

I think there is an opportunity to leverage GUIDBedit from the management CLI to look at the policy, but even if it's changed in the policy - if it hasn't been deployed, the gateway doesn't actually have the anti-spoofing settings.
