Does anyone know of a way to see your anti-spoofing configuration per interface on the CLI?
I don't think there is a direct way to pull this info from the running firewall kernel (I originally thought it could be provided by the sim ranges command), but what you can do is first run fw ctl iflist on the firewall to get the list of interfaces, and then view (not edit!) the firewall's $FWDIR/state/local/FW1/local.set file. In that file you will find a section called "if_info" and under that "objtype (gw)" and then an indented list of firewall interfaces. Under each firewall interface you will see two values:
true: antispoofing enabled on that interface
false: antispoofing is disabled on that interface
true: antispoofing action is Detect on that interface
false: antispoofing action is Prevent on that interface
I'm sure someone could script something to pull this info out of the file a bit easier...
-- My Book "Max Power: Check Point Firewall Performance Optimization" Second Edition Coming Soon
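A parser for that file, added here as an example (it is not Tim's or Check Point's code). It handles the nested :key (value) set-file syntax generally, so it also works for other sections of local.set; the sample input is constructed, and the two attribute names under each interface are placeholders because the thread does not give them: substitute the names you see in your own local.set.

```python
import re

# Constructed sample in the nested ":key (value)" set-file syntax, laid out as the post describes:
# if_info -> objtype (gw) -> one block per interface. The two per-interface names are PLACEHOLDERS.
SAMPLE_LOCAL_SET = """\
:if_info (
    :objtype (gw)
    : (eth0
        :antispoofing_enabled (true)
        :antispoofing_detect (false)
    )
    : (eth1
        :antispoofing_enabled (true)
        :antispoofing_detect (true)
    )
    : (eth2
        :antispoofing_enabled (false)
        :antispoofing_detect (false)
    )
)
"""
ENABLED_KEY, DETECT_KEY = "antispoofing_enabled", "antispoofing_detect"  # placeholders, see above
LINE = re.compile(r'^:(?P<name>[^\s(]*)\s*\((?P<rest>.*)$')

def parse_set(text):
    """Parse ':name (value)' leaves and ':name (' / ': (item' blocks into nested dicts."""
    stack = [{}]
    for line in filter(None, map(str.strip, text.splitlines())):
        m = LINE.match(line)
        if line == ")":                      # closes the innermost block
            stack.pop()
        elif m is None:
            raise ValueError("unrecognised line: %r" % line)
        elif m["rest"].endswith(")"):        # leaf, e.g. :objtype (gw)
            stack[-1][m["name"]] = m["rest"][:-1].strip('"')
        else:                                # block; an anonymous ': (eth0' is keyed by its item name
            stack[-1][m["name"] or m["rest"]] = child = {}
            stack.append(child)
    if len(stack) != 1:
        raise ValueError("unbalanced parentheses in set file")
    return stack[0]

def antispoofing_per_interface(tree):
    """Map each interface under if_info to (enabled, action), using the true/false meaning from the post."""
    result = {}
    for iface, attrs in tree.get("if_info", {}).items():
        if not isinstance(attrs, dict):      # skip scalar attributes such as objtype (gw)
            continue
        enabled = attrs.get(ENABLED_KEY) == "true"
        detect = attrs.get(DETECT_KEY) == "true"
        result[iface] = (enabled, "off" if not enabled else "Detect" if detect else "Prevent")
    return result
```

Feed the contents of $FWDIR/state/local/FW1/local.set to parse_set() on the gateway and compare the interface names in the result against fw ctl iflist to spot interfaces with no anti-spoofing entry at all.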
Hello, for each interface in the topology you can set anti-spoofing.
Yes - I know it can be done in the GUI.
I want to know if anyone has found a way to check it on the local gateway. The GUI is currently very time consuming to audit, but scripting to gateways is very simple.
I'm guessing since it's part of the policy, it won't be super easy to find on the local gateway.
Hello Bryce, I think this info should be useful:
fw ctl set int fw_antispoofing_enabled 0
sim feature anti_spoofing off ; fwaccel off ; fwaccel on
fw ctl set int fw_antispoofing_enabled 1
sim feature anti_spoofing on ; fwaccel off ; fwaccel on
This was posted on the "My Top 3 Check Point CLI commands" thread.
Isn't that just a global anti-spoofing setting? I can't tell what the configuration per interface is.
Firewall CLI or R80+ SMS CLI?
Firewall CLI at the moment.
Tim - this is great information! I'm going to build a script to check for these settings on the gateway.
Looking on my R80.10 gateway, for each interface, I also see interface_topology which tells you what subnets are "valid" on a given interface (assuming that's useful to your task).
Yep, that same $FWDIR/state/local/FW1/local.set on the firewall does show the calculated network topology for each interface as well as the anti-spoofing settings. Could definitely be handy if there are lots of nested groups specified in the anti-spoofing settings that make figuring out the actual topology (and resulting anti-spoofing enforcement) difficult from the SmartDashboard/SmartConsole.
I think there is an opportunity to leverage GUIDBedit from the management CLI to look at the policy, but even if it's changed in the policy - if it hasn't been deployed, the gateway doesn't actually have the anti-spoofing settings.