Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
d8c70a99-a39f-4
Participant

Local interface address spoofing

Hi, 

Another tricky one to explain Smiley Sad

In Azure i use UDR to route traffic out of the cloudguard. 

I then have an LoadBalancer forwarding the traffic for its extrnal IP to the Cloudguard and then onto the internal zone on a VM.

When i try to connect to the loadbalancer external IP the cloudguard is blocking the connection due to Local interface address spoofing.

How can i get round this issue?

Thanks

3 Replies
Richard_Cove
Contributor

Probably routing issue, check your UDRs and have you added a route for the internal networks to Gaia?

Something like 

clish –C “set static-route 10.0.2.0/24 nexthop gateway address 10.0.1.1 on”

where 10.0.1.0/24 is the internal subnet

From sk115276

  • Local interface address spoofing drops indicate that the Security Gateway / Cluster member received a packet with a source IP address that belongs to one of the local interfaces on the Security Gateway / Cluster member.

  • Local interface address spoofing

    Understand why there is traffic with source IP address that belongs to one of the interfaces on the Security Gateway / Cluster member.

    Possible reasons:

    • Routing issue:

      The traffic is being returned to the Security Gateway / Cluster from the next hop.
      Traffic will be returned with a source IP address that belongs to the Security Gateway / Cluster.
0 Kudos
d8c70a99-a39f-4
Participant

Ok, so i think i understand the problem, but not how to resolve. 

The issue i think is, that the outbound request from the the VM is routed out of the checkpoint which then hits the public IP of the Loadbalancer. The loadbalancer then NATs the requests back to the Cloudguard which then NAT's onto the destination VM (WebServer) which is also set to route all traffic out of the checkpoint.

So it think it this issue "Understand why there is traffic with source IP address that belongs to one of the interfaces on the Security Gateway / Cluster member."

Problem is how do i fix it? I want all traffic to be routed out of the checkpoint for all subnets, but also want to be able to NAT traffic from the loadbalancer to other endpoints via the checkpoint?

Help!

0 Kudos
Matthias_Haas
Advisor

Hi,

what do you mean by

<which then hits the public IP of the Loadbalancer ?

For outbound traffic, you have to NAT the Source IP into the Checkpoint GW IP which is used as the Backend Pool for the Loadbalancer. The Loadbalancer will then NAT the GW IP into the Public IP. (so do not NAT the internal IP into the Public IP on the FW, which you may have now)

Matthias

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.