This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
dmartinez
Participant
Participant
‎2024-05-07 02:13 AM
Jump to solution

Antispoofing in external interfaces when Cluster IP Addresses on Different Subnets

Hello,

 

I'm working in a scenario where we have 3 interfaces with 3 public ips that now are going to be turned into a cluster. For that, I am following the workaround "Cluster IP Addresses on Different Subnets" to save public ips on those interfaces. The workaround is clear and works on lab.

 

The issue is that when using that workaround, it is mandatory to specify the antispoofing object or installation fails:

The Anti-spoofing setting for this configuration should be specific and not "This net". Usually, you should choose the Cluster IP or the Member's IP subnet or define a group with these two subnets and use it.
- Policy verification failed.

For internal interfaces, this is simple, you just add a specific network group/object with the internal interfaces as usual to override the antispoofing and thats it, but, what if like in my case these are external interfaces? What is the best practice for this? Just put the "All internet" object in the antispoofing settings of those 3 interfaces?

 

Thanks!!

CCSM
0 Kudos
1 Solution

Accepted Solutions
G_W_Albrecht
Legend Legend
Legend
‎2024-05-07 03:05 AM
Jump to solution

No - Change the Anti-Spoofing configuration of your Internet interface to "Internet (External)"

See https://support.checkpoint.com/results/sk/sk180814

 

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

View solution in original post

2 Replies
G_W_Albrecht
Legend Legend
Legend
‎2024-05-07 03:05 AM
Jump to solution

No - Change the Anti-Spoofing configuration of your Internet interface to "Internet (External)"

See https://support.checkpoint.com/results/sk/sk180814

 

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
dmartinez
Participant
Participant
‎2024-05-07 03:08 AM
In response to G_W_Albrecht
Jump to solution

Hi Albrecht

 

I tried to delete the post as I tested your solution a couple of minutes ago and it worked. Just defining the interfaces as "Internet (External). One of them is not defined as external, so we will change it and it will work.

 

Thanks

CCSM
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events