This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Tomas_S_
Participant
‎2018-11-07 01:28 AM
Jump to solution

Disable "Local interface address spoofing"

Hello,

we have a setup, where all the traffic is mirrored to the Checkpoint 5800 (via SPAN port).

Management and mirrored traffic interfaces both have "Anti Spoofing: Disabled",

however, since CP receives mirror of all the traffic (including one from its management interface), logs are filled with

message_info:"Local interface address spoofing" messages

(the MAC address of the mirrored packet is that of the router, not CP device).

How can we disable check for "Local interface address spoofing"?

Running R80.20.

1 Solution

Accepted Solutions
Timothy_Hall
Champion
Champion
‎2018-11-07 04:57 AM
Jump to solution

fw ctl set int fw_local_interface_anti_spoofing 0

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

New 2-day Live "Max Power" Series Course Now Available:
"Gateway Performance Optimization R81.20" at maxpowerfirewalls.com

View solution in original post

5 Replies
Danny
Champion
Champion
‎2018-11-07 03:30 AM
Jump to solution

In SmartLog, just enter. not spoofing

0 Kudos
Tomas_S_
Participant
‎2018-11-07 03:57 AM
In response to Danny
Jump to solution

Wouldn't that only filter output in the view?

We are using cp_log_export, to export logs via syslog, and these are flooded with 

---

2018-11-07T11:49:58+02:00 local0.info 11.11.11.11 1: 2018-11-07T09:49:54Z ids-n2 CheckPoint 29740 - [action:"Drop"; alert:"alert"; flags:"401408"; ifdir:"inbound"; ifname:"eth1-01"; loguid:"{0x0,0x0,0x0,0x0}"; origin:"11.11.11.11"; originsicname:"cn=cp_mgmt,o=ids-n2.xx.xx.fpp84p"; sequencenum:"530"; time:"1541584194"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={637D2E66-C60F-4646-BD66-FDB8148F5F42};mgmt=ids-n2;date=1541582377;policy_name=Standard\]"; dst:"23.60.24.21"; message_info:"Local interface address spoofing"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"38149"; service:"80"; src:"11.11.11.11"; ] 

...

---

messages

0 Kudos
Timothy_Hall
Champion
Champion
‎2018-11-07 04:57 AM
Jump to solution

fw ctl set int fw_local_interface_anti_spoofing 0

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

New 2-day Live "Max Power" Series Course Now Available:
"Gateway Performance Optimization R81.20" at maxpowerfirewalls.com
Tomas_S_
Participant
‎2018-11-07 05:34 AM
In response to Timothy_Hall
Jump to solution

Operation succeded, but messages "Local interface address spoofing" still pour to the fw.log.

# fw ctl set int fw_local_interface_anti_spoofing 0
Set operation succeeded

# fw ctl get int fw_local_interface_anti_spoofing
fw_local_interface_anti_spoofing = 0

# sim feature anti_spoofing off; fwaccel off; fwaccel on

Command 'sim feature' has been replaced. Use 'fwaccel feature' instead.

SecureXL device disabled.

# fwaccel feature anti_spoofing off
Invalid feature 'anti_spoofing'
Usage: fwaccel feature <name> {on|off|get}

Available features: sctp

I've also set:

# fw ctl set int fw_antispoofing_enabled = 0

0 Kudos
Tomas_S_
Participant
‎2018-11-07 06:08 AM
In response to Timothy_Hall
Jump to solution

After checkpoint reboot the issue is solved: there is no longer spoofing messages in the logs.

Thank You