cem82
Participant

Antispoofing with dynamic routing

Hi

 

For antispoofing config (on R80.30 and R81.10), is it fine to be internal > defined by routes on the OSPF/BGP interfaces? Do routing changes take effect immediately in terms of the antispoofing checks, or does it recalculate every X amount of time etc.? Any gotchas that we should be aware of?

 

Thanks

0 Kudos
3 Replies
the_rock
Champion

That is exactly how you should have it. I did that for 2 customers and it has worked fine for more than a year now, no issues. For your reference, below is from the SmartConsole doc, and this applies literally to any R80+ version:

  • Network defined by routes - The gateway dynamically calculates the topology behind this interface. If the network changes, there is no need to click "Get Interfaces" and install a policy.

R80.20 smart console guide 

0 Kudos
Timothy_Hall
Champion

Yes, network defined by routes will work fine. The routing table is checked for updates every 1 second and the topology is updated accordingly based on this setting:

update.png

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
Tobias_Moritz
Advisor

If you have overlapping routes, you should read my post here:
https://community.checkpoint.com/t5/Security-Gateways/Security-Flaw-in-Dynamic-Anti-Spoofing-R80-20-...

Summary: Check Point's implementation of "Antispoofing defined by routes" does not follow the RFC or the normal routing logic (most specific route is taken). It will not block anything needed, but allows more than needed.

0 Kudos
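The overlapping-route case from the last reply, as an added example (not code from the thread or from Check Point): it compares a longest-prefix-match source check with an assumed permissive model in which any covering route on the interface is enough, and lists the prefixes where the two can disagree. The routes, interface names and both check functions are constructed for illustration.

```python
import ipaddress

# Constructed sample routing table (prefix, interface); not taken from the thread.
ROUTES = [
    ("10.0.0.0/8", "eth1"),
    ("10.20.0.0/16", "eth2"),
    ("192.168.5.0/24", "eth2"),
]

def parse(routes):
    return [(ipaddress.ip_network(p), ifc) for p, ifc in routes]

def strict_allows(routes, src, ifc):
    """Most specific route wins: src is valid only on that route's interface."""
    src = ipaddress.ip_address(src)
    matches = [(n, i) for n, i in parse(routes) if src in n]
    if not matches:
        return False
    best_len = max(n.prefixlen for n, _ in matches)
    # Equal-length routes on several interfaces (ECMP) are all accepted.
    return any(i == ifc for n, i in matches if n.prefixlen == best_len)

def permissive_allows(routes, src, ifc):
    """Assumed model: any route via ifc that covers src is enough."""
    src = ipaddress.ip_address(src)
    return any(src in n and i == ifc for n, i in parse(routes))

def overlap_gaps(routes):
    """Find (specific prefix, its interface, other interface) overlaps.

    Each entry is a prefix routed via one interface that is also covered
    by a broader route on another interface, so the two checks can
    disagree for sources in that prefix arriving on the other interface.
    """
    table = parse(routes)
    gaps = set()
    for net, ifc in table:
        for other, other_ifc in table:
            if (other_ifc != ifc and other.version == net.version
                    and other.prefixlen < net.prefixlen
                    and net.subnet_of(other)):
                gaps.add((str(net), ifc, other_ifc))
    return sorted(gaps)

if __name__ == "__main__":
    for prefix, ifc, other in overlap_gaps(ROUTES):
        print(f"{prefix} routed via {ifc} is also covered on {other}")
```

Running the overlap check against an exported routing table shows which interfaces are worth reviewing when overlapping routes exist.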