Neo_Alderson
Explorer

Local interface address spoofing with Https service

Hi all.

I have a problem with my Checkpoint FW, which began about 1 month ago.

The FW has blocked HTTPS traffic with some information, like below:

Message Information              Local interface address spoofing

Description                               https Traffic Dropped from 192.168.x.x to 10.x.x.x

Note that 192.168.x.x is the virtual inbound FW IP and 10.x.x.x is an internal server IP.

It first happened on June 13 and has continued until now.

I use Checkpoint SmartConsole R81.

Please help me or explain why, and please let me know how to resolve that.

Thanks a lot.

 

0 Kudos
2 Replies
Tobias_Moritz
Advisor

That's an anti-spoofing error, which means that the firewall is seeing traffic incoming on an interface where IP packets with such a source address are not expected.

You have to check the anti-spoofing settings of all interfaces of that firewall (in Smart Console -> Gateway Settings -> Network Management -> Edit interfaces -> Topology).

Please keep in mind that having an interface with anti-spoofing set to "Internet (External)" does not mean it will accept all IP sources. Instead, it means it will accept all IP sources which are not covered by the specific anti-spoofing settings of all other interfaces.

Maybe you use groups on some internal interfaces for anti-spoofing and someone added a network to that group, not knowing it will affect anti-spoofing?

Maybe you use anti-spoofing defined by routes and (dynamic) routing has changed?

0 Kudos
Sam2
Contributor

Building on this, if you can see accept logs from previous days when it was working, you will be able to see the interface the traffic was accepted on vs. the interface it is now being dropped on, which will hopefully give some indication.

0 Kudos
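The two replies above can be put together in a small model. This is an added example, not part of the original thread and not Check Point's implementation: a simplified Python sketch of the rule that an "Internet (External)" interface accepts only sources not covered by any other interface's anti-spoofing networks, and of comparing the topology before and after a group change. Interface names, networks and addresses are constructed assumptions.

```python
import ipaddress

EXTERNAL = "external"  # stands for the "Internet (External)" topology setting

def covers(networks, src):
    """True if source address `src` falls inside any of `networks`."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(n) for n in networks)

def accepts(topology, iface, src):
    """True if a packet with source `src` passes anti-spoofing on `iface`."""
    spec = topology[iface]
    if spec != EXTERNAL:
        return covers(spec, src)
    # External: everything NOT claimed by another interface's specific networks.
    return not any(covers(nets, src)
                   for name, nets in topology.items()
                   if name != iface and nets != EXTERNAL)

def valid_interfaces(topology, src):
    """Interfaces on which this source address is expected."""
    return sorted(i for i in topology if accepts(topology, i, src))

def compare(before, after, iface, src):
    """Accept/drop on `iface` under both topologies, plus where `src` now belongs."""
    return {
        "accepted_before": accepts(before, iface, src),
        "accepted_now": accepts(after, iface, src),
        "expected_now_on": valid_interfaces(after, src),
    }

# Constructed topologies: someone later adds 192.168.0.0/16 to eth2's group.
BEFORE = {"eth0": EXTERNAL, "eth1": ["10.0.0.0/8"], "eth2": ["172.16.0.0/24"]}
AFTER = {"eth0": EXTERNAL, "eth1": ["10.0.0.0/8"],
         "eth2": ["172.16.0.0/24", "192.168.0.0/16"]}

if __name__ == "__main__":
    # The same packet on eth0 was accepted before the group change and drops after it.
    print(compare(BEFORE, AFTER, "eth0", "192.168.50.10"))
```

In this model, the group change on eth2 silently shrinks what the external interface accepts, which is why comparing the interface in older accept logs against the one in the current drop logs points to the setting that changed.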
