GW 1400 - anti-spoofing issue, all traffic blocked.
Hello. There is a 1400 gateway with anti spoofing issues.
I added a new subnet, associated it to a couple of interfaces, and it worked, for a couple of days. Then, traffic to that new subnet began to be dropped because of an anti-spoofing alert. There is the global property which could be disabled, but I found no other tool to troubleshoot or solve it. There are 2 other LANs on the same gw, and no problem with them.
Thank you very much.
Best regards.
Traffic is being dropped FROM a source incorrectly identified on the interface.
So if you are seeing drops TO your new subnet, properly identified on the interfaces it actually belongs to, look if the source network of the traffic is also associated with the interfaces it is connected to.
It is also possible that your source host may have multiple IPs, and the origin does not belong to a network associated with the interface of the 1400.
This is what the layout looks like.
Apparently, New LAN and Subnetwork 4 are set up in the same way.
For me your description looks a bit strange, as for Vladimir.
And I believe that you could share a screenshot from your logs, a drawing, and the antispoofing settings with real IPs because they are internal ones. Or at least change them to something like 10.10.10.X, 20.20.20.X.
I added a new subnet, associated it to a couple of interfaces, and it worked, for a couple of days. Then, traffic to that new subnet began to be dropped because of an anti-spoofing alert.
Antispoofing should be configured in such a way:
interface A - subnet1 + subnet2
interface B - subnet4
interface C - NewLan
It would mean that from this interface only traffic from these networks is expected, other traffic will be dropped. So, antispoofing checks the source IP only on this interface. If you have some asynchronous routing or servers with several interfaces in different networks, this could of course lead to blocking by antispoofing.
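The per-interface source check described in the reply above, modelled as an added example that is not part of the thread and is not Check Point code. The interface names, addresses and function names are constructed for illustration, and the model is simplified to the source-address comparison only.

```python
import ipaddress

# Constructed topology mirroring the layout in the reply above; interface
# names and addresses are assumptions, not values taken from the thread.
TOPOLOGY = {
    "A": ["10.10.1.0/24", "10.10.2.0/24"],   # subnet1 + subnet2
    "B": ["10.10.4.0/24"],                   # subnet4
    "C": ["10.10.50.0/24"],                  # NewLan
}
NETS = {i: [ipaddress.ip_network(n) for n in nets] for i, nets in TOPOLOGY.items()}

def expected_interfaces(src):
    """Interfaces whose defined topology contains the source address."""
    ip = ipaddress.ip_address(src)
    return sorted(i for i, nets in NETS.items() if any(ip in n for n in nets))

def check(in_iface, src):
    """Anti-spoofing verdict: only the SOURCE address is compared with the
    networks defined behind the interface the packet arrived on."""
    ip = ipaddress.ip_address(src)
    if any(ip in n for n in NETS[in_iface]):
        return "accept"
    where = expected_interfaces(src)
    hint = f"expected on {','.join(where)}" if where else "not in any interface topology"
    return f"drop ({hint})"

# Constructed packets: (incoming interface, source, destination)
PACKETS = [
    ("A", "10.10.1.20", "10.10.50.5"),   # subnet1 host -> NewLan, normal path
    ("C", "10.10.50.5", "10.10.1.20"),   # reply from NewLan
    ("B", "10.10.1.20", "10.10.50.5"),   # same host arriving via B (asymmetric path)
    ("A", "172.16.9.7", "10.10.50.5"),   # routed network missing from A's topology
]

def verdicts(packets=PACKETS):
    """Verdict for each packet; the destination never affects the result."""
    return [check(i, s) for i, s, _ in packets]

if __name__ == "__main__":
    for (i, s, d), v in zip(PACKETS, verdicts()):
        print(f"in={i} src={s} dst={d}: {v}")
```

The last two packets are dropped although their destination is correctly defined on interface C, which is the situation where drops appear to be "to" a subnet while the actual mismatch is the source seen on the incoming interface.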
If your Subnetwork1 is NATed behind RT interface connected to CheckPoint 1400 on its way to the Subnetwork4, this may explain why it is working between 1 and 4 and does not between 1 and New LAN.
A more detailed topology and settings.
Thanks
The only thing that comes to mind is to try changing your routing table:
to point 10.16.0.0/24 to the LAN1 as its next hop.
It looks to me that you are obfuscating the real IPs in your post, so I cannot vouch for not missing something vital.
There is an option to disable antispoofing on Gaia Embedded globally, but not on any particular interface or to ignore a particular network.