Re: Spoofing?

By default "anti-spoofing" tends to be configured as the subnet behind the interface. If you have several subnets there, you should create all of them as network objects, then create a group and add them all in, and finally add that in the interface anti-spoofing (using "specific"). This way the firewall "knows" that all those subnets are connected there and stops blocking the traffic.

To add to what melipla already said, another very important reason why you WILL want anti-spoofing configured is so that I can't send a packet with the source IP as one of your own internal networks and get it to be accepted by the policy because of your rules. Even if the replies would be routed in, this would allow blind attacks, DoS, etc...
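
As an added illustration (not part of the posts above and not the firewall vendor's code), here is a simplified Python model of the per-interface anti-spoofing check the thread describes. The interface names, subnets and sample packets are constructed assumptions.

```python
import ipaddress

# Constructed topology (assumption): eth1 is the internal interface with
# three routed subnets behind it; eth0 is the external interface.
CONNECTED_ONLY = ["10.1.0.0/24"]                      # default-style definition
FULL_GROUP = ["10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24"]  # group of all subnets

def build_topology(internal_nets):
    """Map each interface to the source networks expected on it."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    return {"eth1": nets, "eth0": None}  # None marks the external interface

def antispoof_ok(topology, in_iface, src_ip):
    """True if src_ip is plausible on in_iface, False if it is dropped as spoofed."""
    src = ipaddress.ip_address(src_ip)
    expected = topology[in_iface]
    if expected is None:
        # External side: reject any source that belongs behind another interface.
        internal = [n for nets in topology.values() if nets for n in nets]
        return not any(src in n for n in internal)
    # Internal side: accept only sources defined behind this interface.
    return any(src in n for n in expected)

def evaluate(topology):
    """Run the constructed sample packets through the check."""
    samples = [
        ("eth1", "10.1.0.20"),     # host on the directly connected subnet
        ("eth1", "10.2.0.5"),      # host on a routed subnet behind eth1
        ("eth0", "10.2.0.5"),      # internal source arriving from outside
        ("eth0", "198.51.100.7"),  # ordinary Internet source
    ]
    return [(i, s, antispoof_ok(topology, i, s)) for i, s in samples]

if __name__ == "__main__":
    for name, nets in (("connected only", CONNECTED_ONLY), ("full group", FULL_GROUP)):
        print(name)
        for iface, src, ok in evaluate(build_topology(nets)):
            print(f"  {iface} src={src:<14} {'accept' if ok else 'drop (spoofed)'}")
```

With only the connected subnet defined, the model drops the legitimate 10.2.0.5 host on eth1 and does not recognise the same address as spoofed on eth0; with the full group defined, both results flip.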