CPUG: The Check Point User Group
Thread: Antispoofing in R60 HA cluster

#1 - jchrisos (Junior Member), 2006-11-20

I have 3 firewalls in total. One is a standalone enforcement point, and the remaining two are part of a VRRP cluster. Our internal network connects the standalone and the cluster.

On the standalone, there are 3 interfaces. The internal, external and a DMZ interface. The same goes for the cluster (except for the 4th Interface for VRRP). As I said, the internal interfaces on the routers attach to a common internal network. I am having problems flowing traffic from the DMZ on the standalone to the DMZ in the cluster. The cluster box is telling me "message_info: Address spoofing".

I can see how I tell the standalone which networks are "internal" and thus to not complain about spoofing. However, I cannot figure this out for the cluster. I did read a post (Antispoofing question) about detaching each enforcement point from the cluster, changing the spoofing settings, and then rejoin the cluster.

Is there an easier way? How can I tell my cluster that it can expect to see a certain network on a certain interface?

This is R60 on an IPSO 355:
one cluster member: Ipsrd version ipsrd-IPSO-4.1-BUILD016-05.19.2006-23:06:58
standalone: Ipsrd version ipsrd-IPSO-3.9-BUILD045-11.28.2005-15:11:02

#2 - northlandboy (Senior Member, New Zealand), 2006-11-20

Edit the topology tab of the cluster object. On that page you can set the anti-spoofing options for the cluster addresses.

#3 - jchrisos (Junior Member), 2006-11-21

Quote (originally posted by northlandboy):
    Edit the topology tab of the cluster object. On that page you can set the anti-spoofing options for the cluster addresses.

Yeah, I saw that but didn't want to mess with it until someone confirmed my suspicions. You are referring to the settings that are organized like a spreadsheet, where there are columns named "Network Objective", the name of the cluster, the first cluster member, the second cluster member and "Topology"?

If so, where do I enter the subnet that I want spoofing to allow? Do I enter this under each firewall and set the "Network Objective" to Private? Do I enter the network under the cluster's column, or do I enter it in all three columns?

Thanks so much for your help!

Jim

#4 - northlandboy (Senior Member, New Zealand), 2006-11-21

If it's a cluster interface, then set it as a cluster interface, and then you only need to define the antispoofing settings under the cluster column. You still need to put the address/mask under each firewall's column, but topology is only in one place.

Once you've used it, you will begin to understand that this is far, far simpler than the old style methods of doing it, and it greatly reduces the potential for misconfiguration. It even alerts you if you have inconsistencies.

You might choose to mark some interfaces private, not define a cluster IP, and enter the topology information under each member if you're doing something like using a management interface that doesn't run VRRP/ClusterXL.
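The layout northlandboy describes (one topology per cluster interface, entered once on the cluster object, with a separate address for the cluster and for each member) can be modelled to show two things: what a consistency check on that table looks like, and why the original poster's DMZ-to-DMZ traffic was logged as "Address spoofing" until the remote DMZ subnet was declared behind the cluster's internal interface. The following is an added example and not Check Point code or anything posted in the thread; the interface names, member addresses and subnets are constructed, and the standalone firewall's DMZ is assumed to be 10.10.10.0/24.

```python
"""Per-interface anti-spoofing on a two-member VRRP cluster (added illustration,
not Check Point code; every address and interface name below is constructed)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# 0.0.0.0/0 marks an External interface: it accepts any source that no other
# interface's topology claims.
ANY = ipaddress.ip_network("0.0.0.0/0")


class ClusterInterface:
    def __init__(self, name: str, cluster_ip: Optional[str],
                 member_ips: Dict[str, str], topology: List[str]):
        self.name = name
        self.cluster_ip = cluster_ip      # shared VIP; None for a private, member-only interface
        self.member_ips = member_ips      # member name -> that member's own address
        # Entered once, on the cluster object; it applies to both members.
        self.topology = [ipaddress.ip_network(n) for n in topology]

    @property
    def external(self) -> bool:
        return ANY in self.topology

    def claims(self, ip: ipaddress.IPv4Address) -> bool:
        return any(ip in n for n in self.topology if n != ANY)


class Cluster:
    def __init__(self, members: List[str], interfaces: List[ClusterInterface]):
        self.members = members
        self.interfaces = {i.name: i for i in interfaces}

    def validate(self) -> List[str]:
        """Consistency checks of the kind the topology tab warns about: every member
        needs an address on every interface, and on a non-external interface the
        cluster VIP and the member addresses must lie inside that interface's topology."""
        problems = []
        for iface in self.interfaces.values():
            for member in self.members:
                if member not in iface.member_ips:
                    problems.append(f"{iface.name}: member {member} has no address")
            if iface.external:
                continue
            addrs = ([iface.cluster_ip] if iface.cluster_ip else []) + list(iface.member_ips.values())
            for a in addrs:
                if not iface.claims(ipaddress.ip_address(a)):
                    problems.append(f"{iface.name}: {a} is outside its own topology")
        return problems

    def ingress_check(self, ingress: str, src: str) -> Tuple[bool, str]:
        """Decide whether a packet with source src may arrive on interface ingress.
        Returns (accepted, reason); the reason mimics the log text quoted in the thread."""
        ip = ipaddress.ip_address(src)
        iface = self.interfaces[ingress]
        if iface.external:
            for other in self.interfaces.values():
                if other is not iface and other.claims(ip):
                    return False, f"message_info: Address spoofing ({src} belongs behind {other.name})"
            return True, "accepted"
        if iface.claims(ip):
            return True, "accepted"
        return False, f"message_info: Address spoofing ({src} not expected on {ingress})"


def build_cluster(internal_topology: List[str]) -> Cluster:
    """Two members behind one VIP per interface, plus a VRRP/sync link with no VIP."""
    return Cluster(
        members=["fw-a", "fw-b"],
        interfaces=[
            ClusterInterface("eth-ext", "203.0.113.2",
                             {"fw-a": "203.0.113.3", "fw-b": "203.0.113.4"}, ["0.0.0.0/0"]),
            ClusterInterface("eth-int", "192.168.1.2",
                             {"fw-a": "192.168.1.3", "fw-b": "192.168.1.4"}, internal_topology),
            ClusterInterface("eth-dmz", "10.20.20.1",
                             {"fw-a": "10.20.20.2", "fw-b": "10.20.20.3"}, ["10.20.20.0/24"]),
            ClusterInterface("eth-sync", None,
                             {"fw-a": "10.99.99.1", "fw-b": "10.99.99.2"}, ["10.99.99.0/24"]),
        ],
    )


STANDALONE_DMZ_HOST = "10.10.10.5"  # a host in the standalone firewall's DMZ (assumed subnet)


def before_fix() -> Tuple[bool, str]:
    """Only the directly attached subnet is declared behind eth-int, so traffic that
    the standalone forwards from its DMZ is logged as spoofed."""
    return build_cluster(["192.168.1.0/24"]).ingress_check("eth-int", STANDALONE_DMZ_HOST)


def after_fix() -> Tuple[bool, str]:
    """Declare every network reachable behind eth-int, including the standalone's DMZ."""
    return build_cluster(["192.168.1.0/24", "10.10.10.0/24"]).ingress_check("eth-int", STANDALONE_DMZ_HOST)


if __name__ == "__main__":
    print("before:", before_fix())
    print("after: ", after_fix())
    print("misconfigured:", build_cluster(["192.168.5.0/24"]).validate())
```

The point to take from the model is that the topology is a statement about which sources are legitimate on each ingress interface, not about routes: the cluster's internal interface must list every network that arrives through the shared internal segment, including subnets that live behind the standalone firewall, or their traffic is dropped as spoofed regardless of what the rulebase allows. The `validate` step mirrors the inconsistency warnings northlandboy mentions, catching a VIP or member address that falls outside the topology entered for its own interface.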

#5 - jchrisos (Junior Member), 2006-11-21

Quote (originally posted by northlandboy):
    If it's a cluster interface, then set it as a cluster interface, and then you only need to define the antispoofing settings under the cluster column. You still need to put the address/mask under each firewall's column, but topology is only in one place.

    Once you've used it, you will begin to understand that this is far, far simpler than the old style methods of doing it, and it greatly reduces the potential for misconfiguration. It even alerts you if you have inconsistencies.

    You might choose to mark some interfaces private, not define a cluster IP, and enter the topology information under each member if you're doing something like using a management interface that doesn't run VRRP/ClusterXL.

Thanks so much for the help!! I did find where I edit the antispoofing. There were tabs available on the cluster's interface that were not available on the cluster members' interfaces.

Jim