| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
Hi all,

I have 2 Nokia IP 380 with 8 interfaces (7 active including the Sync). I use VRRP and I have installed Check Point NGX R60 HFA_02.

From the firewall I can't reach one network (we call this network 193.45.x.x) located on the LAN (eth1c0) interface. I have added the network I need to reach to the static routes on the firewall, with the appropriate default gateway, but every time I try to reach this network from the firewall the packet is dropped by spoofing.

I have looked, and the network is not present in any other group and is inserted in the appropriate spoofing group on the LAN interface.

If I delete the static route from Voyager, the firewall routes the packets directed to the network out of the Internet interface (and this is the correct function: "all IP traffic not in the static routes is automatically routed to the Internet"), but the 193.45.x.x network is on the LAN interface and not on the Internet interface.

Please, I need help :)

Kind regards
Giuseppe

__________________
Tnx / Grazie
Giuseppe Benaglio
Security Administrator
NWIT - Italy
CP NGX R60 - Nokia IP380 - Nokia IP40
| |||
Hi,

With your VRRP cluster object, do you have this option: <object> -> Properties -> Topology -> Enable extended cluster anti-spoofing?

Which interface is reporting the anti-spoofing message? Even though you have it defined on the correct interface, for some complicated routing scenarios you may still see anti-spoofing messages for that network on other interfaces. If that happens with a secondary external interface, you may need to add a second group of IPs you don't check anti-spoofing on.

Lastly, I believe there are some NAT settings that affect which IP anti-spoofing sees. If you are using NAT on this network, this may be a cause. Check out Policy -> Global Properties -> NAT -> "Translate destination on client side". I haven't verified if this is related, however.

Also, R60 HFA 05 has some anti-spoofing updates; however, I do not know if that applies to your environment.

HTH

__________________
It's all in the documentation.
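The reply's first question (which interface reports the drop) can be reasoned about with a simplified model of per-interface anti-spoofing. This is an added example, not code from the thread or from Check Point: the rule set is a simplification, and every interface name except eth1c0 and every network shown are constructed placeholders.

```python
import ipaddress

# Constructed topology. 198.51.100.0/24 stands in for the public-range
# network that sits behind the LAN interface; eth2c0/eth3c0 are placeholders.
TOPOLOGY = {
    "eth1c0": {"kind": "internal", "nets": ["10.1.0.0/16", "198.51.100.0/24"]},
    "eth2c0": {"kind": "internal", "nets": ["10.2.0.0/16"]},
    "eth3c0": {"kind": "external", "nets": [], "no_check": []},
}

def _contains(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)

def check(topology, iface, src):
    """Return (verdict, reason) for a packet with source src seen on iface."""
    entry = topology[iface]
    if entry["kind"] == "internal":
        if _contains(src, entry["nets"]):
            return "accept", "source is in this interface's group"
        return "drop", "source is not in this interface's group"
    # External interface: the exclusion group is consulted first.
    if _contains(src, entry.get("no_check", [])):
        return "accept", "source is in the exclusion group"
    for name, other in topology.items():
        if other["kind"] == "internal" and _contains(src, other["nets"]):
            return "drop", "source belongs behind " + name
    return "accept", "source is not behind any internal interface"

def audit(topology, src):
    """Map every interface to the verdict it would give for src."""
    return {iface: check(topology, iface, src)[0] for iface in topology}

if __name__ == "__main__":
    for iface in TOPOLOGY:
        print(iface, check(TOPOLOGY, iface, "198.51.100.7"))
```

In this model a drop logged on any interface other than eth1c0 means the packet took a different path than the topology assumes, which is the situation the exclusion group on an external interface is meant to cover.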