CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

#1 | 2007-09-12 | vadi_ag
Antispoofing

Hi All,
In our environment I can see a group defined for antispoofing, and I keep on adding hosts and subnets to this group so that packets from these should not get dropped. However, the issue is that when I open the topology and check, I don't find any antispoofing defined under the interfaces. We are using Provider-1 R60. I have a doubt about the access level: is it possible to set up access like this, so that only privileged users can see/view the details under the topology section?
I have come across many situations wherein, if I forget to add any host/subnet to the antispoofing group, these will get dropped.

Please help me in understanding how this is set up. I have tried to check in the help topics but I could not find one.

regards
vadi
__________________
Regards
Vadiraj

#2 | 2007-09-13 | mcnallym
Re: Antispoofing

There is no permissions profile that would allow you to read the objects database but not see the topology for the gateway. You wouldn't even be able to view the gateway to see that the anti-spoofing is not configured.

If you can access the objects and make changes, you should be able to see the topology that is configured upon the Check Point gateway, as you would need read/write access to the objects database to do this, and this would allow you to make changes to the interface information.

I believe from your description that there is a group called anti-spoofing but that the group is not actually defined on the gateway as being used with the interface.

I would guess that anti-spoofing has been turned off on your Check Point gateway.

If you have network routing correctly configured on your gateway, then you should be able to do a Get Interfaces with Topology within the gateway object, and that will correctly read the routing table to implement anti-spoofing based on your routing table.

#3 | 2007-09-13 | vadi_ag
Re: Antispoofing

Thanks a lot for your reply.
However, we have TACACS enabled for authentication with RSA tokens. Are there any possibilities for setting up this type of permissions on TACACS?

If antispoofing is turned off on the gateway, then why are the packets getting dropped if I don't add those to the antispoofing group?

Regards
Vadi
__________________
Regards
Vadiraj

#4 | 2007-09-14 | mcnallym
Re: Antispoofing

It could be then that anti-spoofing is enabled but just that the group is not associated with any of the interfaces. I reckon your best bet is to do a get interfaces with topology and then look at the groups associated with the interfaces on the gateway.

#5 | 2007-09-14 | MarioL
Re: Antispoofing

Also check what rule they are being dropped by; anti-spoofing is listed as rule 0.

Anyway, you REALLY should have the anti-spoofing configured. Just do as mcnallym says, get topology and then configure the interfaces, etc.

Remember you must push the policy for the changes to apply.
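
A simplified model of the topology-based check discussed in the replies above, as an added example that is not part of any post and is not Check Point's code: it derives per-interface networks from a routing table and shows why a source on a subnet missing from the topology is dropped until the topology is updated. The interface names, routes and addresses are constructed; the "rule 0" label follows post #5.

```python
import ipaddress

ACCEPT, DROP = "accept", "drop (rule 0)"

# Constructed routing table for a hypothetical gateway: (destination, interface).
ROUTES = [
    ("0.0.0.0/0", "eth0"),         # default route: eth0 faces the outside
    ("10.1.0.0/16", "eth1"),
    ("10.2.5.0/24", "eth1"),       # routed subnet behind eth1
    ("192.168.10.0/24", "eth2"),
]

def build_topology(routes):
    """Group route destinations by interface; a default route marks it external."""
    topo = {}
    for dest, iface in routes:
        net = ipaddress.ip_network(dest)
        entry = topo.setdefault(iface, {"external": False, "nets": []})
        if net.prefixlen == 0:
            entry["external"] = True
        else:
            entry["nets"].append(net)
    return topo

def check_source(topo, iface, src):
    """Decide whether a source address is plausible on the interface it arrived on."""
    addr = ipaddress.ip_address(src)
    entry = topo.get(iface)
    if entry is None:
        return DROP                      # unknown interface: nothing is valid
    if entry["external"]:
        # Outside interface: reject sources that belong behind an internal one.
        spoofed = any(addr in n for e in topo.values()
                      if not e["external"] for n in e["nets"])
    else:
        # Internal interface: source must be in a network defined behind it.
        spoofed = not any(addr in n for n in entry["nets"])
    return DROP if spoofed else ACCEPT

def demo():
    topo = build_topology(ROUTES)
    before = check_source(topo, "eth1", "10.3.0.7")    # subnet nobody added yet
    topo = build_topology(ROUTES + [("10.3.0.0/24", "eth1")])
    after = check_source(topo, "eth1", "10.3.0.7")     # after the topology update
    outside = check_source(topo, "eth0", "10.1.2.3")   # internal source from outside
    return before, after, outside

if __name__ == "__main__":
    print(demo())
```
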

#6 | 2007-09-17 | light
Re: Antispoofing

Hi,

You have to enable antispoofing on the interface, and that's typically applied on the standalone art.

thanks and regards
__________________
Prakash Jaiswal

#7 | 2007-09-18 | vadi_ag
Re: Antispoofing

Hi All,
Thanks a lot for your responses. I got the details of antispoofing, thanks again.

I was not checking under the details under cluster members.

So now I got it.
__________________
Regards
Vadiraj