How to install policy with comms from mgmt server blocked by antispoofing



JPYDX
2018-03-08, 12:38
Hi all,
As the subject says, is there any way to get a policy to a gateway that has comms to and from the management server blocked by anti-spoofing?

fw fetch no luck either.

My only other solution is fw unloadlocal.

Regards

ShadowPeak.com
2018-03-08, 14:15
Obviously you didn't see my CPX presentation. ;)

fw ctl set int fw_antispoofing_enabled 0
sim feature anti_spoofing off ; fwaccel off ; fwaccel on

PhoneBoy
2018-03-09, 02:44
You can see Tim's excellent presentation at CPX (as well as a bunch of other ones) here: https://community.checkpoint.com/docs/DOC-2734-cpx360-slides-2018
You can also see a video of me poorly presenting said presentation :)

JPYDX
2018-03-09, 06:51
All,

I did see your presentation! I was there, and I have used the command several times, but they are not working in this instance. Traffic is still dropped by local interface address spoofing.

Would this work for local interface spoofing?

Also struggling to figure out why on earth it is getting dropped. All static routes seem fine.

jflemingeds
2018-03-09, 07:02
> All,
>
> I did see your presentation! I was there, and I have used the command several times, but they are not working in this instance. Traffic is still dropped by local interface address spoofing.
>
> Would this work for local interface spoofing?
>
> Also struggling to figure out why on earth it is getting dropped. All static routes seem fine.

That is a completely different beast. Interface spoofing cannot be addressed with address spoofing.

Do you by chance have more than one cluster on the same VLAN? What about checking for IP conflicts? Could also be a route loop combined with hide NAT to the cluster VIP.

ShadowPeak.com
2018-03-09, 09:02
> All,
>
> I did see your presentation! I was there, and I have used the command several times, but they are not working in this instance. Traffic is still dropped by local interface address spoofing.
>
> Would this work for local interface spoofing?
>
> Also struggling to figure out why on earth it is getting dropped. All static routes seem fine.

fw ctl set int fw_local_interface_anti_spoofing 0

I don't think you need to turn this off in SecureXL as well. Frankly you have something else seriously wrong if you need to disable this, and I doubt everything will start working when you do.

PhoneBoy
2018-03-09, 13:55
> fw ctl set int fw_local_interface_anti_spoofing 0

The only place I've seen where this is needed is when you're listening off a SPAN port and the gateway sees its own traffic from the management port on it.
Part of that old "can't see the same packet twice" rule :)

jflemingeds
2018-03-10, 17:19
Or a bridge firewall with a dedicated mgmt interface that needs internet access, which would then route through the internal interface of the bridge, but there is some newer way to handle that. Some magic packet remembering thingie. It's in the advanced.. uh.. tech admin guide? Whatever that is called.
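The distinction the thread turns on, address anti-spoofing checked against each interface's topology versus local interface address spoofing (the gateway seeing its own address as a source, e.g. via a SPAN port or a bridge loop), modelled in Python on a constructed three-interface gateway. This is an added illustration, not Check Point code or its real kernel logic; the interface names, addresses, topology and sample packets are assumptions made up for the example, so a drop can be reasoned about before anyone reaches for `fw ctl set int ... 0`.

```python
"""Toy model of the two anti-spoofing checks named in the thread.

Not Check Point code: a simplified model of the behaviour controlled by
fw_antispoofing_enabled (per-interface topology) and
fw_local_interface_anti_spoofing (own-address sources). All data is constructed.
"""
from ipaddress import ip_address, ip_network

# Constructed gateway: interface -> (interface IP, networks expected behind it).
GATEWAY = {
    "eth0": ("203.0.113.2", ["0.0.0.0/0"]),                   # external, "any" catch-all
    "eth1": ("10.10.1.1", ["10.10.1.0/24", "10.20.0.0/16"]),  # internal
    "eth2": ("192.168.100.1", ["192.168.100.0/24"]),          # dedicated mgmt
}


def local_addresses(gw):
    """The gateway's own interface addresses."""
    return {ip_address(ip) for ip, _ in gw.values()}


def expected_interface(gw, src):
    """Interface whose topology most specifically contains src (longest prefix)."""
    src = ip_address(src)
    best = None
    for name, (_, nets) in gw.items():
        for net in map(ip_network, nets):
            if src in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    return best[0] if best else None


def classify(gw, src, ingress):
    """Return 'accept' or the reason this model would drop the packet."""
    # Local interface address spoofing: a source that is one of the gateway's
    # own addresses arriving from the wire (fw_local_interface_anti_spoofing).
    if ip_address(src) in local_addresses(gw):
        return "drop: local interface address spoofing"
    # Address spoofing: the source belongs to another interface's topology
    # (fw_antispoofing_enabled). A routing loop or NAT to the VIP shows up here.
    exp = expected_interface(gw, src)
    if exp is not None and exp != ingress:
        return f"drop: address spoofing (expected on {exp})"
    return "accept"


if __name__ == "__main__":
    for src, iface in [("192.168.100.10", "eth2"), ("192.168.100.10", "eth1"),
                       ("10.10.1.1", "eth0")]:
        print(f"{src} on {iface}: {classify(GATEWAY, src, iface)}")
```

Note that `fw ctl set int` changes are not persistent across a reboot; the model above is only a way to locate which check fires so the underlying route or address problem can be fixed instead.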