Antispoofing adding static route



gajendra229
2018-08-20, 09:25
When I add a static route on firewall or enabling antispoofing

ip route 192.140.12.2/29(external interface) nexthop gateway 10.232.2.2(internal interface let say eth10)

192.x.x.x is owned by our network...
The interface is what I see through the show route destination command...

When I add 192.x.x.x to the Antispoofing group, what exactly does it mean?


Does it mean that any traffic coming from 192.x.x.x going to the internet,
and any traffic coming from the internet to 192.x.x.x on the firewall, should come in on eth10, else it will be discarded?
And does it also mean that any traffic from the internal network going to 192.x.x.x should come in on eth10?

mdjmcnally
2018-08-20, 13:18
Anti-Spoofing is based on the Source IP of traffic

So if you add 10.10.10.0/24 to eth10 then it inspects the Source IP of traffic arriving on eth10 and compares with what is in the Anti-Spoofing.
If it matches what is set on eth10, then it passes the initial inspection and is passed on to the Firewall for matching against the Rulebase.

On the interface marked as External, it basically accepts as Source any address that is not specified on an interface.

In terms of the routing table then the Interface shown is the Interface that the traffic would leave on to get to that Destination.

EricAnderson
2018-08-20, 16:09
If only I had a nickel for every hour I've spent explaining/teaching anti-spoofing... it's quite capable and simple (once understood), but far from intuitive.

mdjmcnally (https://www.cpug.org/forums/member.php/2674-mdjmcnally) is correct, but I'll take a slightly different direction:

- Anti-spoofing basically doesn't care about the destination. If enabled on an interface, it simply compares the source address of inbound traffic (traffic just entering the firewall) against the topology definition of that interface. If the source isn't included in the selected anti-spoofing option, then it's considered "spoofed" and either prevented or detected (based on setting).
- The default "defined by the interface IP and Net Mask" is fine if there's only that network connected to the interface.
- It gets to be more fun when there are multiple networks connecting through that interface via router/switch/WAN/etc. In this case, all networks need to be added to a group and configured as "specific".
- This should usually mirror the routing configuration, in that any additional networks will likely also need static routes defined to get outbound traffic where it needs to go (the switch/router/etc.).
- If you're a "bleeding-edge" type of person, you may have seen a new anti-spoofing option in R80.20.M1: "network defined by routes". I've been waiting for this for years! While I haven't tested this yet on GA, my suspicion is that it will only work on R80.20 gateways - once available. Still, this will hopefully make things easier in the future.

-E

Bob_Zimmerman
2018-08-20, 16:59
If only I had a nickel for every hour I've spent explaining/teaching anti-spoofing... it's quite capable and simple (once understood), but far from intuitive.
I wish I had one for every time I got a TAC call for antispoofing drops and the caller swore up and down that his routing was handed to him on stone tablets by angels and could never be wrong. Then after four hours of troubleshooting, guess what. His routing was wrong.


- This should usually mirror the routing configuration, in that any additional networks will likely also need static routes defined to get outbound traffic where it needs to go (the switch/router/etc.).
I would go further. There are almost no situations where your antispoofing configuration should not match your routing configuration. If you find one, something is almost always seriously wrong with that environment.


- If you're a "bleeding-edge" type of person, you may have seen a new anti-spoofing option in R80.20.M1: "network defined by routes". I've been waiting for this for years! While I haven't tested this yet on GA, my suspicion is that it will only work on R80.20 gateways - once available. Still, this will hopefully make things easier in the future.
This sounds like URPF. I wonder if it is aware of dynamic routing. If so, that would be wonderful and would save me so much time. I will need to test this in the very near future.

ShadowPeak.com
2018-08-20, 17:50
I would go further. There are almost no situations where your antispoofing configuration should not match your routing configuration. If you find one, something is almost always seriously wrong with that environment.


That's why in R80.20 there is a new antispoofing option on the interface topology screen: "Follow routing configuration" or something like that. Now any time a route is added/updated antispoofing will automatically match.

Bob_Zimmerman
2018-08-20, 18:28
That's why in R80.20 there is a new antispoofing option on the interface topology screen: "Follow routing configuration" or something like that. Now any time a route is added/updated antispoofing will automatically match.

Yes, which Eric and I were just discussing later in that same message. 😉

gajendra229
2018-08-21, 10:36
To add on my question

I am going to add a vlan 10 to interface eth3.333 with 10.10.10.133/29
VRRP 10.10.10.132

To make it work, why do I need to add 10.10.10.129/29 to the Antispoofing Group that I created on interface eth3.333?

fw01/02 (VRRP): 10.10.10.132
fw01: 10.10.10.133
fw02: 10.10.10.134

mdjmcnally
2018-08-22, 11:26
Because you need to tell the Check Point Software that that is where traffic FROM that Subnet will ARRIVE at that interface.

If you take a simple firewall

eth1 - 40.40.40.40/24
eth2 - 10.10.10.10/24
eth3 - 172.16.0.10/24

You then add a route 10.10.20.0/24 via 10.10.10.20 so that the Box knows how to get to the Subnet.

You would have your Address Spoofing Configured as

eth1 - 40.40.40.40/24 - External
eth2 - 10.10.10.10/24 - Internal ( Specific - Group containing 10.10.10.0/24 and 10.10.20.0/24 )
eth3 - 172.16.0.10/24 - Internal - Defined by Interface IP and Subnet Mask


This would then allow

traffic from 10.10.10.0/24 or 10.10.20.0/24 to ARRIVE INBOUND at eth2
If any other IP address outside of those ARRIVES INBOUND at eth2, then it will drop that traffic due to Address Spoofing.
IF you leave the 10.10.20.0/24 out of the Address Spoofing, then any REPLY Traffic would get dropped, as it would not recognise that Traffic with a Source IP in that network should arrive on that interface.

traffic from 172.16.0.0/24 to ARRIVE INBOUND at eth3
If any other IP address outside of that subnet ARRIVES INBOUND at eth3, then it will drop that traffic due to Address Spoofing.

By being marked as External, eth1 will then accept Traffic with a Source IP that is not configured for eth2 or eth3 to ARRIVE INBOUND at eth1.

This is as simple as I can explain it; don't know if anyone else can.
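The mechanism described in Eric's bullet list and in the three-interface walkthrough above, written out as an added example (this is not Check Point code and not from any poster in the thread; the interface names, addresses and the single static route are the constructed values from the walkthrough). It models only the ingress source-address check: a packet's source is compared against the topology of the interface it arrives on, "specific" groups override the interface's own subnet, and an External interface accepts any source not claimed by an internal one. The `audit` function then does what Bob_Zimmerman insists on: it derives the expected per-interface networks from the routing table (the idea behind the later "defined by routes" option) and reports networks that are routed out of an interface but missing from its anti-spoofing group, which is exactly the configuration that drops reply traffic.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Interface:
    name: str
    address: str                 # interface IP with prefix, e.g. "10.10.10.10/24"
    external: bool = False       # True = External topology, False = Internal
    # Hypothetical "specific" group: networks accepted as source on this
    # interface. Empty means "defined by interface IP and net mask".
    specific: list = field(default_factory=list)


@dataclass
class Route:
    prefix: str                  # destination prefix
    interface: str               # egress interface for that destination


def allowed_sources(iface):
    """Networks accepted as source on an internal interface."""
    if iface.specific:
        return [ipaddress.ip_network(n) for n in iface.specific]
    return [ipaddress.ip_interface(iface.address).network]


def internal_networks(interfaces):
    """Every network claimed by some internal interface."""
    nets = []
    for i in interfaces:
        if not i.external:
            nets.extend(allowed_sources(i))
    return nets


def check_source(src_ip, ingress, interfaces):
    """Ingress anti-spoofing check: 'accept' or 'spoofed'."""
    src = ipaddress.ip_address(src_ip)
    iface = next(i for i in interfaces if i.name == ingress)
    if iface.external:
        # External accepts anything not owned by an internal interface.
        return "spoofed" if any(src in n for n in internal_networks(interfaces)) else "accept"
    return "accept" if any(src in n for n in allowed_sources(iface)) else "spoofed"


def topology_from_routes(interfaces, routes):
    """Expected sources per internal interface, derived from the routing table."""
    expected = {}
    for i in interfaces:
        if i.external:
            continue
        nets = {ipaddress.ip_interface(i.address).network}
        for r in routes:
            if r.interface == i.name:
                nets.add(ipaddress.ip_network(r.prefix))
        expected[i.name] = nets
    return expected


def audit(interfaces, routes):
    """Networks routed via an internal interface but absent from its anti-spoofing definition."""
    findings = []
    expected = topology_from_routes(interfaces, routes)
    for i in interfaces:
        if i.external:
            continue
        missing = expected[i.name] - set(allowed_sources(i))
        findings.extend((i.name, str(n)) for n in missing)
    return sorted(findings)


# Constructed sample: the walkthrough's firewall with the route for 10.10.20.0/24 via eth2.
ROUTES = [Route("10.10.20.0/24", "eth2")]

INTERFACES_GOOD = [
    Interface("eth1", "40.40.40.40/24", external=True),
    Interface("eth2", "10.10.10.10/24", specific=["10.10.10.0/24", "10.10.20.0/24"]),
    Interface("eth3", "172.16.0.10/24"),
]

# Same box, but 10.10.20.0/24 was left out of the eth2 group.
INTERFACES_BAD = [
    Interface("eth1", "40.40.40.40/24", external=True),
    Interface("eth2", "10.10.10.10/24"),
    Interface("eth3", "172.16.0.10/24"),
]

if __name__ == "__main__":
    for cfg, label in ((INTERFACES_GOOD, "good"), (INTERFACES_BAD, "bad")):
        print(label, "reply from 10.10.20.5 on eth2:", check_source("10.10.20.5", "eth2", cfg))
        print(label, "audit:", audit(cfg, ROUTES))
    print("internal source arriving on External eth1:", check_source("10.10.10.5", "eth1", INTERFACES_GOOD))
```

Run as a script it prints the accept/spoofed verdict for a reply from 10.10.20.0/24 arriving on eth2 under both configurations and the audit findings for each; the "bad" configuration drops the reply and the audit names the missing network. The thread also notes (PhoneBoy's reply) that a post-routing check exists on the gateway; that is deliberately not modelled here.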

PhoneBoy
2018-08-29, 02:02
- Anti-spoofing basically doesn't care about the destination. If enabled on an interface, it simply compares the source address of inbound traffic (traffic just entering the firewall) against the topology definition of that interface. If the source isn't included in the selected anti-spoofing option, then it's considered "spoofed" and either prevented or detected (based on setting).

This is not true as anti-spoofing checks also occur after the traffic is routed.
In fact, I had an FAQ about this exact issue back in the day.
There's probably a copy of it somewhere on this site, but I decided to resurrect the link here: https://phoneboy.com/fw1/faq/0143.html