CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.




Thread: incoming through 'MGMT' and outgoing through 'DATA' under anti-spoofing 'detect' mode

#1

    Hi All.

I have a concern about the anti-spoofing configuration on the firewall.

We have a router to manage over the firewall. Also, the jump server needs to access both the router and the firewall.

On the firewall there are two interfaces: one is for data, the other is the MGMT interface. Anti-spoofing is configured with the action set to 'prevent' on both interfaces.

From the jump server, the jump server will head to the firewall MGMT interface IP address, and will head to the router loopback interface, managing each of them through the MGMT interface.

We have a challenge to consolidate these two interfaces into one interface. I will follow these steps:

1. Copy the MGMT interface anti-spoofing object to the data interface, and keep the anti-spoofing object on the MGMT interface with the anti-spoofing configuration set to 'detect', not dropping any traffic.
2. Change the jump server routing back from the MGMT interface to the data interface.

If so, I think there is no issue accessing the router from the jump server over the firewall through the new management interface. However, if the jump server needs to reach the firewall MGMT interface, then the traffic would be going in through 'MGMT' and out through the 'DATA' interface.

In this situation, is there no issue accessing the firewall MGMT interface from the jump server? The key point of my concern is traffic going in through 'MGMT' and out through 'DATA' with the MGMT interface anti-spoofing action set to 'detect' mode.

#2

I don't entirely understand your explanation. I did understand that you're trying to eliminate one of these two interfaces, Mgmt or DATA.

The primary principle of anti-spoofing is that the anti-spoofing configuration should mirror your routing table, specific to that interface.
    Anti-spoofing only examines the Source IP of inbound packets.

Since you're trying to rid yourself of one of these two interfaces, I'd suggest that you look at the routes that exit these two interfaces and combine them into a single group. Then attach that group to both interfaces' anti-spoofing. Simple as that.

1. List the networks that route out of Mgmt and/or DATA. Include the directly connected subnet(s).
2. Create network objects for the above networks.
3. Put the above network objects into a group; we'll call it SPF-firewallname-Mgmt.
4. In the anti-spoofing of Mgmt, use the Specific group SPF-firewallname-Mgmt.
5. In the anti-spoofing of DATA, use the Specific group SPF-firewallname-Mgmt.
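The two points the reply rests on, that the Specific group should mirror the routes leaving each interface and that anti-spoofing looks only at the source IP of an inbound packet, can be checked with a small model. The following is an added example, not code from the thread or from Check Point; the routing table, interface names and addresses are constructed for illustration, and the verdict logic is a simplified model of detect/prevent behaviour, not the gateway's implementation. It derives one combined group from the routes out of Mgmt and DATA (steps 1-3), attaches it to both interfaces (steps 4-5), and then evaluates the asker's case of a packet arriving on Mgmt whose reply leaves via DATA.

```python
import ipaddress

# Constructed sample routing table (an assumption, not from the thread):
# (destination prefix, egress interface). The default route marks the
# external side and never belongs in a Specific group.
ROUTES = [
    ("10.10.0.0/24", "Mgmt"),     # directly connected Mgmt subnet
    ("10.20.0.0/24", "Mgmt"),     # jump-server subnet, routed via Mgmt
    ("172.16.0.0/24", "DATA"),    # directly connected DATA subnet
    ("172.16.100.0/24", "DATA"),  # router loopback range, routed via DATA
    ("0.0.0.0/0", "External"),    # default route; skipped below
]


def networks_behind(routes, interfaces):
    """Steps 1-3 of the reply: collect the networks that route out of the
    given interfaces (directly connected ones included) into one group,
    the way SPF-firewallname-Mgmt would be built. 0.0.0.0/0 is dropped
    because a Specific group cannot contain a default route."""
    nets = set()
    for dest, iface in routes:
        net = ipaddress.ip_network(dest, strict=False)
        if iface in interfaces and net.prefixlen > 0:
            nets.add(net)
    return sorted(nets)


def assign_group(interfaces, group):
    """Steps 4-5: attach the same Specific group to every listed interface."""
    return {iface: list(group) for iface in interfaces}


def anti_spoofing(src_ip, in_iface, topology, action):
    """Model of the check: only the source IP of an inbound packet is
    compared with the topology of the interface it arrived on. Returns
    (verdict, logged). 'detect' logs but accepts; 'prevent' logs and drops."""
    ip = ipaddress.ip_address(src_ip)
    legitimate = any(ip in net for net in topology.get(in_iface, []))
    if legitimate:
        return ("accept", False)
    if action == "detect":
        return ("accept", True)
    return ("drop", True)


def simulate(src_ip, in_iface, out_iface, topology, action):
    """The asker's scenario: packet in via in_iface, reply out via out_iface.
    The egress interface is recorded only to show it does not affect the
    verdict; anti_spoofing() never looks at it."""
    verdict, logged = anti_spoofing(src_ip, in_iface, topology, action)
    return {"in": in_iface, "out": out_iface, "verdict": verdict, "logged": logged}


if __name__ == "__main__":
    group = networks_behind(ROUTES, {"Mgmt", "DATA"})
    topo = assign_group(["Mgmt", "DATA"], group)
    print("SPF group:", [str(n) for n in group])
    # Jump server 10.20.0.5 arrives on Mgmt, reply leaves via DATA: passes.
    print(simulate("10.20.0.5", "Mgmt", "DATA", topo, "detect"))
    # A source outside every listed network arriving on Mgmt.
    print(simulate("203.0.113.9", "Mgmt", "DATA", topo, "detect"))
    print(simulate("203.0.113.9", "Mgmt", "DATA", topo, "prevent"))
```

Run it as-is to see that the jump-server packet is accepted without a log entry whichever way the reply is routed, while an address that appears in neither interface's routes is logged in detect mode and dropped in prevent mode. Before consolidating, compare the group the script derives from the gateway's real routing table with what is currently configured on each interface; any network missing from the group is a source that prevent mode will silently drop once the change is made.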
