CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: Anti-Spoofing in same network segment

  1. #1
    Join Date
    2017-04-08
    Posts
    1
    Rep Power
    0

    Default Anti-Spoofing in same network segment

    Hi All,

    Please help me to understand anti-spoofing in the same network segment. For example: I have 2 hosts (Host 1: 10.0.0.1/24 & Host 2: 10.0.0.2/24). Both hosts reside on the internal side of the firewall. Firewall internal port IP: 10.0.0.254/24. Now, if Host 2 spoofs Host 1's IP address and sends traffic towards the outside, how will anti-spoofing work in this case? How will the firewall detect that this is a spoofed IP address?

    Thanks

  2. #2
    Join Date
    2014-09-02
    Posts
    261
    Rep Power
    10

    Default Re: Anti-Spoofing in same network segment

    Very common question and often misunderstood. It's one of Check Point's least intuitive settings.

    Basically, the Anti-Spoofing setting on an interface determines which source IP addresses are valid to enter through that interface. If a packet comes in through eth0 with a source that's not in eth0's "topology", anti-spoofing will drop it (if active).

    A simple guideline is often routing. In most cases, you'll also need static routes defined for any internal networks/hosts that aren't connected to the same subnet as the interface. In other words, look at your routing entries, and make sure any static routing is accounted for in the topology.

    In your example, anti-spoofing will do nothing. If the two hosts are on the same network, and that network is included in the anti-spoofing definition, the traffic will be considered valid. Usually, spoofing is used to reach a network that you're not actually on.

    -E

  3. #3
    Join Date
    2013-09-25
    Location
    Bucharest
    Posts
    560
    Rep Power
    4

    Default Re: Anti-Spoofing in same network segment

    Quote Originally Posted by EricAnderson
    Very common question and often misunderstood. It's one of Check Point's least intuitive settings.

    Basically, the Anti-Spoofing setting on an interface determines which source IP addresses are valid to enter through that interface. If a packet comes in through eth0 with a source that's not in eth0's "topology", anti-spoofing will drop it (if active).

    A simple guideline is often routing. In most cases, you'll also need static routes defined for any internal networks/hosts that aren't connected to the same subnet as the interface. In other words, look at your routing entries, and make sure any static routing is accounted for in the topology.

    In your example, anti-spoofing will do nothing. If the two hosts are on the same network, and that network is included in the anti-spoofing definition, the traffic will be considered valid. Usually, spoofing is used to reach a network that you're not actually on.

    -E
    Do you know why CP doesn't migrate the AS settings from the old way to using the routing table?

  4. #4
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    865
    Rep Power
    12

    Default Re: Anti-Spoofing in same network segment

    Quote Originally Posted by laf_c
    Do you know why CP doesn't migrate the AS settings from the old way to using the routing table?
    Automated AS is already there for VSX.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  5. #5
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,251
    Rep Power
    14

    Default Re: Anti-Spoofing in same network segment

    To be clear, when you do a "get topology" on a regular gateway, the settings are populated from the routing table.
    What you're probably looking for is a way to dynamically update the setting as the routing changes.
    Right now, that's not a supported feature, though it may be something supported in the future.
    http://phoneboy.com
    Unless otherwise noted, views expressed are my own
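To make the mechanism in posts #2 and #5 concrete, here is an added Python model that is not Check Point code and was not posted by anyone in this thread. It does two things the thread describes: derives a per-interface topology from a routing table the way "get topology" does (the interface carrying the default route becomes External), and then applies the check from post #2 to a few packets, including the original poster's case of Host 2 sending with Host 1's address. A third function audits a hand-maintained topology against the routing table, which is the static-route pitfall post #2 warns about. The interface names, the external side 203.0.113.2/30 with upstream 203.0.113.1, and the static route 10.1.0.0/24 via 10.0.0.1 are assumptions for the example; only 10.0.0.0/24 with the gateway at 10.0.0.254 comes from the thread.

```python
import ipaddress

# Constructed routing table for the gateway described in post #1:
# eth0 (internal) is 10.0.0.254/24. The external interface eth1, its address
# 203.0.113.2/30, the upstream gateway 203.0.113.1, and a static route for
# 10.1.0.0/24 via an internal router at 10.0.0.1 are assumptions for this
# example; nothing in the thread specifies them.
ROUTES = [
    # (destination, outgoing interface, next hop or None if directly connected)
    ("10.0.0.0/24",    "eth0", None),
    ("203.0.113.0/30", "eth1", None),
    ("10.1.0.0/24",    "eth0", "10.0.0.1"),
    ("0.0.0.0/0",      "eth1", "203.0.113.1"),
]


def get_topology(routes):
    """Model of "get topology": derive each interface's valid source
    networks from the routing table. Every connected or static route
    contributes its destination to the outgoing interface's topology; the
    interface that carries the default route is treated as External and
    accepts any source not claimed by an internal interface."""
    topology = {}
    external = None
    for dest, iface, _next_hop in routes:
        net = ipaddress.ip_network(dest)
        if net.prefixlen == 0:
            external = iface
        else:
            topology.setdefault(iface, []).append(net)
    return topology, external


def anti_spoof_check(topology, external, in_iface, src_ip):
    """Return ("accept" | "drop", reason) for a packet with source src_ip
    arriving on in_iface. The gateway only sees this pair; which host on the
    wire actually sent the frame is not part of the decision."""
    src = ipaddress.ip_address(src_ip)
    if in_iface == external:
        for iface, nets in topology.items():
            if iface != external and any(src in n for n in nets):
                return "drop", f"{src} belongs to {iface}'s topology but arrived on {in_iface}"
        return "accept", f"{src} is an acceptable external source"
    nets = topology.get(in_iface, [])
    if any(src in n for n in nets):
        return "accept", f"{src} is within {in_iface}'s topology"
    return "drop", f"{src} is outside {in_iface}'s topology {[str(n) for n in nets]}"


def routes_missing_from_topology(configured, routes):
    """Audit for the pitfall in post #2: return (interface, network) for every
    non-default route whose destination is not covered by that interface's
    configured topology (a dict of interface -> list of CIDR strings).
    Traffic sourced from such a network would be dropped as spoofed."""
    missing = []
    for dest, iface, _next_hop in routes:
        net = ipaddress.ip_network(dest)
        if net.prefixlen == 0:
            continue
        covered = [ipaddress.ip_network(n) for n in configured.get(iface, [])]
        if not any(net.subnet_of(c) for c in covered):
            missing.append((iface, str(net)))
    return missing


if __name__ == "__main__":
    topology, external = get_topology(ROUTES)
    print("derived topology:", {i: [str(n) for n in nets] for i, nets in topology.items()},
          "external:", external)
    packets = [
        ("eth0", "10.0.0.1"),      # Host 1 sending normally
        ("eth0", "10.0.0.1"),      # Host 2 spoofing Host 1: identical pair, cannot be told apart
        ("eth0", "10.1.0.5"),      # behind the static route: valid only because the route is in topology
        ("eth0", "192.168.1.1"),   # source not routed via eth0: dropped
        ("eth1", "10.0.0.1"),      # internal address arriving from outside: the classic spoof, dropped
        ("eth1", "198.51.100.7"),  # ordinary Internet source
    ]
    for iface, src in packets:
        verdict, reason = anti_spoof_check(topology, external, iface, src)
        print(f"{iface} {src:15} -> {verdict:6} ({reason})")
    # A topology defined by hand before the 10.1.0.0/24 static route was added:
    stale = {"eth0": ["10.0.0.0/24"], "eth1": ["203.0.113.0/30"]}
    print("routes not covered by topology:", routes_missing_from_topology(stale, ROUTES))
```

The point of the second packet in the list is the answer to the original question: from the gateway's side, Host 2 forging 10.0.0.1 produces exactly the same (eth0, 10.0.0.1) pair as Host 1's own traffic, so an address-range check per interface has nothing to match against. Catching that would have to happen on the access switch (binding a port to an IP/MAC), not in the firewall's topology. The model also simplifies the product: the real setting has a Detect mode that logs instead of dropping, and the External interface's accepted range can be narrowed further; neither is modelled here.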

  6. #6
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,208
    Rep Power
    7

    Default Re: Anti-Spoofing in same network segment

    Quote Originally Posted by PhoneBoy
    To be clear, when you do a "get topology" on a regular gateway, the settings are populated from the routing table.
    What you're probably looking for is a way to dynamically update the setting as the routing changes.
    Right now, that's not a supported feature, though it may be something supported in the future.
    *cough cough cough* small office appliance *cough cough cough* topology *cough cough cough* automatically calculated by the gateway, based on the gateway's Routing Table *cough cough cough*

    Man, I am not feeling well.

  7. #7
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,251
    Rep Power
    14

    Default Re: Anti-Spoofing in same network segment

    You should do something about that cough. :P
    http://phoneboy.com
    Unless otherwise noted, views expressed are my own

  8. #8
    Join Date
    2013-09-25
    Location
    Bucharest
    Posts
    560
    Rep Power
    4

    Default Re: Anti-Spoofing in same network segment

    Quote Originally Posted by jflemingeds
    *cough cough cough* small office appliance *cough cough cough* topology *cough cough cough* automatically calculated by the gateway, based on the gateway's Routing Table *cough cough cough*

    Man, I am not feeling well.
    Good one!
