CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Antispoofing problem

  1. #1
    Join Date
    2016-02-05
    Posts
    7
    Rep Power
    0

    Default Antispoofing problem

    I have a VSX cluster in HA mode with a virtual switch and 3 instances: A, B, C.

    Topology of instance A is:

    Netw1_A------|
                 |-- Virtual FW A ----- Warplink_A
    Netw2_A------|

    Netw1_A : 10.10.10.0/24

    Netw2_A : 10.10.20.0/24


    Same for all instances. I moved Netw1_A to a new instance D and I have configured policy, routing and antispoofing.

    Now, if I ping from Netw2_A to Netw1_D (my old Netw1 on instance A), on smarttrack I see this:

    from 10.10.10.11 to 10.10.20.151 Allow - interface Eth2 - origin virtual FWA
    from 10.10.10.11 to 10.10.20.151 Allow - interface warplink_D - origin virtual FWD
    from 10.10.10.11 to 10.10.20.151 Deny - interface warplink_A - origin virtual FWA

  2. #2
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    938
    Rep Power
    12

    Default Re: Antispoofing problem

    VSX is using automatic calculation of anti-spoofing by default. Did you change that by any chance?

    If handled automatically, no issue should arise in the first place.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  3. #3
    Join Date
    2016-02-05
    Posts
    7
    Rep Power
    0

    Default Re: Antispoofing problem

    Any change. I think there is a problem with my instance A. I did some tests.

    From instance B, ping to network1_D is OK. I see the source IP address of instance B, 192.168.3.5.
    From instance A, ping to network1_D, I see 3 logs:
    I see source IP address 192.168.196.120 natted with the IP address of instance A, 192.168.3.4, natted with rule 0... Allow
    I see the source IP address of instance A, 192.168.3.4: Allow
    I see source IP address 192.168.196.120 natted with the IP address of instance A, 192.168.3.4, natted with rule 0... Deny from interface warplink_A by antispoofing

  4. #4
    Join Date
    2016-02-05
    Posts
    7
    Rep Power
    0

    Default Re: Antispoofing problem

    I think that I have a problem with the automatic topology calculation.

    I did another test:

    from 10.10.20.151 to 10.10.10.11 Deny - interface warplink_A - origin virtual FWA

    from 10.10.10.11 to 10.10.20.151 Deny - interface warplink_A - origin virtual FWA

    The warp link in the topology is external, and eth1 of FWD and eth2 of FWA are internal.
    Now I created a group with net1 and net2 and I checked "Don't check packets from" and now it works...

    It seems that antispoofing thinks internal networks are external and vice versa.

  5. #5
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    938
    Rep Power
    12

    Default Re: Antispoofing problem

    I am sorry, but this does not make any sense. You can only create exclusions IF automatic anti-spoofing is disabled.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/
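
Added example, not part of any post in this thread and not Check Point code: a simplified Python model of a per-interface anti-spoofing decision, run against the addresses and the warplink_A interface quoted in the thread. The rules in the comments, the interface name `old_netw1_if` and both FW A topologies are assumptions for illustration; the thread does not establish the actual cause of the drops.

```python
from ipaddress import ip_address, ip_network

# Networks as given in the first post.
NETW1 = ip_network("10.10.10.0/24")
NETW2 = ip_network("10.10.20.0/24")


def antispoof_verdict(topology, in_iface, src, exclusions=()):
    """Return 'Allow' or 'Deny' for a packet with source `src` arriving on `in_iface`.

    topology maps interface name -> (role, networks behind it), role being
    "internal" or "external". Simplified model, assumed for this example.
    """
    src = ip_address(src)
    role, behind = topology[in_iface]
    if role == "internal":
        # Internal interface: the source must belong to a network defined behind it.
        return "Allow" if any(src in n for n in behind) else "Deny"
    # External interface: sources in the exclusion group are not checked.
    if any(src in n for n in exclusions):
        return "Allow"
    # Otherwise a source that belongs behind any internal interface counts as spoofed.
    for other_role, nets in topology.values():
        if other_role == "internal" and any(src in n for n in nets):
            return "Deny"
    return "Allow"


# Hypothetical: FW A still lists Netw1 behind an internal interface after the move to D.
FWA_STALE = {
    "old_netw1_if": ("internal", [NETW1]),  # hypothetical interface name
    "eth2": ("internal", [NETW2]),
    "warplink_A": ("external", []),
}
# Hypothetical: FW A once Netw1 is no longer behind any of its interfaces.
FWA_UPDATED = {
    "eth2": ("internal", [NETW2]),
    "warplink_A": ("external", []),
}

if __name__ == "__main__":
    cases = [
        ("stale topology", FWA_STALE, ()),
        ("stale topology + exclusion group", FWA_STALE, (NETW1, NETW2)),
        ("updated topology", FWA_UPDATED, ()),
    ]
    for name, topo, excl in cases:
        print(name, "->", antispoof_verdict(topo, "warplink_A", "10.10.10.11", excl))
```

In this model, excluding both networks on the external interface makes the Deny disappear without correcting the topology, so the exclusion also removes the spoofing check for those sources on that interface.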
