CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Antispoofing problem

  1. #1
    Join Date
    2016-02-05
    Posts
    7
    Rep Power
    0

    Antispoofing problem

    I have a VSX cluster in HA mode with a virtual switch and 3 instances: A, B, C.

    Topology of instance A is:

    Netw1_A------|
                 |-- Virtual FW A ----- Warplink_A
    Netw2_A------|

    Netw1_A : 10.10.10.0/24

    Netw2_A : 10.10.20.0/24


    Same for all instances. I moved Netw1_A to a new instance D and I have configured policy, routing and antispoofing.

    Now, if I ping from Netw2_A to Netw1_D (my old Netw1 on instance A), on smarttrack I see this:

    from 10.10.10.11 to 10.10.20.151 Allow - interface Eth2 - origin virtual FWA
    from 10.10.10.11 to 10.10.20.151 Allow - interface warplink_D - origin virtual FWD
    from 10.10.10.11 to 10.10.20.151 Deny - interface warplink_A - origin virtual FWA

  2. #2
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    1,016
    Rep Power
    13

    Re: Antispoofing problem

    VSX is using automatic calculation of anti-spoofing by default. Did you change that by any chance?

    If handled automatically, no issue should arise in the first place.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  3. #3
    Join Date
    2016-02-05
    Posts
    7
    Rep Power
    0

    Re: Antispoofing problem

    Originally posted by varera:
    > VSX is using automatic calculation of anti-spoofing by default. Did you change that by any chance?
    >
    > If handled automatically, no issue should arise in the first place.

    Any change. I think there is a problem with my instance A. I did some tests.

    From instance B, ping to network1_D is OK. I see the source IP address of instance B, 192.168.3.5.
    From instance A, ping to network1_D, I see 3 logs:
    I see source IP address 192.168.196.120 natted with IP address of instance A 192.168.3.4 natted with rule 0... Allow
    I see source IP address of instance A 192.168.3.4 Allow
    I see source IP address 192.168.196.120 natted with IP address of instance A 192.168.3.4 natted with rule 0... Deny from interface warplink_A by antispoofing

  4. #4
    Join Date
    2016-02-05
    Posts
    7
    Rep Power
    0

    Re: Antispoofing problem

    I think that I have a problem with the automatic topology calculation.

    I did another test:

    from 10.10.20.151 to 10.10.10.11 Deny - interface warplink_A - origin virtual FWA

    from 10.10.10.11 to 10.10.20.151 Deny - interface warplink_A - origin virtual FWA

    Warp link in topology is external and eth1 of FWD and eth2 of FWA are internal.
    Now I created a group with net1 and net2 and I checked "don't check packet from" and now it works...

    It seems that antispoofing thinks internal networks are external and vice versa.

  5. #5
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    1,016
    Rep Power
    13

    Re: Antispoofing problem

    I am sorry, but this does not make any sense. You can only create exclusions IF automatic anti-spoofing is disabled.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/
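
Added example, not written by any poster in this thread and not Check Point code: a simplified model of interface-based anti-spoofing, showing how the Deny on warplink_A for source 10.10.10.11 depends on which networks the gateway's topology counts as internal. The two topology dictionaries and the interface name eth1 are assumptions; the thread does not establish what topology instance A actually held.

```python
import ipaddress

def antispoof_verdict(topology, in_iface, src):
    """Return 'Allow' or 'Deny' for a packet arriving on in_iface with source src.

    topology maps interface name -> list of CIDRs behind it, or "external".
    Simplified model: an internal interface accepts only sources from its own
    networks; an external interface accepts everything EXCEPT sources that
    belong behind some internal interface of the same firewall.
    """
    ip = ipaddress.ip_address(src)
    internal = {
        name: [ipaddress.ip_network(n) for n in nets]
        for name, nets in topology.items() if nets != "external"
    }
    if in_iface in internal:
        ok = any(ip in net for net in internal[in_iface])
    else:
        ok = not any(ip in net for nets in internal.values() for net in nets)
    return "Allow" if ok else "Deny"

# Constructed topologies for virtual FW A (eth1 is a hypothetical interface name).
# STALE_A: Netw1 (10.10.10.0/24) is still counted as internal to instance A.
STALE_A = {"eth1": ["10.10.10.0/24"], "eth2": ["10.10.20.0/24"],
           "warplink_A": "external"}
# UPDATED_A: Netw1 has moved to instance D and is reached through the warp link.
UPDATED_A = {"eth2": ["10.10.20.0/24"], "warplink_A": "external"}

# Packets taken from the log lines in the thread: (ingress interface, source).
PACKETS = [("warplink_A", "10.10.10.11"),
           ("warplink_A", "10.10.20.151"),
           ("eth2", "10.10.20.151")]

def demo():
    """Evaluate every sample packet against both topologies."""
    return [(label, iface, src, antispoof_verdict(topo, iface, src))
            for label, topo in (("stale", STALE_A), ("updated", UPDATED_A))
            for iface, src in PACKETS]

if __name__ == "__main__":
    for row in demo():
        print("%-8s %-11s %-13s %s" % row)
```

In this model a source from 10.10.20.0/24 arriving on warplink_A is denied under both topologies, because that network sits behind eth2 of the same firewall; a log like that usually calls for checking routing as well as topology.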
