CPUG: The Check Point User Group


Thread: Traffic destined for Private IP Address that does not exist - AntiSpoofing

  #1

    Traffic destined for Private IP Address that does not exist - AntiSpoofing

    I have been reviewing firewall logs and noticed quite a bit of Anti-Spoofing traffic. We run OSPF on our enterprise but static routing on the firewall. On our core internal routers we have a gateway of last resort (default route) that sends everything to the firewall. On the other side of our firewalls we have our core Internet routers that connect to our service providers.

    It looks like when traffic is destined for an IP address that does not exist on our network, the traffic hits the firewall and gets NAT'd behind our Hide NAT policy like it's going to the Internet.

    The logs show this traffic hitting the appropriate allow rule and it goes out the Internal Interface which would be correct. Then there is a log message that shows this traffic being dropped because of Anti-Spoofing with our Hide Behind NAT (External IP) going out the same Internal Interface.

    I understand that Anti-Spoofing is working like it should in this instance, because the same Internal interface sees this traffic with an external Internet address (our hide-behind NAT) trying to go outbound. I feel we must not have something set up quite correctly. I am not sure if we are missing something that would prevent this traffic that is destined for a private IP that does not exist on our network from even getting NAT'd behind our hide-behind policy rule, or if we need to adjust our Topology for Anti-Spoofing.

    An example of this would be a Monitor Server that manages devices with SNMP/161 and a managed device is removed from the network but the Monitor Server is still trying to reach this device over SNMP/161. This traffic makes it to the firewall, gets NAT'd behind our hide NAT, and then dropped due to Anti-Spoofing.

    We are running GAIA R80.10 on 15600 appliances.

    Topology
    eth2-01 Internal
    Leads To Override - This Network (Internal) with a Specific group that is defined with 3 super networks (the 3 RFC1918 networks).
    Anti-Spoofing is set to Perform on interface and Prevent with Log.

    Thanks in advance!

  #2
    Location: Gig Harbor, WA, USA

    Re: Traffic destined for Private IP Address that does not exist - AntiSpoofing

    There should be a rule above your Internet HIDE NAT rule that says something like: internal-nets internal-nets any orig orig orig
    This tells the gateway NOT to NAT the traffic, which I think is the behavior you're expecting.
    It will certainly stop the anti-spoofing triggers.
    The more secure approach would be to just drop the traffic at the firewall.
    http://phoneboy.com
    Unless otherwise noted, views expressed are my own

  #3

    Re: Traffic destined for Private IP Address that does not exist - AntiSpoofing

    Thanks for the reply, and the NAT suggestion definitely makes sense. I agree that since this traffic is destined for an internal address that does not exist, it would probably be best to drop the traffic. With the size of our organization and network we would need a way to block it without having to continually change rules to accommodate. Are there any options to block/drop this outbound traffic to private IPs? Thanks.

  #4
    Location: Gig Harbor, WA, USA

    Re: Traffic destined for Private IP Address that does not exist - AntiSpoofing

    In my policy, I have a rulebase (specifically an inline layer) that deals explicitly with traffic destined for the RFC1918 address space:

    [Screenshot: inline layer rulebase for traffic destined to RFC1918 address space (Screen Shot 2017-08-14 at 5.49.31 PM.png)]

    Basically, what I'm doing here is:

    1. Allowing specific traffic flows across subnets that I want to allow
    2. Dropping everything else

    Granted, my policy is simpler than is likely required in your environment, but hopefully it will give you an idea :)

  #5

    Re: Traffic destined for Private IP Address that does not exist - AntiSpoofing

    We ended up creating a rule to drop traffic from RFC1918 networks (excluding our DMZ networks) destined to RFC1918 networks (excluding our DMZ networks).
    Thanks PhoneBoy!
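The following is an added example, not code from this thread or from Check Point. It is a small Python model of the order in which the gateway evaluates the access policy, the NAT rulebase, static routing and outbound anti-spoofing, written to reproduce the drop described in post #1 and to show why both fixes work: the no-NAT "orig orig orig" rule above the Hide NAT rule from post #2, and the inline layer / RFC1918-to-RFC1918 drop rule from posts #4 and #5. All addresses, interface names, routes and the monitoring host are constructed, and the outbound anti-spoofing check is modelled the way the thread describes it (the source address after NAT must belong to the egress interface's topology) rather than taken from Check Point's implementation.

```python
"""Model of access policy -> NAT -> routing -> outbound anti-spoofing on a
Check Point-style gateway. Added example; all values below are constructed."""
from ipaddress import ip_address, ip_network

ANY = None  # wildcard in a rule column


class Group:
    """A network group with optional exceptions (a negated sub-group)."""

    def __init__(self, nets, exclude=()):
        self.nets = [ip_network(n) for n in nets]
        self.exclude = [ip_network(n) for n in exclude]

    def __contains__(self, ip):
        ip = ip_address(ip)
        return any(ip in n for n in self.nets) and not any(ip in n for n in self.exclude)


def col_match(col, ip):
    return col is ANY or ip in col


# Constructed topology: eth2-01 leads to the three RFC1918 supernets (as in post #1),
# eth1-01 is the external interface. The DMZ net lives inside 172.16/12 here.
RFC1918 = Group(["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"])
INTERNAL_NO_DMZ = Group(["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
                        exclude=["172.16.50.0/24"])
HIDE_IP = "203.0.113.10"  # constructed external Hide NAT address (TEST-NET-3)

# Static routes, longest prefix wins; the RFC1918 space points back at the core router.
ROUTES = [("10.0.0.0/8", "eth2-01"), ("172.16.0.0/12", "eth2-01"),
          ("192.168.0.0/16", "eth2-01"), ("0.0.0.0/0", "eth1-01")]
TOPOLOGY = {"eth2-01": RFC1918, "eth1-01": ANY}  # ANY = "External (Internet)"


def route(dst):
    """Longest-prefix match over ROUTES; returns the egress interface name."""
    best = max(ROUTES, key=lambda r: ip_network(r[0]).prefixlen
               if ip_address(dst) in ip_network(r[0]) else -1)
    return best[1]


def access(rules, src, dst, dport):
    """First match wins. An action that is a list is an inline layer, which
    has its own implicit cleanup drop for anything it does not match."""
    for rsrc, rdst, rport, action in rules:
        if col_match(rsrc, src) and col_match(rdst, dst) and rport in (ANY, dport):
            if isinstance(action, list):
                return access(action, src, dst, dport)
            return action
    return "drop"  # implicit cleanup rule


def nat(rules, src, dst):
    """First matching NAT rule; None in the translate column means 'orig' (no NAT)."""
    for rsrc, rdst, xlate in rules:
        if col_match(rsrc, src) and col_match(rdst, dst):
            return xlate or src
    return src


def forward(policy, nat_rules, src, dst, dport):
    """Return (verdict, reason, source address on the wire, egress interface)."""
    if access(policy, src, dst, dport) != "accept":
        return ("drop", "access policy", src, None)
    wire_src = nat(nat_rules, src, dst)          # NAT is applied after the rulebase
    iface = route(dst)
    topo = TOPOLOGY[iface]
    if topo is not ANY and wire_src not in topo:  # outbound anti-spoofing, as in post #1
        return ("drop", "anti-spoofing", wire_src, iface)
    return ("accept", "forwarded", wire_src, iface)


# Starting point from post #1: a permissive rule and only a Hide NAT rule.
ORIGINAL_POLICY = [(RFC1918, ANY, ANY, "accept")]
ORIGINAL_NAT = [(RFC1918, ANY, HIDE_IP)]

# Fix from post #2: internal-nets -> internal-nets -> orig, above the Hide NAT rule.
FIXED_NAT = [(RFC1918, RFC1918, None), (RFC1918, ANY, HIDE_IP)]

# Fix from posts #4/#5: an inline layer for private-to-private traffic (DMZ excluded)
# that allows the wanted flows, here a monitoring host polling SNMP on a live subnet,
# and drops everything else via the layer's implicit cleanup rule.
MONITOR = Group(["10.1.1.50/32"])
FIXED_POLICY = [
    (INTERNAL_NO_DMZ, INTERNAL_NO_DMZ, ANY, [
        (MONITOR, Group(["10.1.0.0/16"]), 161, "accept"),
    ]),
    (RFC1918, ANY, ANY, "accept"),
]

if __name__ == "__main__":
    cases = [("10.1.1.50", "10.5.5.5", 161),       # SNMP to a host that no longer exists
             ("10.1.1.50", "10.1.2.3", 161),       # SNMP to a live subnet
             ("10.1.1.50", "172.16.50.10", 443),   # to the DMZ
             ("10.1.1.50", "198.51.100.7", 443)]   # to the Internet
    for label, pol, natr in [("original", ORIGINAL_POLICY, ORIGINAL_NAT),
                             ("no-NAT rule", ORIGINAL_POLICY, FIXED_NAT),
                             ("inline layer + no-NAT", FIXED_POLICY, FIXED_NAT)]:
        for src, dst, port in cases:
            print(f"{label:22} {src} -> {dst}:{port}  {forward(pol, natr, src, dst, port)}")
```

Running it prints the first case under the original policy as an anti-spoofing drop with the hide address as source on eth2-01, the same case under the no-NAT rule as forwarded with the original source, and under the inline layer as dropped by the access policy before NAT ever runs; Internet-bound traffic still gets the hide address and leaves eth1-01 in every configuration.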
