CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: How to install policy with comms from mgmt server blocked by antispoofing

  1. #1
    Join Date
    2017-11-01
    Posts
    37
    Rep Power
    0

    How to install policy with comms from mgmt server blocked by antispoofing

    Hi all,
    As subject says, any way to get a policy to a gateway that has comms to and from management server blocked by anti spoofing?

    fw fetch no luck either.

    My only other solution is fw unloadlocal.

    Regards

  2. #2
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,220
    Rep Power
    13

    Re: How to install policy with comms from mgmt server blocked by antispoofing

    Obviously you didn't see my CPX presentation.

    fw ctl set int fw_antispoofing_enabled 0
    sim feature anti_spoofing off ; fwaccel off ; fwaccel on
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com

  3. #3
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,480
    Rep Power
    16

    Re: How to install policy with comms from mgmt server blocked by antispoofing

    You can see Tim's excellent presentation at CPX (as well as a bunch of other ones) here: https://community.checkpoint.com/doc...60-slides-2018
    You can also see a video of me poorly presenting said presentation
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  4. #4
    Join Date
    2017-11-01
    Posts
    37
    Rep Power
    0

    Re: How to install policy with comms from mgmt server blocked by antispoofing

    All,

    I did see your presentation! I was there, and I have used the command several times but they are not working in this instance. Traffic still dropped by local interface address spoofing.

    Would this work for local interface spoofing?

    Also struggling to figure out why on earth it is getting dropped. All static routes seem fine.

  5. #5
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,623
    Rep Power
    9

    Re: How to install policy with comms from mgmt server blocked by antispoofing

    Originally posted by JPYDX:
    All,

    I did see your presentation! I was there, and I have used the command several times but they are not working in this instance. Traffic still dropped by local interface address spoofing.

    Would this work for local interface spoofing?

    Also struggling to figure out why on earth it is getting dropped. All static routes seem fine.

    That is a completely different beast. Interface spoofing cannot be addressed with address spoofing.

    Do you by chance have more than one cluster on the same VLAN? What about checking for IP conflicts? Could also be a route loop combined with hide NAT to cluster VIP.

  6. #6
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,220
    Rep Power
    13

    Re: How to install policy with comms from mgmt server blocked by antispoofing

    Originally posted by JPYDX:
    All,

    I did see your presentation! I was there, and I have used the command several times but they are not working in this instance. Traffic still dropped by local interface address spoofing.

    Would this work for local interface spoofing?

    Also struggling to figure out why on earth it is getting dropped. All static routes seem fine.

    fw ctl set int fw_local_interface_anti_spoofing 0

    I don't think you need to turn this off in SecureXL as well. Frankly you have something else seriously wrong if you need to disable this, and I doubt everything will start working when you do.
    Last edited by ShadowPeak.com; 2018-03-09 at 09:09.
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com
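
Added example, not part of any post in this thread and not Check Point code: a simplified Python model of the two checks discussed above, showing why setting fw_antispoofing_enabled to 0 does not stop drops reported as local interface address spoofing. The gateway, its interface names and addresses, and the order of the checks are assumptions made for illustration.

```python
import ipaddress

# Constructed sample gateway (names and addresses are made up for illustration).
# interface -> (gateway's own address, networks defined behind it; None = external)
GATEWAY = {
    "eth0": ("192.0.2.1", None),
    "eth1": ("10.1.1.1", ["10.1.1.0/24"]),
    "Mgmt": ("10.9.9.1", ["10.9.9.0/24"]),
}

def _in_any(ip, nets):
    return any(ip in ipaddress.ip_network(n) for n in nets)

def topology_allows(in_iface, ip):
    """Topology check: is this source expected on the interface it arrived on?"""
    nets = GATEWAY[in_iface][1]
    if nets is not None:
        return _in_any(ip, nets)
    # External interface: anything that is not defined behind another interface.
    return not any(_in_any(ip, n) for _, n in GATEWAY.values() if n)

def classify(in_iface, src, switches=None):
    """Return 'accept' or the name of the check that drops the packet.

    switches mirrors the two kernel parameters from the thread (1 = enforced).
    The order of the checks is an assumption of this model.
    """
    switches = switches or {}
    ip = ipaddress.ip_address(src)
    own = {ipaddress.ip_address(addr) for addr, _ in GATEWAY.values()}
    # Check A: inbound packet claims one of the gateway's own addresses as source.
    if switches.get("fw_local_interface_anti_spoofing", 1) and ip in own:
        return "local interface address spoofing"
    # Check B: source does not match the topology of the receiving interface.
    if switches.get("fw_antispoofing_enabled", 1) and not topology_allows(in_iface, ip):
        return "address spoofing"
    return "accept"

if __name__ == "__main__":
    off = {"fw_antispoofing_enabled": 0}
    # Management server 10.9.9.10 arriving on the wrong interface.
    print(classify("eth1", "10.9.9.10"), "->", classify("eth1", "10.9.9.10", off))
    # A packet carrying the gateway's own Mgmt address (e.g. IP conflict, route loop).
    print(classify("eth1", "10.9.9.1"), "->", classify("eth1", "10.9.9.1", off))
```

In the second case the drop reason is unchanged by the first switch, which points at the causes suggested in the thread (address conflict, route loop) rather than at the interface topology.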

  7. #7
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,480
    Rep Power
    16

    Re: How to install policy with comms from mgmt server blocked by antispoofing

    Originally posted by ShadowPeak.com:
    fw ctl set int fw_local_interface_anti_spoofing 0

    The only place I've seen where this is needed is when you're listening off a SPAN port and the gateway sees its own traffic from the management port on it.
    Part of that old "can't see the same packet twice" rule
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  8. #8
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,623
    Rep Power
    9

    Re: How to install policy with comms from mgmt server blocked by antispoofing

    Or a bridge firewall with a dedicated mgmt interface that needs internet access, which would then route through the internal interface of the bridge, but there is some newer way to handle that. Some magic packet remembering thingie. It's in the advanced .. uh.. tech admin guide? Whatever that is called.
