CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: spoofing question.....

  1. #1
    Join Date
    2012-10-03
    Posts
    72
    Rep Power
    7

    spoofing question.....

    Hi all. R77.30 \ Gaia. Distributed environment - 15 sites, each with a CP 4000 appliance cluster.

    Each site has a single-port MPLS solution which provides any-to-any connectivity to all of our other sites (private), and internet connectivity. In order to accomplish the two separate paths, we have 2 tagged VLANs. Based on destination, our gateway will tag and hand off to a specific provider gateway. So... on the VLAN interface for MPLS traffic, I have spoofing set to "internal", and for the internet VLAN, spoofing is set to "external". Everything works great, no problems.

    But wait... After doing this for about 7 years, our provider is forcing us into their "newer" solution. They are removing the two-VLAN scenario, and will handle all routing based on destination from one gateway. There will be one physical interface to the outside world - private and public, so there would be only one route per gateway, the 0 default. Since there could be public or private source\destinations behind that one physical interface, it seems like I'll have to turn spoofing off for it? Or am I missing something?

    thanks

    Danny

  2. #2
    Join Date
    2007-06-04
    Posts
    3,268
    Rep Power
    16

    Re: spoofing question.....

    External in Topology is simply saying that this is where IP addresses that are not specified on another interface will be permitted as source.

    As the MPLS traffic is not specified on another interface, it would then match the External.

    Internal simply allows you to set the specified IP addresses permitted as source through there.

    DMZ is there for the Threat Prevention Blades.

    No need to turn spoofing off.

  3. #3
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,625
    Rep Power
    9

    Re: spoofing question.....

    Doesn't antispoofing require 2 interfaces? Not sure if sync counts in that list or not.

    How does the routing look? Still just one default route?

  4. #4
    Join Date
    2012-10-03
    Posts
    72
    Rep Power
    7

    Re: spoofing question.....

    Originally posted by jflemingeds:
        Doesn't antispoofing require 2 interfaces? Not sure if sync counts in that list or not.

        How does the routing look? Still just one default route?

    Yep, one route - default, pointing to the provider and they would handle site to site routing in addition to the internet. In the current config, I have the interface that is set to the MPLS VLAN set to internal, populated with a group of networks that are at every other private MPLS site. In the next gen config, setting that MPLS\Internet interface to external sure makes things simpler.
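
Added example (not part of the thread, and not Check Point's code): a simplified Python model of the Internal/External anti-spoofing semantics described in reply #2, comparing the current two-VLAN topology with the planned single-interface one. Interface names and networks are constructed for illustration.

```python
import ipaddress

def _claims(entry, ip):
    """True if ip falls in a network defined behind this interface."""
    return any(ip in ipaddress.ip_network(n) for n in entry["nets"])

def allowed_source(topology, iface, src):
    """True if src passes the modelled anti-spoofing check on iface."""
    ip = ipaddress.ip_address(src)
    entry = topology[iface]
    if entry["type"] == "internal":
        # Internal: only the networks defined behind this interface.
        return _claims(entry, ip)
    # External: any source not defined behind another interface.
    return not any(_claims(other, ip)
                   for name, other in topology.items() if name != iface)

# Constructed topologies (interface names and networks are assumptions).
OLD = {
    "eth1":     {"type": "internal", "nets": ["10.1.0.0/16"]},   # local LAN
    "eth2.100": {"type": "internal",                             # MPLS VLAN
                 "nets": ["10.2.0.0/16", "10.3.0.0/16"]},
    "eth2.200": {"type": "external", "nets": []},                # internet VLAN
}
NEW = {
    "eth1": {"type": "internal", "nets": ["10.1.0.0/16"]},       # local LAN
    "eth2": {"type": "external", "nets": []},                    # combined hand-off
}

def compare(src):
    """Verdicts for src arriving from outside:
    (old internet VLAN, new combined interface)."""
    return (allowed_source(OLD, "eth2.200", src),
            allowed_source(NEW, "eth2", src))

if __name__ == "__main__":
    for label, src in [("internet host", "198.51.100.7"),
                       ("remote MPLS site", "10.2.5.9"),
                       ("local LAN address", "10.1.4.4")]:
        print(f"{label:18} {src:14} old/new = {compare(src)}")
```

In this model the combined External interface still rejects local LAN sources arriving from outside, so anti-spoofing keeps doing useful work with it enabled. What changes is that a remote-site source is accepted on the same interface as internet sources, so separating the two is left to the provider's routing.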
