CPUG: The Check Point User Group


Thread: Antispoofing adding static route

  1. #1
    Join Date
    2016-09-03
    Posts
    10
    Rep Power
    0

    Antispoofing adding static route

    When I add a static route on the firewall or enable antispoofing

    ip route 192.140.12.2/29(external interface) nexthop gateway 10.232.2.2(internal interface let say eth10)

    192.x.x.x is owned by our network...
    Interface as seen through the show route destination command...

    When I add 192.x.x.x to the Antispoofing group, what exactly does it mean??


    Is it that any traffic coming from 192.x.x.x going to the internet,
    and any traffic coming from the internet to 192.x.x.x on the firewall, should come in on eth10, else it will be discarded?
    And does it also mean any traffic from the internal network going to 192.x.x.x should come in on eth10?

  2. #2
    Join Date
    2006-06-07
    Posts
    21
    Rep Power
    0

    Re: Antispoofing adding static route

    Anti-Spoofing is based on the Source IP of traffic.

    So if you add 10.10.10.0/24 to eth10, then it inspects the Source IP of traffic arriving on eth10 and compares it with what is in the Anti-Spoofing.
    If it matches against what is set on eth10, then it passes the initial inspection and then passes on to the Firewall for matching against the Rulebase.

    On the interface marked as External, it basically accepts as Source any address that is not specified on an interface.

    In terms of the routing table, the Interface shown is the Interface that the traffic would leave on to get to that Destination.

  3. #3
    Join Date
    2014-09-02
    Posts
    344
    Rep Power
    10

    Re: Antispoofing adding static route

    If only I had a nickel for every hour I've spent explaining/teaching anti-spoofing...it's quite capable and simple (once understood), but far from intuitive.

    mdjmcnally is correct, but I'll take a slightly different direction:

    - Anti-spoofing basically doesn't care about the destination. If enabled on an interface, it simply compares the source address of inbound traffic (traffic just entering the firewall) against the topology definition of that interface. If the source isn't included in the selected anti-spoofing option, then it's considered "spoofed" and either prevented or detected (based on setting).
    - The default "defined by the interface IP and Net Mask" is fine if there's only that network connected to the interface.
    - It gets to be more fun when there are multiple networks connecting through that interface via router/switch/WAN/etc. In this case, all networks need to be added to a group and configured as "specific".
    - This should usually mirror the routing configuration, in that any additional networks will likely also need static routes defined to get outbound traffic where it needs to go (the switch/router/etc.).
    - If you're a "bleeding-edge" type of person, you may have seen a new anti-spoofing option in R80.20.M1: "network defined by routes". I've been waiting for this for years! While I haven't tested this yet on GA, my suspicion is that it will only work on R80.20 gateways - once available. Still, this will hopefully make things easier in the future.

    -E

  4. #4
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    264
    Rep Power
    12

    Re: Antispoofing adding static route

    Quote Originally Posted by EricAnderson:
    If only I had a nickel for every hour I've spent explaining/teaching anti-spoofing...it's quite capable and simple (once understood), but far from intuitive.
    I wish I had one for every time I got a TAC call for antispoofing drops and the caller swore up and down that his routing was handed to him on stone tablets by angels and could never be wrong. Then after four hours of troubleshooting, guess what. His routing was wrong.

    Quote Originally Posted by EricAnderson:
    - This should usually mirror the routing configuration, in that any additional networks will likely also need static routes defined to get outbound traffic where it needs to go (the switch/router/etc.).
    I would go further. There are almost no situations where your antispoofing configuration should not match your routing configuration. If you find one, something is almost always seriously wrong with that environment.

    Quote Originally Posted by EricAnderson:
    - If you're a "bleeding-edge" type of person, you may have seen a new anti-spoofing option in R80.20.M1: "network defined by routes". I've been waiting for this for years! While I haven't tested this yet on GA, my suspicion is that it will only work on R80.20 gateways - once available. Still, this will hopefully make things easier in the future.
    This sounds like URPF. I wonder if it is aware of dynamic routing. If so, that would be wonderful and would save me so much time. I will need to test this in the very near future.
    Zimmie

  5. #5
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,229
    Rep Power
    13

    Re: Antispoofing adding static route

    Quote Originally Posted by Bob_Zimmerman:
    I would go further. There are almost no situations where your antispoofing configuration should not match your routing configuration. If you find one, something is almost always seriously wrong with that environment.
    That's why in R80.20 there is a new antispoofing option on the interface topology screen: "Follow routing configuration" or something like that. Now any time a route is added/updated antispoofing will automatically match.
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com

  6. #6
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    264
    Rep Power
    12

    Re: Antispoofing adding static route

    Quote Originally Posted by ShadowPeak.com:
    That's why in R80.20 there is a new antispoofing option on the interface topology screen: "Follow routing configuration" or something like that. Now any time a route is added/updated antispoofing will automatically match.
    Yes, which Eric and I were just discussing later in that same message. 😉
    Zimmie

  7. #7
    Join Date
    2016-09-03
    Posts
    10
    Rep Power
    0

    Re: Antispoofing adding static route

    To add to my question

    I am going to add a vlan 10 to interface eth3.333 with 10.10.10.133/29
    VRRP 10.10.10.132

    to make it work, why do I need to add 10.10.10.129/29 to the Antispoofing Group that I created on interface eth3.333?
    fw01/02 (VRRP)    fw01              fw02
    10.10.10.132      10.10.10.133      10.10.10.134

  8. #8
    Join Date
    2006-06-07
    Posts
    21
    Rep Power
    0

    Re: Antispoofing adding static route

    Because you need to tell the Check Point software that that is where traffic FROM that subnet will ARRIVE, at that interface.

    If you take a simple firewall

    eth1 - 40.40.40.40/24
    eth2 - 10.10.10.10/24
    eth3 - 172.16.0.10/24

    You then add a route 10.10.20.0/24 via 10.10.10.20 so that the Box knows how to get to the Subnet.

    You would have your Address Spoofing Configured as

    eth1 - 40.40.40.40/24 - External
    eth2 - 10.10.10.10/24 - Internal ( Specific - Group containing 10.10.10.0/24 and 10.10.20.0/24 )
    eth3 - 172.16.0.10/24 - Internal - Defined by Interface IP and Subnet Mask


    This would then allow

    traffic from 10.10.10.0/24 or 10.10.20.0/24 to ARRIVE INBOUND at eth2.
    If any other IP address outside of those ARRIVES INBOUND at eth2, then it will drop that traffic due to Address Spoofing.
    IF you leave the 10.10.20.0/24 out of the Address Spoofing, then any REPLY traffic would get dropped, as it would not recognise that traffic with a Source IP in that network should arrive on that interface.

    traffic from 172.16.0.0/24 to ARRIVE INBOUND at eth3.
    If any other IP address outside of that subnet ARRIVES INBOUND at eth3, then it will drop that traffic due to Address Spoofing.

    By being marked as External, eth1 will then accept traffic with a Source IP that is not configured for eth2 or eth3 to ARRIVE INBOUND at eth1.

    This is as simply as I can explain it; don't know if anyone else can.
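The topology in the post above (External on eth1, a Specific group on eth2, "defined by interface IP and Net Mask" on eth3, plus the static route for 10.10.20.0/24) can be modelled to see why leaving 10.10.20.0/24 out of the group drops the replies. The following is an added example, not code from the thread or from any Check Point product; the interface and network values are the ones in the post, the `Interface`/`AntiSpoofing` classes and the routing consistency check are my own constructions. It models only the inbound source check described in posts #2, #3 and #8, not the post-routing check phoneboy mentions below.

```python
"""Model of inbound anti-spoofing on a Check Point-style gateway, plus a check that
every static route's destination is covered by the egress interface's topology.
Added example with constructed data; not taken from the thread or from product code."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Interface:
    name: str
    address: str                                   # interface IP with prefix, e.g. "10.10.10.10/24"
    external: bool = False                         # topology "External"
    specific: list = field(default_factory=list)   # topology "Specific": networks behind the interface

    def topology(self) -> Optional[list]:
        """Networks accepted as legitimate sources on this interface (None for External)."""
        if self.external:
            return None
        if self.specific:
            return [ipaddress.ip_network(n) for n in self.specific]
        # default option: "defined by interface IP and Net Mask"
        return [ipaddress.ip_interface(self.address).network]


class AntiSpoofing:
    def __init__(self, interfaces):
        self.interfaces = {i.name: i for i in interfaces}

    def _internal_nets(self):
        nets = []
        for iface in self.interfaces.values():
            if not iface.external:
                nets.extend(iface.topology())
        return nets

    def check_inbound(self, ifname: str, src: str):
        """Return (accepted, reason) for a packet with source `src` arriving on `ifname`.
        Only the source address is inspected; the destination plays no part."""
        src_ip = ipaddress.ip_address(src)
        iface = self.interfaces[ifname]
        if iface.external:
            # External accepts any source that is not defined on some internal interface.
            hits = [n for n in self._internal_nets() if src_ip in n]
            if hits:
                return False, f"spoofed: {src} belongs to internal network {hits[0]}"
            return True, "external interface accepts any source not defined elsewhere"
        for net in iface.topology():
            if src_ip in net:
                return True, f"{src} is in {net}, part of the topology of {ifname}"
        return False, f"spoofed: {src} is not in the topology of {ifname}"


def routes_missing_from_topology(asp: AntiSpoofing, routes):
    """`routes` is a list of (destination network, egress interface) taken from the routing
    table. Returns the routes whose destination is not covered by the egress interface's
    anti-spoofing topology: hosts there receive our packets, but their replies, arriving
    on that interface with a source in the destination network, are dropped as spoofed."""
    missing = []
    for dest, ifname in routes:
        iface = asp.interfaces[ifname]
        if iface.external:
            continue
        dest_net = ipaddress.ip_network(dest)
        if not any(dest_net.subnet_of(n) for n in iface.topology()):
            missing.append((dest, ifname))
    return missing


def example_gateway(with_group: bool) -> AntiSpoofing:
    """The gateway from the post: eth1 External, eth2 Specific (or default), eth3 default."""
    eth2_specific = ["10.10.10.0/24", "10.10.20.0/24"] if with_group else []
    return AntiSpoofing([
        Interface("eth1", "40.40.40.40/24", external=True),
        Interface("eth2", "10.10.10.10/24", specific=eth2_specific),
        Interface("eth3", "172.16.0.10/24"),
    ])


# "ip route 10.10.20.0/24 via 10.10.10.20": the next hop is on eth2, so traffic leaves on eth2.
ROUTES = [("10.10.20.0/24", "eth2")]

if __name__ == "__main__":
    for with_group in (True, False):
        gw = example_gateway(with_group)
        print(f"eth2 topology {'Specific group' if with_group else 'IP/mask only'}:")
        for ifname, src in [("eth2", "10.10.20.5"), ("eth3", "10.10.20.5"),
                            ("eth1", "10.10.20.5"), ("eth1", "8.8.8.8")]:
            print(f"  {src:>12} on {ifname}: {gw.check_inbound(ifname, src)}")
        print("  routes not covered by topology:", routes_missing_from_topology(gw, ROUTES))
```

Running it with `with_group=False` reproduces the failure mode in the post: the route sends packets to 10.10.20.0/24 out eth2, but the reply from 10.10.20.5 arriving on eth2 is rejected because eth2's topology is only 10.10.10.0/24. `routes_missing_from_topology` is the mechanical form of the advice in posts #3 and #4 that the anti-spoofing configuration should mirror the routing table.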

  9. #9
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,485
    Rep Power
    16

    Re: Antispoofing adding static route

    Quote Originally Posted by EricAnderson:
    - Anti-spoofing basically doesn't care about the destination. If enabled on an interface, it simply compares the source address of inbound traffic (traffic just entering the firewall) against the topology definition of that interface. If the source isn't included in the selected anti-spoofing option, then it's considered "spoofed" and either prevented or detected (based on setting).
    This is not true as anti-spoofing checks also occur after the traffic is routed.
    In fact, I had an FAQ about this exact issue back in the day.
    There's probably a copy of it somewhere on this site, but I decided to resurrect the link here: https://phoneboy.com/fw1/faq/0143.html
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own
