Checkpoint anti-spoofing problems.

If you have a Checkpoint firewall with anti-spoofing enabled, it can be confusing exactly what needs to be done to allow hosts on separate interfaces to talk to each other, especially if you are not NATing.

What you have to configure is a group object that contains all the networks that sit behind a given interface.

So you may have, for example, an interface called Lan 1 which has the networks 192.168.0.0/24 and 192.168.1.1/24 behind it. You need to create a group, for example called Lan1AntiSpoof, and place these two network objects inside it.

Once you have that group, you need to configure your cluster to use it to define which networks are private and which interface they sit behind. The principle is the same for all interfaces.

Right-click your cluster and choose Edit. Then:

1. Click the Topology item, then click Edit Topology.
2. Highlight the interface you want to configure (in this example, Lan 1) and click Edit.
3. Click the Topology tab. You will see an option for Internal (assuming this is one of your internal interfaces).
4. Choose the Specific radio button and select the group you created above, Lan1AntiSpoof.
5. Save these changes and install the policy so the new configuration is applied.

You will need to do this for every interface that is considered internal, listing all the networks behind it, so that those networks can communicate without being blocked by the anti-spoofing rules.
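To make the effect of that topology setting concrete, here is an added example (written for this page, not code from Check Point or from the original post) that models the anti-spoofing decision in plain Python: each internal interface maps to the networks defined behind it, a packet is accepted only when its source address belongs to a network behind the interface it arrived on, and an audit helper flags networks that are listed behind two interfaces. The "Lan 1" interface and Lan1AntiSpoof group follow the post; the "Lan 2" interface, its 10.10.0.0/16 network and the sample addresses are constructed for illustration. Running it shows the "before" case, where Lan1AntiSpoof only contains 192.168.0.0/24 and a host in 192.168.1.0/24 is dropped as spoofed, next to the "after" case with both networks in the group.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample topology, not the post's real gateway: each internal
# interface maps to the group of networks Check Point is told live behind it.
# "Lan 1" / Lan1AntiSpoof follow the post; "Lan 2" and its network are hypothetical.
TOPOLOGY_SPEC = {
    "Lan 1": ["192.168.0.0/24", "192.168.1.0/24"],   # Lan1AntiSpoof group
    "Lan 2": ["10.10.0.0/16"],                        # hypothetical Lan2AntiSpoof group
}

Topology = Dict[str, List[ipaddress.IPv4Network]]


def build_topology(spec: Dict[str, List[str]]) -> Topology:
    """Parse {interface: [network strings]} into ip_network objects.
    strict=False so a member written with host bits set (e.g. 192.168.1.1/24)
    is normalised to its network, as a network object in the group would be."""
    return {iface: [ipaddress.ip_network(n, strict=False) for n in nets]
            for iface, nets in spec.items()}


def anti_spoof_verdict(topology: Topology, ingress_iface: str, src_ip: str) -> Tuple[str, str]:
    """Decide how the anti-spoofing check treats a packet with source src_ip
    arriving on ingress_iface. The source is legitimate only if it belongs to a
    network defined behind that interface; anything else is treated as spoofed."""
    ip = ipaddress.ip_address(src_ip)
    behind = topology.get(ingress_iface)
    if behind is None:
        return "drop", f"no topology defined for interface {ingress_iface}"
    if any(ip in net for net in behind):
        return "accept", f"{src_ip} is defined behind {ingress_iface}"
    for iface, nets in topology.items():
        if any(ip in net for net in nets):
            return "drop", f"{src_ip} is defined behind {iface}, not {ingress_iface}"
    return "drop", f"{src_ip} is not defined behind any internal interface"


def find_overlaps(topology: Topology) -> List[Tuple[str, str, str, str]]:
    """Audit helper: report networks listed behind two different interfaces
    that overlap. Overlap is ambiguous for anti-spoofing and usually means one
    of the interface groups contains a network it should not."""
    items = [(iface, net) for iface, nets in topology.items() for net in nets]
    overlaps = []
    for i, (iface_a, net_a) in enumerate(items):
        for iface_b, net_b in items[i + 1:]:
            if iface_a != iface_b and net_a.overlaps(net_b):
                overlaps.append((iface_a, str(net_a), iface_b, str(net_b)))
    return overlaps


if __name__ == "__main__":
    # Before: Lan1AntiSpoof only holds 192.168.0.0/24, so a host in 192.168.1.0/24
    # arriving on Lan 1 is dropped as spoofed. After: both networks are in the group.
    before = build_topology({"Lan 1": ["192.168.0.0/24"], "Lan 2": ["10.10.0.0/16"]})
    after = build_topology(TOPOLOGY_SPEC)
    for name, topo in (("before", before), ("after", after)):
        print(name, anti_spoof_verdict(topo, "Lan 1", "192.168.1.25"))
    # A Lan 2 address showing up on Lan 1 is dropped in either configuration.
    print("cross-interface", anti_spoof_verdict(after, "Lan 1", "10.10.3.4"))
    # Constructed misconfiguration: a /16 listed behind Lan 2 sits inside a /8 behind Lan 1.
    print("overlaps:", find_overlaps(build_topology({"Lan 1": ["10.0.0.0/8"],
                                                     "Lan 2": ["10.1.0.0/16"]})))
```

The model deliberately ignores external interfaces and NAT; its point is only that the group selected under Topology, Internal, Specific is what the gateway consults when deciding whether a source address belongs on an interface, so any network missing from that group is silently dropped rather than routed.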

If this post was useful, please click some of the ad blocks which helps me to keep this site running. Thanks!
