topic Re: Anti-spoofing Question in General Topics

Anti-spoofing Question

probin02 — Wed, 23 Nov 2011 05:28:22 GMT

I'm trying to compare checkpoint interface topology configuration to panos. Is there a setting in panos where you can define what networks are behind an interface?

Re: Anti-spoofing Question

rapoint_person — Wed, 23 Nov 2011 09:35:24 GMT

Anti-spoofing is not based on any address-book or address-group entry. It is simply based on the routes you have in your VR. In other words you need to compare route tables between your Checkpoint-GW and the PAN-device.

Re: Anti-spoofing Question

probin02 — Wed, 23 Nov 2011 13:28:28 GMT

Thanks for your reply. My understanding of the VR is its for static routes. Since routing is based on destination, how does panos detect the source address traffic should not be passing though an interface?

Re: Anti-spoofing Question

rapoint_person — Wed, 23 Nov 2011 14:23:08 GMT

No, a VR holds both static and dynamic routes, (if used).

Lets say your VR looks like this:

Route Gateway Interface

0.0.0.0/0 195.1.2.3 eth1
192.168.20.0/24 192.168.10.5 eth2

195.1.2.1/27 eth1

192.168.10.1/24 eth2

In the example above, using anti-spoofing on the zone with eth2 as a member interface would only allow hosts from the directly connected network 192.168.10.0/24 and the nexthop network 192.168.20.0/24 as these two networks are the only ones with valid return routes. The PAN-device extracts the source IP and source interface, (source zone) when the ingress packet arrives.

Re: Anti-spoofing Question

probin02 — Wed, 23 Nov 2011 15:51:44 GMT

Ok. If I have networks that are not directly connected, how do I add them? Is there a document that describes adding static routes and defining networks in the VR?

Re: Anti-spoofing Question

rapoint_person — Wed, 23 Nov 2011 16:37:12 GMT

Yes, that my friend is in the manual. In the gui simply click the VR, Add the route (network/mask/gw) and commit. Thats about it.