11-22-2011 09:28 PM
I'm trying to compare checkpoint interface topology configuration to panos. Is there a setting in panos where you can define what networks are behind an interface?
11-23-2011 01:35 AM
Anti-spoofing is not based on any address-book or address-group entry. It is simply based on the routes you have in your VR. In other words you need to compare route tables between your Checkpoint-GW and the PAN-device.
11-23-2011 05:28 AM
Thanks for your reply. My understanding of the VR is its for static routes. Since routing is based on destination, how does panos detect the source address traffic should not be passing though an interface?
11-23-2011 06:23 AM
No, a VR holds both static and dynamic routes, (if used).
Lets say your VR looks like this:
Route Gateway Interface
0.0.0.0/0 195.1.2.3 eth1
192.168.20.0/24 192.168.10.5 eth2
195.1.2.1/27 eth1
192.168.10.1/24 eth2
In the example above, using anti-spoofing on the zone with eth2 as a member interface would only allow hosts from the directly connected network 192.168.10.0/24 and the nexthop network 192.168.20.0/24 as these two networks are the only ones with valid return routes. The PAN-device extracts the source IP and source interface, (source zone) when the ingress packet arrives.
11-23-2011 07:51 AM
Ok. If I have networks that are not directly connected, how do I add them? Is there a document that describes adding static routes and defining networks in the VR?
11-23-2011 08:37 AM
Yes, that my friend is in the manual. In the gui simply click the VR, Add the route (network/mask/gw) and commit. Thats about it.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
