Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Anti-spoofing Question

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Anti-spoofing Question

Not applicable

I'm trying to compare checkpoint interface topology configuration to panos. Is there a setting in panos where you can define what networks are behind an interface?

5 REPLIES 5

L3 Networker

Anti-spoofing is not based on any address-book or address-group entry. It is simply based on the routes you have in your VR. In other words you need to compare route tables between your Checkpoint-GW and the PAN-device.

Thanks for your reply. My understanding of the VR is its for static routes. Since routing is based on destination, how does panos detect the source address traffic should not be passing though an interface?

No, a VR holds both static and dynamic routes, (if used).

Lets say your VR looks like this:

Route                              Gateway                    Interface

0.0.0.0/0          195.1.2.3        eth1
192.168.20.0/24    192.168.10.5     eth2

195.1.2.1/27                        eth1

192.168.10.1/24                     eth2

In the example above, using anti-spoofing on the zone with eth2 as a member interface would only allow hosts from the directly connected network 192.168.10.0/24 and the nexthop network 192.168.20.0/24 as these two networks are the only ones with valid return routes. The PAN-device extracts the source IP and source interface, (source zone) when the ingress packet arrives.

Ok. If I have networks that are not directly connected, how do I add them? Is there a document that describes adding static routes and defining networks in the VR?

Yes, that my friend is in the manual. In the gui simply click the VR, Add the route (network/mask/gw) and commit. Thats about it.

  • 5684 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!