Thread: Apparent error in applying antispoofing rule

Apparent error in applying antispoofing rule
2008-03-07 19:07:31
Hello,

I have this customer that recently deployed a new server on one of his firewall's DMZs (NGX R65 HA cluster over SPLAT), users from the internal networks have no problem accessing the server but traffic from a particular IP range on the outside (not Internet but a WAN from the same company) is being dropped and the logs say it is because of the antispoofing rule.

The source of the dropped traffic comes in fact from a 10.x.x.x network, but we checked all the network and object groups configured on each internal interface topology (one internal, 2 DMZs), for antispoofing, and there is no way that particular IP range would be overlapping with any of them.

Furthermore the destination IP of the new server on the DMZ is in fact contained in the group assigned to that particular DMZ interface, so apparently there is no logical reason why the firewall would drop the traffic for antispoofing.

Has anybody seen something like this before?

Regards
--
Sergio Alvarez
(506)8301342
Scanned by Check Point Total Security Gateway.
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV amadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner ts.checkpoint.com
=================================================

Re: Apparent error in applying antispoofing rule
2008-03-08 01:10:33
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Sergio Alvarez <seralvar GMAIL.COM> wrote:
>
> The source of the dropped traffic comes in fact from a 10.x.x.x network, but we checked all the network and object groups configured on each internal interface topology (one internal, 2 DMZs), for antispoofing, and there is no way that particular IP range would be overlapping with any of them.
In nearly every anti-spoofing case I have checked, the firewall has been right, and I was wrong. And in the one case that I can think of where it was inconclusive, the firewall was probably still right, and I just couldn't see it.

Look closely at the anti-spoof log entry, and pay attention to the Interface column that is being named. Also pay attention to the direction that the packet is traveling (in or out) through the interface.

If the packet is inbound, then Checkpoint believes that packet should not be appearing on that interface, because the SOURCE address of the packet does not match the anti-spoof definition for that interface, or it DOES match the definition for one of the OTHER interfaces.

If the packet is outbound, then the DESTINATION address of the packet does not match the anti-spoof definition for the interface, or it matches one of the OTHER interfaces (meaning the packet should have been routed to that interface instead of this one).

Usually, paying close attention to the particular interface being named, and thinking carefully about your routing topology, should yield the answer as to what the firewall thinks is wrong.
- --
David DeSimone == Network Admin == fox verio.net
"This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have received this message in error, you are not authorized to copy, distribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. Verio, Inc. makes no warranty that this email is error or virus free. Thank you."
--Lawyer Bot 6000
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFH0jvpFSrKRjX5eCoRAl0pAJ4641sk/ARcRwGVZ6b3+sm0RGDtnwCdFN8d
F03OTZ2q5Tu3kAb5jt89TsQ=
=bIhI
-----END PGP SIGNATURE-----
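As an added illustration of the decision David describes (my own code, not from the thread and not Check Point's implementation): a small Python model of the anti-spoof test over a constructed four-interface topology that approximates the poster's setup, one external interface with no definition, one internal and two DMZs. The interface names, networks and addresses are assumed. It applies the SOURCE test to inbound packets and the DESTINATION test to outbound ones, and distinguishes "not in this interface's definition" from "belongs to one of the OTHER interfaces", which is the case the asymmetric-routing replies later in the thread describe.

```python
import ipaddress
from typing import Optional, Tuple

# Constructed topology (assumed, not the poster's real configuration): the
# external interface has no anti-spoof definition; each internal-side
# interface lists the networks expected behind it.
TOPOLOGY = {
    "eth0": [],                      # external / WAN side: no explicit networks
    "eth1": ["192.168.0.0/16"],      # internal
    "eth2": ["172.16.1.0/24"],       # DMZ 1
    "eth3": ["172.16.2.0/24"],       # DMZ 2, where the new server lives
}

NETS = {iface: [ipaddress.ip_network(n) for n in nets]
        for iface, nets in TOPOLOGY.items()}


def owning_interface(addr: str) -> Optional[str]:
    """Interface whose anti-spoof definition contains addr, or None if no
    defined interface claims it (i.e. it is an 'outside' address)."""
    ip = ipaddress.ip_address(addr)
    for iface, nets in NETS.items():
        if any(ip in net for net in nets):
            return iface
    return None


def antispoof(direction: str, iface: str, src: str, dst: str) -> Tuple[str, str]:
    """Inbound packets are judged on their SOURCE, outbound packets on their
    DESTINATION. The packet is dropped when that address lies outside iface's
    definition, or when it belongs to the definition of one of the OTHER
    interfaces. Returns (verdict, reason)."""
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    addr = src if direction == "in" else dst
    owner = owning_interface(addr)
    if owner == iface:
        return "accept", f"{addr} is within {iface}'s definition"
    if owner is not None:
        # The log names iface, but the address is claimed by another
        # interface: routing (or switching) delivered it to the wrong place.
        return "drop", f"{addr} belongs to {owner}, not {iface}"
    if not NETS[iface]:
        # Undefined (external) interface: anything unclaimed elsewhere passes.
        return "accept", f"{addr} is not claimed by any defined interface"
    return "drop", f"{addr} is not in {iface}'s definition"


if __name__ == "__main__":
    cases = [
        # WAN client (10.x.x.x, claimed by nobody) reaching the DMZ 2 server.
        ("in", "eth0", "10.20.30.40", "172.16.2.5"),
        # The server's reply arriving on the INTERNAL interface: correctly
        # dropped, because the source belongs to eth3.
        ("in", "eth1", "172.16.2.5", "10.20.30.40"),
        # Reply to the WAN client being routed out of DMZ 1 instead of eth0.
        ("out", "eth2", "172.16.2.5", "10.20.30.40"),
        # A source overlapping the internal definition arriving from outside.
        ("in", "eth0", "192.168.5.9", "172.16.2.5"),
    ]
    for direction, iface, src, dst in cases:
        verdict, reason = antispoof(direction, iface, src, dst)
        print(f"{iface}:{direction} {src} -> {dst}: {verdict} ({reason})")
```

The reason string is the part worth reading: when it names a different interface than the one in the log entry, the question is no longer "why is the firewall wrong" but "why did this packet arrive on (or get routed to) that interface".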
Re: Apparent error in applying antispoofing rule
Netherlands
2008-03-08 07:48:37
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Sergio Alvarez wrote:
| Hello,
|
| I have this customer that recently deployed a new server on one of his firewall's DMZs (NGX R65 HA cluster over SPLAT), users from the internal networks have no problem accessing the server but traffic from a particular IP range on the outside (not Internet but a WAN from the same company) is being dropped and the logs say it is because of the antispoofing rule.
|
| The source of the dropped traffic comes in fact from a 10.x.x.x network, but we checked all the network and object groups configured on each internal interface topology (one internal, 2 DMZs), for antispoofing, and there is no way that particular IP range would be overlapping with any of them.
| Furthermore the destination IP of the new server on the DMZ is in fact contained in the group assigned to that particular DMZ interface, so apparently there is no logical reason why the firewall would drop the traffic for antispoofing.
I just found a similar issue with a customer. I asked him to send me a fw monitor output. The SYN packet was there 4 times as expected. But the SYN+ACK packet was in there 5 times.

The reason was a config error in a third-party router.

I suggest you track this with the proper fw monitor command and see what goes on when you open the packet capture in wireshark.

Hugo.

PS: fw monitor syntax details can be found in Check Point documentation. But I usually point my customers to http://decock.org/ginspect/
- --
hvdkooij vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
iD8DBQFH0pkyBvzDRVjxmYERArBHAJ9ujPwif6qbAxXCKuc1DT83z2v3QwCgn0l/
JrtgL+4LdPJyfTfbZP+5SSQ=
=jU/w
-----END PGP SIGNATURE-----
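As an added example of the check Hugo describes (my own code, not Hugo's and not a Check Point tool): parse fw monitor text output, group the lines by packet, and count how many inspection points each packet passes. A packet that traverses the gateway normally is seen four times (i and I on the ingress interface, o and O on the egress interface); one that is seen more often has come back into the gateway on another interface, which is the 5-times pattern Hugo found. The sample capture is constructed in an approximation of the fw monitor line format, with assumed interface names and addresses; its SYN+ACK re-enters on a third interface.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample in the style of `fw monitor` output (format approximated,
# interfaces and addresses assumed; not a capture from the thread). Each packet
# occupies two lines: "<iface>:<point>[len]: src -> dst (proto) ..." followed
# by the TCP header line. A clean pass shows i, I, o, O exactly once each.
SAMPLE = """\
eth0:i[60]: 10.20.30.40 -> 172.16.2.5 (TCP) len=60 id=1001
TCP: 40000 -> 80 .S.... seq=0a0b0c0d ack=00000000
eth0:I[60]: 10.20.30.40 -> 172.16.2.5 (TCP) len=60 id=1001
TCP: 40000 -> 80 .S.... seq=0a0b0c0d ack=00000000
eth3:o[60]: 10.20.30.40 -> 172.16.2.5 (TCP) len=60 id=1001
TCP: 40000 -> 80 .S.... seq=0a0b0c0d ack=00000000
eth3:O[60]: 10.20.30.40 -> 172.16.2.5 (TCP) len=60 id=1001
TCP: 40000 -> 80 .S.... seq=0a0b0c0d ack=00000000
eth3:i[60]: 172.16.2.5 -> 10.20.30.40 (TCP) len=60 id=2002
TCP: 80 -> 40000 .S..A. seq=1e1f2021 ack=0a0b0c0e
eth3:I[60]: 172.16.2.5 -> 10.20.30.40 (TCP) len=60 id=2002
TCP: 80 -> 40000 .S..A. seq=1e1f2021 ack=0a0b0c0e
eth0:o[60]: 172.16.2.5 -> 10.20.30.40 (TCP) len=60 id=2002
TCP: 80 -> 40000 .S..A. seq=1e1f2021 ack=0a0b0c0e
eth0:O[60]: 172.16.2.5 -> 10.20.30.40 (TCP) len=60 id=2002
TCP: 80 -> 40000 .S..A. seq=1e1f2021 ack=0a0b0c0e
eth1:i[60]: 172.16.2.5 -> 10.20.30.40 (TCP) len=60 id=2002
TCP: 80 -> 40000 .S..A. seq=1e1f2021 ack=0a0b0c0e
"""

HDR = re.compile(r"^(?P<iface>[^:\s]+):(?P<point>[iIoO])\[\d+\]:\s+"
                 r"(?P<src>\S+) -> (?P<dst>\S+) \((?P<proto>\w+)\).*\bid=(?P<id>\d+)")
TCP = re.compile(r"^TCP:\s+(?P<sport>\d+) -> (?P<dport>\d+)\s+(?P<flags>\S+)")

# src, sport, dst, dport, IP id, TCP flags (dots stripped, e.g. "S" or "SA")
Packet = Tuple[str, str, str, str, str, str]


def parse_fw_monitor(text: str) -> Dict[Packet, List[Tuple[str, str]]]:
    """Group inspection-point hits by packet, so each physical packet maps to
    the ordered list of (interface, point) where fw monitor saw it."""
    hits: Dict[Packet, List[Tuple[str, str]]] = defaultdict(list)
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = HDR.match(lines[i])
        i += 1
        if not m:
            continue
        t = TCP.match(lines[i]) if i < len(lines) else None
        if t:
            i += 1
            key = (m["src"], t["sport"], m["dst"], t["dport"], m["id"],
                   t["flags"].replace(".", ""))
        else:  # non-TCP packet: key on addresses, IP id and protocol only
            key = (m["src"], "", m["dst"], "", m["id"], m["proto"])
        hits[key].append((m["iface"], m["point"]))
    return dict(hits)


NORMAL_PATH = ["i", "I", "o", "O"]


def audit(hits: Dict[Packet, List[Tuple[str, str]]]) -> Dict[Packet, str]:
    """Label each packet: 'ok' for a clean i,I,o,O pass; 'dropped after ...'
    when the trail stops early; the extra interface(s) when it was seen more
    than four times, i.e. it came back into the gateway somewhere else."""
    findings = {}
    for key, path in hits.items():
        points = [p for _, p in path]
        if points == NORMAL_PATH:
            findings[key] = "ok"
        elif len(path) < 4:
            findings[key] = f"dropped after {path[-1][1]} on {path[-1][0]}"
        elif len(path) > 4:
            extra = ", ".join(f"{iface}:{point}" for iface, point in path[4:])
            findings[key] = f"re-entered on {extra}"
        else:
            findings[key] = "unexpected path " + ",".join(f"{a}:{b}" for a, b in path)
    return findings


if __name__ == "__main__":
    for packet, label in audit(parse_fw_monitor(SAMPLE)).items():
        src, sport, dst, dport, ip_id, flags = packet
        print(f"{src}:{sport} -> {dst}:{dport} id={ip_id} [{flags}]: {label}")
```

The parser reads the text fw monitor prints to the console; the same capture written to a file with -o and opened in Wireshark, as Hugo suggests, shows each inspection point as its own frame, so a packet that appears five times is just as visible there. Grouping on the IP id is what lets the fifth copy be tied to the original SYN+ACK rather than counted as a new packet.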
Re: Apparent error in applying antispoofing rule
2008-03-08 08:23:22
Thanks Hugo and David,

I will be going to my customer's offices on Monday and will check what you suggest.

BTW great link Hugo! I'm already familiar with fwmonitor but that tool is extremely useful.

Regards

On Sat, Mar 8, 2008 at 7:48 AM, Hugo van der Kooij <hvdkooij vanderkooij.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Sergio Alvarez wrote:
> | Hello,
> |
> | I have this customer that recently deployed a new server on one of his firewall's DMZs (NGX R65 HA cluster over SPLAT), users from the internal networks have no problem accessing the server but traffic from a particular IP range on the outside (not Internet but a WAN from the same company) is being dropped and the logs say it is because of the antispoofing rule.
> |
> | The source of the dropped traffic comes in fact from a 10.x.x.x network, but we checked all the network and object groups configured on each internal interface topology (one internal, 2 DMZs), for antispoofing, and there is no way that particular IP range would be overlapping with any of them.
> | Furthermore the destination IP of the new server on the DMZ is in fact contained in the group assigned to that particular DMZ interface, so apparently there is no logical reason why the firewall would drop the traffic for antispoofing.
>
> I just found a similar issue with a customer. I asked him to send me a fw monitor output. The SYN packet was there 4 times as expected. But the SYN+ACK packet was in there 5 times.
>
> The reason was a config error in a third-party router.
>
> I suggest you track this with the proper fw monitor command and see what goes on when you open the packet capture in wireshark.
>
> Hugo.
>
> PS: fw monitor syntax details can be found in Check Point documentation. But I usually point my customers to http://decock.org/ginspect/
>
> - --
> hvdkooij vanderkooij.org http://hugo.vanderkooij.org/
> PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc
>
> A: Yes.
> >Q: Are you sure?
> >>A: Because it reverses the logical flow of conversation.
> >>>Q: Why is top posting frowned upon?
>
> Bored? Click on http://spamornot.org/ and rate those images.
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (GNU/Linux)
>
> iD8DBQFH0pkyBvzDRVjxmYERArBHAJ9ujPwif6qbAxXCKuc1DT83z2v3QwCgn0l/
> JrtgL+4LdPJyfTfbZP+5SSQ=
> =jU/w
> -----END PGP SIGNATURE-----
--
Sergio Alvarez
(506)8301342
Re: Apparent error in applying antispoofing rule
2008-03-08 08:28:31
hi,

also have a detailed view at your switch-config (in case you have VLANs).

I have seen different scenarios where switches forward packets at interfaces where they should not be forwarded (because of bugs or config-problems).

br
reinhard
At 14:48 08.03.2008, Hugo van der Kooij wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Sergio Alvarez wrote:
>| Hello,
>|
>| I have this customer that recently deployed a new server on one of his firewall's DMZs (NGX R65 HA cluster over SPLAT), users from the internal networks have no problem accessing the server but traffic from a particular IP range on the outside (not Internet but a WAN from the same company) is being dropped and the logs say it is because of the antispoofing rule.
>|
>| The source of the dropped traffic comes in fact from a 10.x.x.x network, but we checked all the network and object groups configured on each internal interface topology (one internal, 2 DMZs), for antispoofing, and there is no way that particular IP range would be overlapping with any of them.
>| Furthermore the destination IP of the new server on the DMZ is in fact contained in the group assigned to that particular DMZ interface, so apparently there is no logical reason why the firewall would drop the traffic for antispoofing.
>
>I just found a similar issue with a customer. I asked him to send me a fw monitor output. The SYN packet was there 4 times as expected. But the SYN+ACK packet was in there 5 times.
>
>The reason was a config error in a third-party router.
>
>I suggest you track this with the proper fw monitor command and see what goes on when you open the packet capture in wireshark.
>
>Hugo.
>
>PS: fw monitor syntax details can be found in Check Point documentation. But I usually point my customers to http://decock.org/ginspect/
>
>- --
>hvdkooij vanderkooij.org http://hugo.vanderkooij.org/
>PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc
>
> A: Yes.
> >Q: Are you sure?
> >>A: Because it reverses the logical flow of conversation.
> >>>Q: Why is top posting frowned upon?
>
>Bored? Click on http://spamornot.org/ and rate those images.
>
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.4.7 (GNU/Linux)
>
>iD8DBQFH0pkyBvzDRVjxmYERArBHAJ9ujPwif6qbAxXCKuc1DT83z2v3QwCgn0l/
>JrtgL+4LdPJyfTfbZP+5SSQ=
>=jU/w
>-----END PGP SIGNATURE-----
--
Reinhard Stich r.stich internet-security.at
Internet Security AG, 1150 Wien, Johnstrasse 29
Tel: +43 1 3709440 RS784-RIPE Fax: +43 1 3709440-333
Re: Apparent error in applying antispoofing rule
Switzerland
2008-03-08 12:51:51
Hi,

I have seen a similar issue once. As Reinhard mentioned, it was related to bad routing (it was correctly dropped by antispoofing because the traffic was returning thru another fw interface).

Best regards,
Stefan
Am 08.03.2008 um 15:28 schrieb Reinhard Stich:
> hi,
>
> also have a detailed view at your switch-config (in case you have VLANs).
>
> I have seen different scenarios where switches forward packets at interfaces where they should not be forwarded (because of bugs or config-problems).
>
> br
> reinhard
>
> At 14:48 08.03.2008, Hugo van der Kooij wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Sergio Alvarez wrote:
>> | Hello,
>> |
>> | I have this customer that recently deployed a new server on one of his firewall's DMZs (NGX R65 HA cluster over SPLAT), users from the internal networks have no problem accessing the server but traffic from a particular IP range on the outside (not Internet but a WAN from the same company) is being dropped and the logs say it is because of the antispoofing rule.
>> |
>> | The source of the dropped traffic comes in fact from a 10.x.x.x network, but we checked all the network and object groups configured on each internal interface topology (one internal, 2 DMZs), for antispoofing, and there is no way that particular IP range would be overlapping with any of them.
>> | Furthermore the destination IP of the new server on the DMZ is in fact contained in the group assigned to that particular DMZ interface, so apparently there is no logical reason why the firewall would drop the traffic for antispoofing.
>>
>> I just found a similar issue with a customer. I asked him to send me a fw monitor output. The SYN packet was there 4 times as expected. But the SYN+ACK packet was in there 5 times.
>>
>> The reason was a config error in a third-party router.
>>
>> I suggest you track this with the proper fw monitor command and see what goes on when you open the packet capture in wireshark.
>>
>> Hugo.
>>
>> PS: fw monitor syntax details can be found in Check Point documentation. But I usually point my customers to http://decock.org/ginspect/
>>
>> - --
>> hvdkooij vanderkooij.org http://hugo.vanderkooij.org/
>> PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc
>>
>> A: Yes.
>> >Q: Are you sure?
>> >>A: Because it reverses the logical flow of conversation.
>> >>>Q: Why is top posting frowned upon?
>>
>> Bored? Click on http://spamornot.org/ and rate those images.
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.7 (GNU/Linux)
>>
>> iD8DBQFH0pkyBvzDRVjxmYERArBHAJ9ujPwif6qbAxXCKuc1DT83z2v3QwCgn0l/
>> JrtgL+4LdPJyfTfbZP+5SSQ=
>> =jU/w
>> -----END PGP SIGNATURE-----
>
> --
> Reinhard Stich r.stich internet-security.at
> Internet Security AG, 1150 Wien, Johnstrasse 29
> Tel: +43 1 3709440 RS784-RIPE Fax: +43 1 3709440-333
>