Troubleshooting guide

Chapter 6 Troubleshooting Anti-Spoofing Common Problems Resolution
Advanced Technical Reference Guide 4.1 June 2000 50
How to configure anti-spoofing with DHCP protocol
DHCP requests are dropped on rule 0 in the log.
This happens because FireWall-1 triggers Anti-Spoofing: when workstations send DHCP requests to obtain an IP address, the packets are broadcast with addresses (a source of 0.0.0.0 and a destination of 255.255.255.255) that lie outside the interface's valid address range, so the FireWall treats them as a spoof attempt.
To solve this:
1. Set up three Network Objects:
   - One group/network with the IP addresses of the network
   - A second object of type 'workstation' with an address of 0.0.0.0
   - A third object of type 'workstation' with an address of 255.255.255.255
2. Put them all in an Anti-Spoofing group.
3. Apply that group to your interface for Anti-Spoofing and install the new policy.
See the SecureKnowledge Solution (ID: 3.0.216192.2211274) in the Check Point Technical Services site.
How to prevent broadcast messages from being rejected as spoofing attacks
There are two types of broadcast packets: those with a destination IP of 255.255.255.255 (the limited broadcast, sent to every host on the local network) and those whose destination IP is the network's own address with all the host bits set to 1 (the subnet's directed broadcast address).
To include the first type, create a network object of type computer with the IP address 255.255.255.255. Then create a group containing both the localnet and that computer (broadcast-ip might not be a bad name for it) and use that group, instead of the localnet, as the allowed IP of the interface. You would also want the external interface to be not "others" but "others + broadcast-ip", because broadcasts can come from either direction.
To include the second type, check the "allow broadcasts" checkbox in the network's Network Object Properties window.
See the SecureKnowledge Solution (ID: 36.0.2008729.2505025) in the Check Point Technical Services site.
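The following is an added example, not Check Point code: a simplified Python model of the anti-spoofing check behind both problems above (DHCP requests and the two kinds of broadcast). It assumes the check compares an inbound packet's source, and an outbound packet's destination, against the interface's valid-address group, and that a network object covers its own broadcast address only when "allow broadcasts" is set; object names, the 10.1.0.0/24 network and the sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Simplified model of the anti-spoofing check discussed above (added example, not
# Check Point code). An interface carries a group of valid address objects; an
# inbound packet's source and an outbound packet's destination must match one of
# them or the packet is dropped on rule 0. Object names and addresses are constructed.

@dataclass
class Packet:
    src: str
    dst: str

def valid_group(localnet, dhcp_objects=False, allow_broadcasts=False):
    """Valid-address group for an internal interface: {name: (network, broadcast_ok)}.
    A network object covers its own broadcast address only when 'allow broadcasts' is set."""
    net = ipaddress.ip_network(localnet)
    group = {"localnet": (net, allow_broadcasts)}
    if dhcp_objects:  # the two 'workstation' objects from the DHCP solution
        group["dhcp-client"] = (ipaddress.ip_network("0.0.0.0/32"), True)
        group["broadcast-ip"] = (ipaddress.ip_network("255.255.255.255/32"), True)
    return group

def in_group(addr, group):
    ip = ipaddress.ip_address(addr)
    return any(ip in net and (net.num_addresses == 1 or bcast_ok or ip != net.broadcast_address)
               for net, bcast_ok in group.values())

def anti_spoof(pkt, group, direction):
    """Return 'accept' or 'drop (rule 0)' for a packet seen on the interface."""
    addr = pkt.src if direction == "inbound" else pkt.dst
    return "accept" if in_group(addr, group) else "drop (rule 0)"

# Constructed traffic on an internal interface attached to 10.1.0.0/24.
DISCOVER = Packet("0.0.0.0", "255.255.255.255")   # DHCP client has no address yet
OFFER = Packet("10.1.0.1", "255.255.255.255")     # DHCP server answers by broadcast
DIRECTED = Packet("10.1.0.7", "10.1.0.255")       # second type: subnet broadcast
UNICAST = Packet("10.1.0.7", "192.0.2.10")        # ordinary traffic, for contrast

def demo(localnet="10.1.0.0/24"):
    before = valid_group(localnet)
    after = valid_group(localnet, dhcp_objects=True, allow_broadcasts=True)
    cases = [("discover", DISCOVER, "inbound"), ("offer", OFFER, "outbound"),
             ("directed", DIRECTED, "outbound"), ("unicast", UNICAST, "inbound")]
    return {name: (anti_spoof(p, before, d), anti_spoof(p, after, d)) for name, p, d in cases}

if __name__ == "__main__":
    for name, (before, after) in demo().items():
        print(f"{name:9} before: {before:14} after: {after}")
```

Running it shows the DHCP and broadcast packets dropped on rule 0 with only the localnet object, and accepted once the 0.0.0.0 and 255.255.255.255 objects and "allow broadcasts" are in place, while ordinary unicast traffic is unaffected.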
Static ARP and Anti-Spoofing
ARP (Address Resolution Protocol) is not an IP protocol: it is handled below the IP layer and is not passed up the TCP/IP protocol stack, so VPN-1/FireWall-1 does not filter it. It cannot, however, be used to compromise the security of the internal network, because even if it causes a routing problem, the resulting IP packets are still subject to the anti-spoofing check on the interface where they arrive.