hi
please check
* your anti-spoofing settings, try to do a "get interfaces with topology" again
* if your NAT is defined in the host-objects, or is this manual NAT
* your NAT-settings in the global-properties
cheers
reinhard
At 16:41 26.05.2004, you wrote:
Upgraded from FP2 to R55, moved the rules over with upgrade_import/export. All
that worked fine.
However, in my SmartTracker I'm now seeing a number of packets being dropped
due to "Address Spoofing". Most of the traffic being dropped is legitimate
traffic either trying to do DNS queries, or get to our webserver. The IP
addresses being dropped are all real, routable IPs.
Our firewall does static NAT for a number of servers behind it. It also
maintains a VPN connection to our internal network at the office, which uses
non-routable address space.
hme0 is external, hme1 is internal.
Some of the dropped packets (sanitized), Firewall-1 IP 216.210.2.1, static NAT
IPs start with 216.210.2.x, Internal IPs with 10.0.x.x, the rest are remote
clients (connecting):
Number: 780
Date: 26May2004
Time: 8:12:37
Product: VPN-1 & FireWall-1
Interface: hme1
Origin: fw1host (216.210.2.1)
Type: Log
Action: Drop
Service: https (443)
Source: remote-client.com (64.82.12.37)
Destination: staticnatweb (216.210.2.10)
Protocol: tcp
Source Port: 39532
Information: message_info: Address spoofing

Number: 781
Date: 26May2004
Time: 8:12:45
Product: VPN-1 & FireWall-1
Interface: hme1
Origin: fw1host (216.210.2.1)
Type: Log
Action: Drop
Service: https (443)
Source: 10.0.121.114
Destination: internalweb (10.0.120.10)
Protocol: tcp
Source Port: 3816
Information: message_info: Address spoofing

Number: 764
Date: 26May2004
Time: 8:11:47
Product: VPN-1 & FireWall-1
Interface: hme1
Origin: fw1host (216.210.2.1)
Type: Log
Action: Drop
Service: https (443)
Source: remote-client2.com (214.201.34.2)
Destination: staticnatweb (216.210.2.10)
Protocol: tcp
Source Port: 18312
Information: message_info: Address spoofing
Even with a -lot- of these types of dropped packets, everything appears to
work fine. Clients are all able to connect (even when they have dropped
packets logged).
Any ideas? It isn't strictly internal (VPN) IPs that are getting logged as
spoofed, and this is what confuses me.
Thanks,
Chris
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
--
Reinhard Stich ASSIST R.Stich AT internet-security DOT at
Internet Security AG, 1150 Wien, Johnstrasse 29
Tel: +43 1 3709440 RS784-RIPE Fax: +43 1 3709440-333
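The checklist above (verify the interface topology, then the NAT definitions) boils down to one question per dropped record: is the logged source address inside the valid-address set of the interface the packet entered on? The script below is an added example, not code from this thread or from Check Point, that parses SmartTracker-style "key: value" records and answers that question against an assumed topology map. The TOPOLOGY dictionary, record number 782 and all function names are hypothetical; records 780 and 781 are modelled on the entries quoted above.

```python
import ipaddress
import re

# Constructed sample: three SmartTracker-style records (780 and 781 modelled on
# the entries quoted in the thread, 782 invented for contrast).
SAMPLE_LOG = """\
Number: 780
Interface: hme1
Action: Drop
Service: https (443)
Source: remote-client.com (64.82.12.37)
Destination: staticnatweb (216.210.2.10)
Information: message_info: Address spoofing
Number: 781
Interface: hme1
Action: Drop
Service: https (443)
Source: 10.0.121.114
Destination: internalweb (10.0.120.10)
Information: message_info: Address spoofing
Number: 782
Interface: hme0
Action: Drop
Service: https (443)
Source: 10.0.5.9
Destination: staticnatweb (216.210.2.10)
Information: message_info: Address spoofing
"""

# Assumed topology (hypothetical, not taken from the thread): the networks
# anti-spoofing should accept as sources entering each interface.  hme0 is the
# external side and accepts anything no other interface claims; hme1 is the
# internal side and is assumed here to list the VPN's private range and the
# static-NAT range.
TOPOLOGY = {
    "hme0": None,
    "hme1": [ipaddress.ip_network("10.0.0.0/16"),
             ipaddress.ip_network("216.210.2.0/24")],
}

IPV4_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def parse_records(text):
    """Split a 'key: value' SmartTracker export into one dict per 'Number:' line."""
    records, current = [], None
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "Number":
            current = {"Number": value}
            records.append(current)
        elif current is not None:
            current[key] = value   # e.g. Information -> 'message_info: Address spoofing'
    return records


def extract_ip(field):
    """Pull the dotted quad out of 'name (a.b.c.d)' or a bare address."""
    match = IPV4_RE.search(field)
    return ipaddress.ip_address(match.group(1)) if match else None


def owning_interface(ip, topology):
    """Return the interface whose valid-address list covers ip, or None."""
    for iface, nets in topology.items():
        if nets and any(ip in net for net in nets):
            return iface
    return None


def classify_drop(record, topology):
    """Explain one 'Address spoofing' drop against the assumed topology.

    Returns (verdict, detail); verdict is one of wrong-interface,
    outside-topology, within-topology, consistent, unknown-interface,
    unparsed-source.
    """
    iface = record.get("Interface", "")
    if iface not in topology:
        return "unknown-interface", "interface %s is not in the topology map" % iface
    src = extract_ip(record.get("Source", ""))
    if src is None:
        return "unparsed-source", record.get("Source", "")
    owner = owning_interface(src, topology)
    if owner == iface:
        return ("within-topology",
                "%s is inside %s's valid addresses; compare with "
                "'Get Interfaces with Topology' on the gateway object" % (src, iface))
    if owner is not None:
        return ("wrong-interface",
                "%s belongs to %s but entered on %s (spoof or routing fault)" % (src, owner, iface))
    if topology[iface] is None:
        return "consistent", "%s is external and %s accepts unlisted sources" % (src, iface)
    return "outside-topology", "%s is not in %s's valid addresses" % (src, iface)


def triage(text, topology=TOPOLOGY):
    """Map record number -> (verdict, detail) for every anti-spoofing drop in text."""
    return {
        rec["Number"]: classify_drop(rec, topology)
        for rec in parse_records(text)
        if rec.get("Action") == "Drop" and "spoofing" in rec.get("Information", "").lower()
    }


if __name__ == "__main__":
    for number, (verdict, detail) in sorted(triage(SAMPLE_LOG).items()):
        print(number, verdict, "-", detail)
```

Records whose source falls inside the logged interface's own valid-address set ("within-topology") are the ones a topology re-read or the NAT configuration, not the spoofing rule itself, is most likely to explain; "wrong-interface" records are the ordinary case anti-spoofing exists for.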