Preventing IP Spoofing (2024)

Make sure to configure Anti-Spoofing protection on all the interfaces of the Security Gateway, including internal interfaces.

To configure Anti-Spoofing for an interface:

1. In SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., from the left navigation panel, click Gateways & Servers and double-click the Security Gateway object.

   The Gateway Properties window opens.

2. From the navigation tree, select Network Management.

3. Click Get Interfaces.

4. Click Accept.

   The Security Gateway network topology shows. If SmartConsole fails to automatically retrieve the topology, make sure that the details in the General Properties section are correct and the Security Gateway, the Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server., and the SmartConsole can communicate with each other.

5. Select an interface and click Edit.

   See Also

   Customer Community

   The interface properties window opens.

6. From the navigation tree, click General.

7. In the Topology section of the page, click Modify.

   The Topology Settings window opens.

8. In the Leads To section, select the type of network, to which this interface leads:

   • Internet (External) - This is the default setting. It is automatically calculated from the topology of the Security Gateway. To update the topology of an internal network after changes to static routes, click Network Management > Get Interfaces in the Gateway Properties window.
   • Override - Override the default setting.

   If you Override the default setting:

   • Internet (External) - All external/Internet addresses

   • This Network (Internal) -

     • Not Defined - All IP addresses behind this interface are considered a part of the internal network that connects to this interface
     • Network defined by the interface IP and Net Mask - Only the network that directly connects to this internal interface
     • Network defined by routes - The Security Gateway dynamically calculates the topology behind this interface. If the network of this interface changes, there is no need to click Get Interfaces and install a policy. For more, see Dynamically Updating the Security Gateway Topology.
     • Specific - A specific object (a Network, a Host, an Address Range, or a Network Group) behind this internal interface
     • Interface leads to DMZ - The DMZ that directly connects to this internal interface

9. Optional: In the Security Zone section, select User defined, check Specify Security Zone and choose the zone of the interface.

10. Configure Anti-Spoofing options (see Anti-Spoofing Options). Make sure that Perform Anti-Spoofing based on interface topology is selected.

11. Select an Anti-Spoofing action:

    • Prevent - Drops spoofed packets
    • Detect - Allows spoofed packets. To monitor traffic and to learn about the network topology without dropping packets, select this option together with the Spoof Tracking Log option.

12. Configure Anti-Spoofing exceptions (optional). For example, configure addresses, from which packets are not inspected by Anti-Spoofing:

    1. Select Don't check packets from.

    2. Select an object from the drop-down list, or click New to create a new object.

13. Configure Spoof Tracking - select the tracking action that is done when spoofed packets are detected:

    • Log - Create a log entry (default)
    • Alert - Show an alert
    • None - Do not log or alert

14. Click OK twice to save Anti-Spoofing settings for the interface.

For each interface, repeat the configuration steps. When finished, install the Access Control policy.