Re: checkpoint FW-1 address spoofing log entries

From: La Pina Pinomunito (puno_at_puny.com)
Date: 07/30/03


Date: Wed, 30 Jul 2003 10:42:50 +0200


"Bill F" wrote in message
> The situation is that a remote site on our wan has a checkpoint that's
> dropping packets from a single subnet from our site. The log indicates
> it's identifying the packets as address spoofed. I'm not real familiar
> with checkpoint products and wonder what if any additional
> troubleshooting features, or logging options might shed more light on
> this. We've eliminated as far as we know the question of whether they
> actually have the same network defined on the remote site. Is there a
> way to turn off name resolution so we can actually see the ip address?
>
> Here's a sample of the entries we're seeing.
>
> "2505699" "28Jul2003" "15:06:12" "VPN-1 & FireWall-1" "eth1c0" "saturn1"
> "Log" "Drop" "domain-udp" "alaadsdc01.global.enterprise"
> "lc_tsystems_ip" "udp" "" "1075" "" "message_info: Address spoofing; "
> "2506417" "28Jul2003" "15:07:23" "VPN-1 & FireWall-1" "eth1c0" "saturn1"
> "Log" "Drop" "domain-udp" "alaadsdc01.global.enterprise"
> "lc_tsystems_ip" "udp" "" "1075" "" "message_info: Address spoofing; "
> "2506665" "28Jul2003" "15:07:44" "VPN-1 & FireWall-1" "eth1c0" "saturn1"
> "Log" "Drop" "domain-udp" "alaadsdc01.global.enterprise"
> "lc_tsystems_ip" "udp" "" "3461" "" "message_info: Address spoofing; "
> "2507566" "28Jul2003" "15:09:32" "VPN-1 & FireWall-1" "eth1c0" "saturn1"
> "Log" "Drop" "domain-udp" "alaadsdc01.global.enterprise" "lc_mci_ip"
> "udp" "" "3461" "" "message_info: Address spoofing; "
> "2511516" "28Jul2003" "15:16:14" "VPN-1 & FireWall-1" "eth1c0" "saturn1"
> "Log" "Drop" "domain-udp" "alaadsdc01.global.enterprise"
> "lc_tsystems_ip" "udp" "" "3668" "" "message_info: Address spoofing; "
> "2513272" "28Jul2003" "15:18:54" "VPN-1 & FireWall-1" "eth1c0" "saturn1"
> "Log" "Drop" "http" "alaadsdc01.global.enterprise" "xx.xx.xx.xx" "tcp"
> "" "3805" "" "message_info: Address spoofing; "
> "2513792" "28Jul2003" "15:19:39" "VPN-1 & FireWall-1" "eth1c0" "saturn1"
> "Log" "Drop" "http" "alaadsdc01.global.enterprise" "xx.xx.xx.xx" "tcp"
> "" "3828" "" "message_info: Address spoofing; "
> "2514018" "28Jul2003" "15:20:05" "VPN-1 & FireWall-1" "eth1c0" "saturn1"
> "Log" "Drop" "http" "alaadsdc01.global.enterprise" "xx.xx.xx.xx" "tcp"
> "" "3843" "" "message_info: Address spoofing; "
> "2514802" "28Jul2003" "15:21:33" "VPN-1 & FireWall-1" "eth1c0" "saturn1"
> "Log" "Drop" "nbname" "alaadsdc01.global.enterprise" "xx.xx.xx.xx" "udp"
> "" "nbname" "" "message_info: Address spoofing; "
> "2515138" "28Jul2003" "15:22:01" "VPN-1 & FireWall-1" "eth1c0" "saturn1"
> "Log" "Drop" "" "alaadsdc01.global.enterprise" "xx.xx.xx.xx" "icmp" ""
> "" "" "icmp-type: 8; icmp-code: 0; message_info: Address spoofing; "
> "2522619" "28Jul2003" "15:35:52" "VPN-1 & FireWall-1" "eth1c0" "saturn1"
> "Log" "Drop" "http" "alaadsdc01.global.enterprise" "xx.xx.xx.xx" "tcp"
> "" "4271" "" "message_info: Address spoofing; "
> "2525101" "28Jul2003" "15:40:12" "VPN-1 & FireWall-1" "eth1c0" "saturn1"
> "Log" "Drop" "http" "alaadsdc01.global.enterprise" "xx.xx.xx.xx" "tcp"
> "" "4373" "" "message_info: Address spoofing; "

logexport -n means no DNS resolution. If you mean the log viewer, go to "query"
and untick name resolution; if you're dumping the ifn, use -n.
About spoofing: you have to set the network trusted by checkpoint. On the module
object, go to topology and set the subnets you need on the external and
internal interface topology.
Bye
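
An added example, not part of the original posts and not Check Point code: it parses entries in the layout quoted above (exported with name resolution off) and reports which source subnets are not covered by the topology of the interface they arrived on. The column positions, the topology values, the sample lines and the simplified rule "source must fall inside a network defined for the arrival interface" are assumptions made for illustration.

```python
import ipaddress
import shlex
from collections import Counter

# Column positions are an assumption read off the sample entries in the quoted post.
IFACE, ACTION, SRC, INFO = 4, 7, 9, 15

# Constructed topology: networks defined behind each interface (hypothetical values).
TOPOLOGY = {"eth1c0": ["10.20.0.0/16"], "eth0c0": ["192.0.2.0/24"]}

# Constructed log lines in the same layout; sources are numeric except in the last entry.
SAMPLE_LOG = '''\
"1" "28Jul2003" "15:06:12" "VPN-1 & FireWall-1" "eth1c0" "saturn1" "Log" "Drop" "domain-udp" "10.30.4.17" "192.0.2.53" "udp" "" "1075" "" "message_info: Address spoofing; "
"2" "28Jul2003" "15:18:54" "VPN-1 & FireWall-1" "eth1c0" "saturn1" "Log" "Drop" "http" "10.30.4.17" "192.0.2.80" "tcp" "" "3805" "" "message_info: Address spoofing; "
"3" "28Jul2003" "15:22:01" "VPN-1 & FireWall-1" "eth1c0" "saturn1" "Log" "Drop" "" "10.30.4.99" "192.0.2.80" "icmp" "" "" "" "icmp-type: 8; icmp-code: 0; message_info: Address spoofing; "
"4" "28Jul2003" "15:23:10" "VPN-1 & FireWall-1" "eth1c0" "saturn1" "Log" "Accept" "http" "10.20.1.5" "192.0.2.80" "tcp" "" "4001" "" ""
"5" "28Jul2003" "15:24:30" "VPN-1 & FireWall-1" "eth1c0" "saturn1" "Log" "Drop" "http" "host.example" "192.0.2.80" "tcp" "" "4002" "" "message_info: Address spoofing; "
'''

def spoof_drops(log_text):
    """Yield (interface, source address) for drops logged as address spoofing."""
    for line in log_text.splitlines():
        f = shlex.split(line)  # fields are double-quoted and space-separated
        if len(f) <= INFO or f[ACTION] != "Drop" or "Address spoofing" not in f[INFO]:
            continue
        try:
            src = ipaddress.ip_address(f[SRC])
        except ValueError:
            continue  # resolved name: cannot be matched against subnets
        yield f[IFACE], src

def allowed_on(iface, src, topology):
    """Simplified model: source must be inside a network defined for the interface."""
    return any(src in ipaddress.ip_network(n) for n in topology.get(iface, []))

def missing_networks(log_text, topology, prefix=24):
    """Count spoof drops per (interface, /prefix network) not covered by the topology."""
    gaps = Counter()
    for iface, src in spoof_drops(log_text):
        if not allowed_on(iface, src, topology):
            net = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
            gaps[(iface, str(net))] += 1
    return gaps

if __name__ == "__main__":
    for (iface, net), count in missing_networks(SAMPLE_LOG, TOPOLOGY).items():
        print(f"{iface}: {count} spoof drops from {net}, not in interface topology")
```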


