cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Anonymous
Not applicable

How do you turn off the firewall “spoofing” messages?

Jump to solution

How do you turn off the firewall “spoofing” messages?

1 Solution

Accepted Solutions
Anonymous
Not applicable

Re: How do you turn off the firewall “spoofing” messages?

Jump to solution

travisrigby:

Thank you for posting this question.  Firewall threat messages could possibly be attacks, but not necessarily as they could also be caused by misconfigurations or peculiarities in the network. In AOS, threats have been categorized and been assigned a weight based on their possible severity. Threats with a higher severity have the potential to be more compromising to hosts behind the firewall than threats with a lower severity.

The threat you have displayed above is a minor threat, and virtually can be ignored.  You can disable this message from appearing on the CLI, per session, by issuing the no events command.  For future reference I have detailed this particular threat below, as described in our IPv4 Firewall Protection in AOS guide:

Short Definition: Spoofing detected

Description: The firewall drops any packets with a source IP address that appears to be spoofed. The IPv4 route table is used to determine if a path to the source address is known (out of the IP interface from which the packet was received). For example, if a packet with a source IP address of 10.10.10.1 is received on interface FR 1.16 and no route to 10.10.10.1 (through interface FR 1.16) exists in the route table, the packet is dropped. Traffic that bypasses spoofing checks includes packets from the router itself, Dynamic Host Configuration Protocol (DHCP) traffic, multicast and routing protocol traffic, and Virtual Router Redundancy Protocol (VRRP) traffic. Spoofing detection can be turned off on individual ACPs to allow policy-based routing (PBR) or for any other case in which it would drop traffic that should not be dropped.


Indicates the receipt of a packet on a different ACP than determined by a route lookup on the source of the packet. The firewall performs a route lookup on the source of packets to determine whether they have arrived on the correct ACP. A packet arriving on a different ACP than indicated by a route lookup may be spoofed. In certain routing configurations (e.g., when policy-based routing (PBR) can act on certain packets of the flow), you might want to allow traffic to arrive on an ACP that differs from the results of the route lookup. If this is desired, use the command no ip policy-class <name> rpf-check to disable the reverse path forwarding check for packets arriving at that ACP.

Action: The firewall drops the offending packet.


I hope that makes sense, but please do not hesitate to reply if you have further questions on this topic.


Levi

View solution in original post

3 Replies
Anonymous
Not applicable

Re: How do you turn off the firewall “spoofing” messages?

Jump to solution

travisrigby:

Thank you for posting this question.  Firewall threat messages could possibly be attacks, but not necessarily as they could also be caused by misconfigurations or peculiarities in the network. In AOS, threats have been categorized and been assigned a weight based on their possible severity. Threats with a higher severity have the potential to be more compromising to hosts behind the firewall than threats with a lower severity.

The threat you have displayed above is a minor threat, and virtually can be ignored.  You can disable this message from appearing on the CLI, per session, by issuing the no events command.  For future reference I have detailed this particular threat below, as described in our IPv4 Firewall Protection in AOS guide:

Short Definition: Spoofing detected

Description: The firewall drops any packets with a source IP address that appears to be spoofed. The IPv4 route table is used to determine if a path to the source address is known (out of the IP interface from which the packet was received). For example, if a packet with a source IP address of 10.10.10.1 is received on interface FR 1.16 and no route to 10.10.10.1 (through interface FR 1.16) exists in the route table, the packet is dropped. Traffic that bypasses spoofing checks includes packets from the router itself, Dynamic Host Configuration Protocol (DHCP) traffic, multicast and routing protocol traffic, and Virtual Router Redundancy Protocol (VRRP) traffic. Spoofing detection can be turned off on individual ACPs to allow policy-based routing (PBR) or for any other case in which it would drop traffic that should not be dropped.


Indicates the receipt of a packet on a different ACP than determined by a route lookup on the source of the packet. The firewall performs a route lookup on the source of packets to determine whether they have arrived on the correct ACP. A packet arriving on a different ACP than indicated by a route lookup may be spoofed. In certain routing configurations (e.g., when policy-based routing (PBR) can act on certain packets of the flow), you might want to allow traffic to arrive on an ACP that differs from the results of the route lookup. If this is desired, use the command no ip policy-class <name> rpf-check to disable the reverse path forwarding check for packets arriving at that ACP.

Action: The firewall drops the offending packet.


I hope that makes sense, but please do not hesitate to reply if you have further questions on this topic.


Levi

Anonymous
Not applicable

Re: How do you turn off the firewall “spoofing” messages?

Jump to solution

travisrigby:

I have marked this post as "assumed answered," but do not hesitate to reply to this thread if you have further questions on this topic.  I will be happy to help.

Levi

Anonymous
Not applicable

Re: How do you turn off the firewall “spoofing” messages?

Jump to solution

I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post and unmark it and select another in its place with the applicable buttons.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

Thanks,

Noor