Deactivate antispoofing for an IP address interface pair
In rare cases, you might need to change the default antispoofing definitions to make exceptions to antispoofing, for example, if you have defined policy routing manually.
By default, the NGFW Engine interprets the antispoofing tree by selecting the most specific entry defined in the view. For example, a definition of a single IP address is selected over a definition of a whole network. If an IP address must be allowed access through two or more interfaces, the definition for each interface must be at the same level of detail for the IP address.
For example, if Interface A contains a Host element for 192.168.10.101 and Interface B contains a Network element for 192.168.10.0/24, connections from 192.168.10.101 are considered to be spoofed if they enter through Interface B, even though the address is included in the Network element. The antispoofing configuration must be changed to allow the address from Interface B.
For more details about the product and how to configure features, click Help or press F1.
Steps
Engine Editor – Routing – Antispoofing
Use this branch to view and change the engine's antispoofing configuration.
Option | Definition |
---|---|
Refresh View | Updates the view. |
Expand All | Expands all levels of the routing tree. |
Collapse All | Collapses all levels of the routing tree. |