Troubleshooting packets incorrectly dropped by antispoofing

You can add exceptions to antispoofing if traffic that should be allowed is incorrectly dropped as spoofed.

The antispoofing rules are automatically generated based on your routing configuration. Generally, traffic is only allowed if the IP address seen in the communications corresponds to the IP address space that is defined for routing through that interface in the Routing tree. Normally, communications require this routing information in any case for any reply packets to be correctly routed. In cases where communications are one way, however, you can make exceptions to the antispoofing in the Antispoofing tree.

By default, the antispoofing tree is read by selecting the most specific entry defined. For example, a definition of a single IP address is selected over a definition of a whole network. If some IP address must be allowed access through two or more different interfaces, the definition for each interface must be at the same level of detail for the IP address in question.

If Interface A contains a Host element for 192.168.10.101 and Interface B contains a Network element for 192.168.10.0/24, connections from 192.168.10.101 are considered spoofed if they enter through Interface B. If this behavior is not wanted, the Host element must also be added under Interface B (in addition to the Network element already included).

The preceding behavior can be changed by setting the more general setting (network) as Absolute through its right-click menu in the antispoofing tree. This setting allows the address through the interface even if there is a more specific definition attached to some other interface.
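The most-specific-match rule, the "same level of detail" requirement and the Absolute override described above can be checked with the following model. This is an added example, not the product's own code: the tree layout (a dictionary of interface name to entries), the `Entry` class and the `is_spoofed` function are assumptions that simplify the documented behavior, and the sample addresses are the ones used in the text.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Entry:
    """One element in the Antispoofing tree under a given interface.

    A Host element is written as a /32 prefix; a Network element is wider.
    `absolute` models the Absolute setting from the right-click menu.
    """
    network: str
    absolute: bool = False


def is_spoofed(tree: dict[str, list[Entry]], interface: str, src_ip: str) -> bool:
    """Return True if a packet from src_ip arriving on `interface` is dropped as spoofed.

    Assumed model: among all entries anywhere in the tree that contain src_ip,
    the most specific (longest prefix) defines the expected interface(s). The
    packet is allowed only if the arriving interface holds an entry at that
    level of detail, or an Absolute entry that contains the address.
    """
    addr = ip_address(src_ip)
    matches = [
        (iface, ip_network(e.network), e.absolute)
        for iface, entries in tree.items()
        for e in entries
        if addr in ip_network(e.network)
    ]
    if not matches:
        return True  # address is not routed through any interface
    best = max(net.prefixlen for _, net, _ in matches)
    return not any(
        iface == interface and (net.prefixlen == best or absolute)
        for iface, net, absolute in matches
    )


# Constructed trees reproducing the Interface A / Interface B example.
TREE_BASE = {"A": [Entry("192.168.10.101/32")], "B": [Entry("192.168.10.0/24")]}
TREE_HOST_ON_B = {"A": [Entry("192.168.10.101/32")],
                  "B": [Entry("192.168.10.0/24"), Entry("192.168.10.101/32")]}
TREE_B_ABSOLUTE = {"A": [Entry("192.168.10.101/32")],
                   "B": [Entry("192.168.10.0/24", absolute=True)]}

if __name__ == "__main__":
    for name, tree in [("base", TREE_BASE), ("host on B", TREE_HOST_ON_B),
                       ("B absolute", TREE_B_ABSOLUTE)]:
        print(f"{name}: .101 via B spoofed = {is_spoofed(tree, 'B', '192.168.10.101')}")
```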

Antispoofing also discards packets that are in a routing loop: if the Firewall accepts a packet, but then receives the exact same packet again through a different interface, the Firewall drops it. This behavior does not affect communications, but saves the Firewall and other equipment in your network from handling the same packet over and over again until it finally expires. If a routing loop occurs, you must correct the routing in your network. Routing loops are often indicated by “NIC index changed” information in the log entries for the discarded connection. The same packet enters the Firewall a second time, but through a different interface, usually because the device to which the Firewall is configured to send the packet routes it right back to the Firewall.