Deactivate antispoofing for an IP address interface pair

In rare cases, you might need to change the default antispoofing definitions to make exceptions to antispoofing, for example, if you have defined policy routing manually.

Note: Errors in the routing configuration (in the Management Client or in the surrounding network) can cause legitimate packets to be incorrectly identified as coming from a spoofed IP address. Always make sure that the routing is configured correctly before changing antispoofing. For example, routing loops generate log messages about spoofed packets. You cannot remove routing loops by changing antispoofing.

By default, the NGFW Engine interprets the antispoofing tree by selecting the most specific entry defined in the view. For example, a definition of a single IP address is selected over a definition of a whole network. If an IP address must be allowed access through two or more interfaces, the definition for each interface must be at the same level of detail for the IP address.

For example, if Interface A contains a Host element for 192.168.10.101 and Interface B contains a Network element for 192.168.10.0/24, connections from 192.168.10.101 are considered to be spoofed if they enter through Interface B, even though the address is included in the Network element. The antispoofing configuration must be changed to allow the address from Interface B.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Configuration.
  2. Right-click an NGFW Engine, then select Edit <element type>.
  3. Browse to Routing > Antispoofing.
  4. Right-click the interface, select Add, then select a Host or Network element.
  5. (Optional) If you want to allow all connections from a network through a specific interface, right-click the network that is beneath the interface, then select Absolute.
    CAUTION:
    Never mark the Any Network element as Absolute. Disabling antispoofing in this way is a security risk. Resolve large-scale antispoofing conflicts with specific antispoofing definitions or by changing routing.
    All IP addresses that belong to that network are now allowed for the interface. More specific antispoofing definitions for some addresses in the network can be defined for other interfaces.
  6. Click Save and Refresh to transfer the configuration.
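The selection rule and the two fixes described above (adding a Host element in step 4, marking a network Absolute in step 5) can be checked with a small model. This is an added example, not code from the product: the Entry type, the function names, and the treatment of addresses with no matching entry are assumptions made for illustration, and the model simplifies how the NGFW Engine actually evaluates the tree.

```python
import ipaddress
from typing import NamedTuple

class Entry(NamedTuple):
    interface: str
    network: ipaddress.IPv4Network
    absolute: bool = False  # models the "Absolute" option from step 5

def entry(interface, cidr, absolute=False):
    return Entry(interface, ipaddress.ip_network(cidr), absolute)

def allowed_interfaces(tree, source_ip):
    """Return the interfaces on which source_ip is accepted as not spoofed."""
    ip = ipaddress.ip_address(source_ip)
    matches = [e for e in tree if ip in e.network]
    if not matches:
        return set()  # assumption: an address with no entry is allowed nowhere
    # The most specific (longest-prefix) definition wins over broader ones.
    best = max(e.network.prefixlen for e in matches)
    allowed = {e.interface for e in matches if e.network.prefixlen == best}
    # An Absolute network stays valid on its interface even when another
    # interface holds a more specific definition for the same address.
    allowed |= {e.interface for e in matches if e.absolute}
    return allowed

def is_spoofed(tree, source_ip, interface):
    return interface not in allowed_interfaces(tree, source_ip)

def absolute_any_network(tree):
    """Flag the configuration the CAUTION forbids: Any Network marked Absolute."""
    return [e for e in tree if e.absolute and e.network.prefixlen == 0]

# Constructed trees based on the addresses in the example above.
DEFAULT_TREE = [entry("Interface A", "192.168.10.101/32"),
                entry("Interface B", "192.168.10.0/24")]
# Fix 1 (step 4): add a Host element of the same detail level to Interface B.
FIX_HOST = DEFAULT_TREE + [entry("Interface B", "192.168.10.101/32")]
# Fix 2 (step 5): mark the Network element under Interface B as Absolute.
FIX_ABSOLUTE = [entry("Interface A", "192.168.10.101/32"),
                entry("Interface B", "192.168.10.0/24", absolute=True)]

if __name__ == "__main__":
    for name, tree in [("default", DEFAULT_TREE), ("host added", FIX_HOST),
                       ("absolute", FIX_ABSOLUTE)]:
        verdict = "spoofed" if is_spoofed(tree, "192.168.10.101", "Interface B") else "allowed"
        print(f"{name}: 192.168.10.101 via Interface B is {verdict}")
    print(absolute_any_network([entry("Interface B", "0.0.0.0/0", absolute=True)]))
```

Running the same check against an exported list of antispoofing entries before a policy refresh shows which interface an address is pinned to and whether any Absolute entry covers the whole address space.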

Engine Editor > Routing > Antispoofing

Use this branch to view and change the antispoofing configuration.

Option        Definition
Refresh View  Updates the view.
Expand All    Expands all levels of the routing tree.
Collapse All  Collapses all levels of the routing tree.