Examples of route selection and antispoofing definitions

There are several considerations to take into account when configuring routing and antispoofing: in routing, the most specific matching destination wins; in antispoofing, only the most specific definition for a source address is accepted, and equally specific definitions are all valid.

The more specific destination is considered first in routing

1. Traffic with a destination address from 192.168.8.0/24 is routed through router2 because it is the most specific route to those destinations.
2. All other traffic with a destination address from 192.168.0.0/16 is routed through router1 because it remains the most specific route to those destinations.
3. Interface 1 is directly connected to the 192.168.11.0/24 network. Traffic with a destination address from 192.168.11.0/24 is routed there because it is the most specific route to those destinations.
4. Traffic with a destination address of 192.168.8.111 is routed through router3 because host-111 (192.168.8.111) has the most specific address.

Only the most specific destination is considered valid in antispoofing

If an interface receives a packet with a source address that is not a valid address for the networks connected to that interface, the packet is discarded. This is the case, for example, when an external interface receives a packet with an internal source. The NGFW Engine selects the most specific antispoofing definition it finds for each packet. The following antispoofing configuration is based on the previous routing example.

1. Traffic from host-111 (192.168.8.111) is discarded if it originates from Interface 0, because Interface 0 only has the less specific definition for that address (network 192.168.8.0/24).
2. Traffic from host-111 (192.168.8.111) is only considered valid if it originates from Interface 1, because Interface 1 has the most specific definition for the address of the host.

Both interfaces are valid because they are equally specific

1. Both Interface 0 and Interface 1 are considered valid sources for host-111 (192.168.8.111) because the Host element is beneath both interfaces. The plus sign on the host on Interface 0 indicates that the host was manually added to the configuration. Traffic can originate from both Interface 0 and Interface 1.
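The three rules above (longest-prefix route selection, most-specific antispoofing definition, and equally specific definitions on several interfaces) are shown below as an added example that models the page's scenario in Python; it is not the NGFW Engine's own code, and the route table, interface names and antispoofing definitions are constructed from the figures described on this page.

```python
from ipaddress import ip_address, ip_network

# Constructed route table modelled on the routing example above:
# (destination prefix, next hop or directly connected interface)
ROUTES = [
    ("192.168.0.0/16", "router1"),
    ("192.168.8.0/24", "router2"),
    ("192.168.11.0/24", "Interface 1"),   # directly connected network
    ("192.168.8.111/32", "router3"),      # host-111
]

# Constructed antispoofing definitions modelled on the second example:
# interface -> prefixes that are valid source addresses on that interface
ANTISPOOF = {
    "Interface 0": ["192.168.8.0/24"],    # only the less specific network
    "Interface 1": ["192.168.8.111/32"],  # host-111 itself
}


def select_route(dst, routes=ROUTES):
    """Longest-prefix match: the most specific matching destination wins."""
    addr = ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def valid_source_interfaces(src, definitions=ANTISPOOF):
    """Interfaces on which src is an acceptable source address.

    Only the most specific definition found for src counts; when several
    interfaces hold a definition of that same specificity (the third
    example above), all of them are valid."""
    addr = ip_address(src)
    best_len, valid = -1, set()
    for iface, prefixes in definitions.items():
        for prefix in prefixes:
            net = ip_network(prefix)
            if addr not in net:
                continue
            if net.prefixlen > best_len:
                best_len, valid = net.prefixlen, {iface}
            elif net.prefixlen == best_len:
                valid.add(iface)
    return valid


def antispoof_check(src, ingress, definitions=ANTISPOOF):
    """True if a packet from src arriving on ingress passes antispoofing."""
    return ingress in valid_source_interfaces(src, definitions)
```

Adding "192.168.8.111/32" under Interface 0 as well (the manually added host with the plus sign) makes both interfaces equally specific, and `valid_source_interfaces` then returns both.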