Hi, I need some help with configuring anti-spoofing on an Internet-facing interface within a Check Point NG cluster. When I configure anti-spoofing on the Internet-facing interface, Check Point comes back with an error saying that I need to configure topology information for another (non-Internet-facing) interface first, in order to use the anti-spoofing feature. It only gives the error for one interface on one firewall in the cluster. I don't want to configure anti-spoofing on this internal interface at this time, only on the external interface. Any ideas on what I am doing wrong? Thanks
Sorry, I'm pretty sure you have to set it up all or nothing. The spoofing code is trying to determine which IPs belong on which side of the firewall. Configuring one side only doesn't give the firewall this information.
How else would it know the difference between a spoofed packet and a real one? (i.e. sending that 192.168.1.5 address in the outside NIC)
Thanks, that makes perfect sense. None of the other interfaces on this firewall are set up, and the error message does seem to indicate that I need to have it configured on the other interfaces as well.
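The dependency discussed in this thread, as an added example that is not part of the original posts and is not Check Point's code: a simplified model in which the external interface accepts only source addresses that are not defined behind any other interface, so it cannot be evaluated until every other interface has topology. The interface names (`eth1`, `eth2`), the networks and the function names are constructed for illustration.

```python
import ipaddress

# Constructed topology: interface name -> networks defined behind it.
# A value of None models an interface whose topology is not configured.
TOPOLOGY = {
    "eth1": [ipaddress.ip_network("192.168.1.0/24")],  # internal LAN
    "eth2": [ipaddress.ip_network("10.10.0.0/16")],    # second internal segment
}


def external_source_is_valid(src, topology):
    """Anti-spoofing check for a packet arriving on the external interface.

    Assumed model: a source is valid on the outside only if it does NOT
    belong behind any other interface. If any interface has no topology,
    the set of "outside" addresses cannot be computed, so refuse to answer.
    """
    missing = sorted(name for name, nets in topology.items() if nets is None)
    if missing:
        raise ValueError("topology not defined for: " + ", ".join(missing))
    addr = ipaddress.ip_address(src)
    return not any(addr in net for nets in topology.values() for net in nets)


def internal_source_is_valid(src, iface, topology):
    """Anti-spoofing check for a packet arriving on an internal interface:
    the source must fall inside a network defined behind that interface."""
    nets = topology[iface]
    if nets is None:
        raise ValueError("topology not defined for: " + iface)
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in nets)


if __name__ == "__main__":
    # 192.168.1.5 arriving on the outside NIC is spoofed; 203.0.113.7 is not.
    for src in ("192.168.1.5", "203.0.113.7"):
        verdict = "accept" if external_source_is_valid(src, TOPOLOGY) else "drop (spoofed)"
        print("external", src, verdict)

    # With one interface left unconfigured, the external check cannot run.
    partial = dict(TOPOLOGY, eth2=None)
    try:
        external_source_is_valid("192.168.1.5", partial)
    except ValueError as err:
        print("error:", err)
```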