About Spoofing Attacks

One method that attackers use to enter your network is to create a false electronic identity. With IP spoofing, an attacker sends a TCP/IP packet that carries a different IP address than the one that belongs to the computer that first sent it.

If you enable the global Drop Spoofing Attacks setting on your Firebox, the Firebox verifies that the source IP address of a packet is from a network on the specified interface. By default, the Firebox drops spoofing attacks.

About IP Spoofing Verification

Fireware v12.9 or higher

For internal and BOVPN virtual interfaces, the Firebox looks up the route with the source IP address. If a route exists for that interface, the route lookup succeeds, which means IP spoofing verification passes and the Firebox allows the connection. If no route is associated with the interface, the route lookup fails. This means the IP spoofing verification fails, and the Firebox denies the incoming connection.

For external interfaces, the Firebox looks up the route without a source IP address. If the route lookup determines the route is on the same interface, IP spoofing verification passes, and the Firebox allows the traffic. If the route lookup determines the output interface is different than the incoming interface, but the route is a default route, IP spoofing verification passes, and the Firebox allows the traffic. In this case, the source IP of the traffic can be reached through multiple paths, but the traffic still travels back through the same interface. If the route lookup determines the route is on a different interface, and the route is not a default route, IP spoofing verification fails, and the Firebox denies the incoming connection.
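The two lookups described above can be modeled in a few lines. This is an added example, not WatchGuard code: the routing table, the interface names (ext0, ext1, trusted0, bovpn1), and the use of longest-prefix match to pick the route back to the source are all assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple

class Route(NamedTuple):
    network: str    # destination prefix in CIDR form
    interface: str  # interface the route points out of

# Constructed routing table; interface names and prefixes are assumptions.
ROUTES = [
    Route("0.0.0.0/0", "ext0"),         # default route
    Route("198.51.100.0/24", "ext1"),   # network on a second external interface
    Route("10.0.1.0/24", "trusted0"),   # internal network
    Route("10.0.50.0/24", "bovpn1"),    # network behind a BOVPN virtual interface
]
EXTERNAL = {"ext0", "ext1"}

def spoof_check(src, in_iface, routes=ROUTES, external=EXTERNAL):
    """Return (allowed, reason) for source IP `src` arriving on `in_iface`."""
    ip = ipaddress.ip_address(src)
    nets = [(ipaddress.ip_network(r.network), r.interface) for r in routes]
    matches = [(n, i) for n, i in nets if ip in n]
    if in_iface not in external:
        # Internal / BOVPN virtual: the source must have a route on this interface.
        if any(i == in_iface for _, i in matches):
            return True, "route exists for incoming interface"
        return False, "no route to source on incoming interface"
    if not matches:
        return False, "no route to source"
    # External: take the best (longest-prefix) route back to the source.
    net, out_iface = max(matches, key=lambda m: m[0].prefixlen)
    if out_iface == in_iface:
        return True, "route is on incoming interface"
    if net.prefixlen == 0:
        return True, "different interface, but default route"
    return False, "route is on a different interface"

if __name__ == "__main__":
    # Constructed test packets: (source IP, incoming interface).
    for src, iface in [("10.0.1.25", "trusted0"), ("10.0.50.7", "trusted0"),
                       ("203.0.113.5", "ext1"), ("198.51.100.9", "ext0"),
                       ("10.0.1.25", "ext0")]:
        print(src, iface, spoof_check(src, iface))
```

The last two sample packets are the ones the check exists to catch: a source that belongs to another interface's network arrives on ext0, and the route back to it is neither on ext0 nor a default route.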

Fireware v12.8.x or lower

In Fireware v12.8.x or lower, IP spoofing verification works differently and does not apply to BOVPN virtual interfaces. For information about how the global Drop Spoofing Attacks setting can affect SD-WAN actions, see SD-WAN Failover from an MPLS Link to a BOVPN Virtual Interface Tunnel.

Configure IP Spoofing Verification

To protect against spoofing attacks, from Fireware Web UI:

  1. Select Firewall > Default Packet Handling.
    The Default Packet Handling page appears.
  2. Select or clear the Drop Spoofing Attacks check box.
  3. Click Save.

To protect against spoofing attacks, from Policy Manager:

  1. Click .
    Or, select Setup > Default Threat Protection > Default Packet Handling.
    The Default Packet Handling dialog box appears.
  2. Select or clear the Drop Spoofing Attacks check box.
  3. Click OK.

See Also

About Default Packet Handling Options