IP Spoof when configuring Active Directory authentication

Hello,

I have a Sophos XG Firewall on a VM in my homelab (latest release available), configured in transparent mode, so its IP is on a bridge pair.

I'm trying to add Active Directory Authentication, but my firewall can't connect to my primary DC. I've checked the traffic with drop-packet-capture, and the firewall drops its own traffic because of "IP_SPOOF".

Apparently, my Sophos XG sends its packets without providing its MAC address, and then drops them.

I've tried to add a FW rule to accept traffic from my firewall network range to my DC, and to add an exclusion with the MAC of the bridge pair, but that obviously didn't work.

Can you help me with that issue?

Thank you,

  • Thomas,

    Can you disable the spoof protection?

    And try again?

  • Hi Thomas Delcampe,

    Can you share the logs and traffic detail for this IP spoofing? 

    Thanks,

  • In reply to H_Patel:

    Hi,

    Spoofing is already deactivated...

    Here is a log:

    2020-02-20 20:11:36 0119021 IP 10.10.1.253.51044 > 10.10.100.1.389 : proto TCP:
    R 3947871165:3947871165(0) checksum : 50647
    0x0000:  4500 0028 f55f 4000 3f06 cc5e 0a0a 01fd  E..(._@.?..^....
    0x0010:  0a0a 6401 c764 0185 eb4f bbbd 0000 0000  ..d..d...O......
    0x0020:  5004 0000 c5d7 0000                      P.......
    Date=2020-02-20 Time=20:11:36 log_id=0119021 log_type=Firewall log_component=IP_Spoof
    log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port2 out_dev=
    inzone_id=2 outzone_id=0 source_mac= dest_mac= l3_protocol=IP source_ip=10.10.1.253
    dest_ip=10.10.100.1 l4_protocol=TCP source_port=51044 dest_port=389 fw_rule_id=0
    policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0
    hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0
    app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0
    dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x8001 nfqueue=0 scanflags=0
    gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=975732160 masterid=0
    status=398 state=8 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A
    tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    Thank you,
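The capture and log record in the post above, as an added example that is not part of the thread (Python written for this page, not Sophos code): it decodes the hex dump into IPv4 and TCP header fields, parses the key=value record, flags IP_Spoof denials that carry an empty source_mac, and cross-checks that the record and the packet describe the same 5-tuple. The hex bytes and the record are copied from the post (the record trimmed to the fields the example uses); the function names are assumptions.

```python
import re
import struct
from ipaddress import IPv4Address

# Hex dump copied from the drop-packet-capture output posted in the thread
# (offset column and ASCII gutter included, exactly as shown).
HEX_DUMP = """\
0x0000:  4500 0028 f55f 4000 3f06 cc5e 0a0a 01fd  E..(._@.?..^....
0x0010:  0a0a 6401 c764 0185 eb4f bbbd 0000 0000  ..d..d...O......
0x0020:  5004 0000 c5d7 0000                      P.......
"""

# The key=value record from the same post, joined back onto one line and
# trimmed to the fields this example uses (the forum wrapped it mid-word).
LOG_LINE = (
    "Date=2020-02-20 Time=20:11:36 log_id=0119021 log_type=Firewall "
    "log_component=IP_Spoof log_subtype=Denied log_status=N/A log_priority=Alert "
    "duration=N/A in_dev=Port2 out_dev= inzone_id=2 outzone_id=0 source_mac= "
    "dest_mac= l3_protocol=IP source_ip=10.10.1.253 dest_ip=10.10.100.1 "
    "l4_protocol=TCP source_port=51044 dest_port=389 fw_rule_id=0"
)

# TCP flag bits in the low byte of the data-offset/flags word (RFC 793).
TCP_FLAGS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn 'offset:  hhhh hhhh ...  ascii' lines into raw packet bytes."""
    raw = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        # Hex groups are single-space separated; two spaces start the ASCII gutter.
        hex_part = line.split(":", 1)[1].strip().split("  ")[0]
        raw += bytes.fromhex(hex_part.replace(" ", ""))
    return bytes(raw)


def decode_ipv4_tcp(pkt: bytes) -> dict:
    """Decode the IPv4 and TCP headers of a captured packet (IHL honoured, no option parsing)."""
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    if proto != 6:
        raise ValueError("not TCP")
    ihl = (ver_ihl & 0x0F) * 4
    (sport, dport, seq, ack, off_flags, window,
     _tcsum, _urg) = struct.unpack("!HHIIHHHH", pkt[ihl:ihl + 20])
    flag_bits = off_flags & 0x1FF
    return {
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
        "ttl": ttl, "total_len": total_len,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "window": window,
        "flags": [name for bit, name in TCP_FLAGS if flag_bits & bit],
    }


def parse_xg_log(line: str) -> dict:
    """Parse a Sophos XG key=value firewall log record; empty values are kept as ''."""
    return dict(re.findall(r"(\w+)=(\S*)", line))


def is_spoof_drop_without_source_mac(rec: dict) -> bool:
    """True for an IP_Spoof denial where the firewall logged no source MAC at all,
    which is the symptom the poster describes for the firewall's own packets."""
    return (rec.get("log_component") == "IP_Spoof"
            and rec.get("log_subtype") == "Denied"
            and rec.get("source_mac", "") == "")


def log_matches_packet(rec: dict, pkt: dict) -> bool:
    """Cross-check that the record and the hex dump describe the same 5-tuple."""
    return (rec.get("source_ip") == pkt["src"] and rec.get("dest_ip") == pkt["dst"]
            and rec.get("source_port") == str(pkt["sport"])
            and rec.get("dest_port") == str(pkt["dport"])
            and rec.get("l4_protocol") == "TCP")


if __name__ == "__main__":
    decoded = decode_ipv4_tcp(hexdump_to_bytes(HEX_DUMP))
    record = parse_xg_log(LOG_LINE)
    print(decoded)
    print("spoof drop without source MAC:", is_spoof_drop_without_source_mac(record))
    print("record matches packet:", log_matches_packet(record, decoded))
```

Run as-is, the decoder shows the dropped packet is a 40-byte TCP segment with only the RST flag set (flags word 0x5004) and a zero window, from 10.10.1.253:51044 to 10.10.100.1:389, which agrees with the "R" and the ports in the capture line and with the source_ip/dest_ip/port fields of the record; the record's source_mac and dest_mac are both empty strings, so the check returns True.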