This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IP Spoof when configuring Active Directory authentication

Hello,

I've a Sophos XG Firewall on a VM in my homelab (lastest release available), configured in transparent mode, so his IP is on a bridge pair.

I'm trying to add Active Directory Authentication, but my firewall can't connect to my primary DC. I've checked the traffic with drop-packet-capture, and the firewall drop his own traffic because of "IP_SPOOF".

Apparently, my Sophos XG send his packet without providing his MAC address and he drop it.

I've tried to add a FW rule to accept traffic from my firewall network range to my DC and to add a exclusion with the MAC of the bridge pair but that obviously did'nt worked.

Can you help me with that issue?

Thank you,

This thread was automatically locked due to age.

Parents

0 FormerMember over 4 years ago

Hi Thomas Delcampe,

Can you share the logs and traffic detail for this IP spoofing?

Thanks,
Cancel
Vote Up 0 Vote Down

Cancel
0 Thomas Delcampe over 4 years ago in reply to FormerMember

Hi,

Spoofing is already deactivated...

Here is a log :

2020-02-20 20:11:36 0119021 IP 10.10.1.253.51044 > 10.10.100.1.389 : proto TCP:
R 3947871165:3947871165(0) checksum : 50647
0x0000: 4500 0028 f55f 4000 3f06 cc5e 0a0a 01fd E..(._@.?..^....
0x0010: 0a0a 6401 c764 0185 eb4f bbbd 0000 0000 ..d..d...O......
0x0020: 5004 0000 c5d7 0000                      P.......
Date=2020-02-20 Time=20:11:36 log_id=0119021 log_type=Firewall log_component=IP_
Spoof log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=P
ort2 out_dev= inzone_id=2 outzone_id=0 source_mac= dest_mac= l3_protocol=IP sour
ce_ip=10.10.1.253 dest_ip=10.10.100.1 l4_protocol=TCP source_port=51044 dest_por
t=389 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn
_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=
0 proxy_flags=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id
=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmar
k=0x8001 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 c
tflags=0 connid=975732160 masterid=0 status=398 state=8 sent_pkts=N/A recv_pkts=
N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=
N/A tran_dst_port=N/A

Thank youn,
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Thomas Delcampe over 4 years ago in reply to FormerMember

Hi,

Spoofing is already deactivated...

Here is a log :

2020-02-20 20:11:36 0119021 IP 10.10.1.253.51044 > 10.10.100.1.389 : proto TCP:
R 3947871165:3947871165(0) checksum : 50647
0x0000: 4500 0028 f55f 4000 3f06 cc5e 0a0a 01fd E..(._@.?..^....
0x0010: 0a0a 6401 c764 0185 eb4f bbbd 0000 0000 ..d..d...O......
0x0020: 5004 0000 c5d7 0000                      P.......
Date=2020-02-20 Time=20:11:36 log_id=0119021 log_type=Firewall log_component=IP_
Spoof log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=P
ort2 out_dev= inzone_id=2 outzone_id=0 source_mac= dest_mac= l3_protocol=IP sour
ce_ip=10.10.1.253 dest_ip=10.10.100.1 l4_protocol=TCP source_port=51044 dest_por
t=389 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn
_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=
0 proxy_flags=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id
=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmar
k=0x8001 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 c
tflags=0 connid=975732160 masterid=0 status=398 state=8 sent_pkts=N/A recv_pkts=
N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=
N/A tran_dst_port=N/A

Thank youn,
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data