
Suddenly receiving IP_SPOOF Violations in XG 210 from allowed source

Hello:

Yesterday I started seeing these IP_SPOOF violations from our remote site that is on the allowed list in the DNAT firewall rule. They are unable to connect to or ping our DNAT devices set up behind the firewall. We can connect to them without any problem. This happened after the latest update to the firewall (SFOS 20.0.2 MR-2-Build378). I have rebooted both firewalls (in an Active-Passive cluster) as well as the switch that connects them. I have also rebooted the router that handles the external public IP addressing. I have never seen this before. Does anyone have any thoughts?

Thank you



Edited TAGs
[edited by: Erick Jan at 2:27 PM (GMT -7) on 27 Aug 2024]
  • As the IPs are not shown in full (obviously due to personal data hiding, from a GDPR perspective), I am guessing it's the same public IP (65.x.x.x) from which ARP requests are being seen on multiple interfaces like Port2/Port4/Port5. Could this be confirmed?

    If that's the case, it violates the reverse path check and would drop against IP SPOOFING if enabled.

    It looks like there is some periphery switch which might be sending ARP requests on all ports of SFOS which is connected to it.

    Regards,

    Sanket Shah

    Director, Software Development, Sophos Firewall
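
Added example, not part of the thread and not Sophos's implementation: a generic strict reverse path check that shows why one source address seen on Port2, Port4 and Port5 is accepted on only one of them. The routing table, interface roles and addresses are constructed assumptions; 203.0.113.7 stands in for the masked public IP.

```python
import ipaddress
from collections import defaultdict

# Constructed routing table (prefix, interface); not taken from the thread.
ROUTES = [
    ("0.0.0.0/0", "Port2"),        # assumed WAN / default route
    ("192.168.10.0/24", "Port4"),  # assumed internal network
    ("192.168.20.0/24", "Port5"),  # assumed internal network
]

def route_interface(src, routes=ROUTES):
    """Longest-prefix match: the interface used to send traffic back to src."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def strict_rpf(src, in_iface, routes=ROUTES):
    """Accept only if the route back to src leaves through the ingress interface."""
    return route_interface(src, routes) == in_iface

def audit(frames, routes=ROUTES):
    """Return (sources seen on more than one interface, frames failing the check)."""
    seen = defaultdict(set)
    dropped = []
    for src, iface in frames:
        seen[src].add(iface)
        if not strict_rpf(src, iface, routes):
            dropped.append((src, iface))
    multi = {s: sorted(i) for s, i in seen.items() if len(i) > 1}
    return multi, dropped

# Constructed observations: (source IP, ingress interface).
FRAMES = [
    ("203.0.113.7", "Port2"),
    ("203.0.113.7", "Port4"),
    ("203.0.113.7", "Port5"),
    ("192.168.10.25", "Port4"),
]

if __name__ == "__main__":
    multi, dropped = audit(FRAMES)
    print("sources seen on several interfaces:", multi)
    print("fail strict reverse path check:", dropped)
```

A source listed in the first result points at the switch or cabling that is presenting the same frames on several firewall ports, which is the condition the reply asks to confirm.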
