About Spoofing Attacks
One method that attackers use to enter your network is to make an electronic false identity. This is an IP spoofing method that attackers use to send a TCP/IP packet with a different IP address than the computer that first sent it.
If you enable the global Drop Spoofing Attacks setting on your Firebox, the Firebox verifies the source IP address of a packet is from a network on the specified interface. The default configuration of the Firebox is to drop spoofing attacks.
About IP Spoofing Verification
Fireware v12.9 or higher
Fireware v12.9 or higher simplifies how the Firebox handles IP spoofing checks.
When a Firebox interface receives an incoming connection initiated by a remote Firebox, the Firebox runs an IP spoofing check on that interface. To determine whether an incoming connection is spoofed or not, the Firebox initiates a reverse route lookup.
For internal and BOVPN virtual interfaces
- The Firebox looks up the route with the source IP address.
- If a route exists for that interface, the route lookup succeeds, which means IP spoofing verification passes and the Firebox allows the connection.
- If no route is associated with the interface, the route lookup fails. This means the IP spoofing verification fails, and the Firebox denies the incoming connection.
For external interfaces
- The Firebox looks up the route without a source IP address.
- If the route lookup determines the route is on the same interface, IP spoofing verification passes, and the Firebox allows the traffic.
- If the route lookup determines the output interface is different than the incoming interface, but the route is a default route, IP spoofing verification passes, and the Firebox allows the traffic.
- In this case, the source IP of the traffic can be reached through multiple paths, but the traffic still travels back through the same interface. If the route lookup determines the route is on a different interface, and the route is not a default route, IP spoofing verification fails, and the Firebox denies the incoming connection.
With this IP spoofing check behavior change in Fireware v12.9 and higher, the Firebox drops traffic sourced from a second External interface as a spoofing attack. In multi-WAN environments, inbound connections from IP addresses in the subnet range of one external interface will be dropped as IP spoofing if received on any other external interface. Review your routing and the subnet masks assigned to external interfaces. Note that these spoofing checks also apply to BOVPN virtual interfaces. If you do not have BOVPN virtual interface IP addresses configured, the traffic appears to come from the public IP of the remote endpoint. For more information about this change in spoofing check behavior and workarounds for these issues, go to the WatchGuard Knowledge Base.
Fireware v12.8.x or lower
In Fireware v12.8.x or lower, IP spoofing verification works differently and does not apply to BOVPN virtual interfaces. For information about how the global Drop Spoofing Attacks setting can affect SD-WAN actions, go to SD-WAN Failover from an MPLS Link to a BOVPN Virtual Interface Tunnel.
Configure IP Spoofing Verification
To protect against spoofing attacks, from Fireware Web UI:
- Select Firewall > Default Packet Handling.
The Default Packet Handling page appears.
- Select or clear the Drop Spoofing Attacks check box.
- Click Save.
To protect against spoofing attacks, from Policy Manager:
- Click .
Or, select Setup > Default Threat Protection > Default Packet Handling.
The Default Packet Handling dialog box appears.
- Select or clear the Drop Spoofing Attacks check box.
- Click OK.