I need help understanding a problem with Spoof Detection on Firewall-1 4.0 that appears to be rendering it worthless.
On an internal network we have a Firewall-1 4.0 box that has 12 dmz interfaces attached to it, each of them Class C networks that do not overlap. I tried to put spoof detection into effect on the firewall as follows:
1) Edited the Firewall-1 network object
2) Selected each Interfaces tab and hit Edit button
3) For every interface except external, I specified valid addresses as "This Net"
4) For the external interface, I specified "Others"
As soon as I install that policy, I see packets that should be allowed through the firewall get an accept on the incoming interface, and then get a reject on rule 0 as soon as they are passed to the interface with the server they are trying to reach. I researched this online and got this explanation:
A "reject" on Rule 0 typically means that an outgoing packet (one that has been accepted by your security policy and routed by the OS) is violating your anti-spoof rules because the packet is being routed out the wrong interface. If your Network Address Translation is misconfigured, you will often have problems with Anti-Spoofing.
This already concerns me a lot, because it implies that Firewall-1 has no way to distinguish a packet that has already passed through its security rules and NAT, from a packet that is incoming on an interface.
Can someone please give me an example of a valid NAT configuration that would allow spoof detection to work correctly, without causing the packets to be rejected on rule 0 when they get to the destination interface?
Further confusing me here, packets that are not having destination IPs modified by NAT are not triggering spoof detection. I don't see how the spoof detection can trigger when the packet gets to the dmz interface after being changed by NAT, but not triggered when there is no NAT. In both cases if the packet's source is a different network, then the Source IP won't be the same as the Valid Addresses that correspond to the Firewall-1 "This Net" spoof detection setting.
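The following is an added illustration, not part of the original post and not Check Point's code. It is a simplified model of the explanation quoted above (inbound anti-spoofing validates the source against the ingress interface's valid addresses, outbound anti-spoofing validates the translated destination against the egress interface's valid addresses, so a packet "routed out the wrong interface" after NAT is rejected on rule 0). The interface layout (one "Others" external interface and two "This Net" DMZ interfaces instead of twelve), the addresses, the NAT table and the two routing tables are all constructed for the example; the check directions are an assumption of the model, not a statement of how FireWall-1 4.0 is implemented.

```python
import ipaddress

# Constructed topology: "Others" on the external interface (None below),
# "This Net" on each DMZ interface (the post has 12 DMZs; two suffice here).
INTERFACES = {
    "external": None,
    "dmz1": ipaddress.ip_network("192.168.1.0/24"),
    "dmz2": ipaddress.ip_network("192.168.2.0/24"),
}

# Constructed static destination-NAT table: public address -> DMZ server.
NAT = {
    ipaddress.ip_address("203.0.113.10"): ipaddress.ip_address("192.168.1.10"),
}

# Constructed routing tables: a correct one, and one with a stray host route
# that steers the NAT'd server address out the wrong interface.
GOOD_ROUTES = [
    (ipaddress.ip_network("192.168.1.0/24"), "dmz1"),
    (ipaddress.ip_network("192.168.2.0/24"), "dmz2"),
]
BAD_ROUTES = GOOD_ROUTES + [(ipaddress.ip_network("192.168.1.10/32"), "dmz2")]


def address_valid(iface, addr):
    """Is addr within the valid addresses configured on iface?

    "This Net" means the interface's own network; "Others" (modelled as None)
    means any address that belongs to none of the internal interfaces.
    """
    net = INTERFACES[iface]
    if net is None:
        return not any(n is not None and addr in n for n in INTERFACES.values())
    return addr in net


def route(dst, routes):
    """Longest-prefix match; anything unmatched follows the default to external."""
    best = None
    for net, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else "external"


def process(src, dst, ingress, routes):
    """Walk a packet through inbound anti-spoof, NAT, routing, outbound anti-spoof.

    Returns ("accept", egress_interface) or ("reject", reason).
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 1. Inbound anti-spoofing: source must be valid for the ingress interface.
    if not address_valid(ingress, src):
        return ("reject", "rule 0 inbound on " + ingress)
    # 2. Security policy: assumed to accept (the post says these packets are allowed).
    # 3. Destination NAT, if a translation exists for this destination.
    dst = NAT.get(dst, dst)
    # 4. Routing decision on the translated destination.
    egress = route(dst, routes)
    # 5. Outbound anti-spoofing: destination must be valid for the egress interface.
    if not address_valid(egress, dst):
        return ("reject", "rule 0 outbound on " + egress)
    return ("accept", egress)


if __name__ == "__main__":
    # NAT'd packet with a correct route reaches dmz1; with the stray route it is
    # rejected on rule 0 at the interface it was wrongly routed out of.
    print(process("198.51.100.5", "203.0.113.10", "external", GOOD_ROUTES))
    print(process("198.51.100.5", "203.0.113.10", "external", BAD_ROUTES))
    # Untranslated DMZ-to-DMZ traffic is unaffected by the NAT/routing mismatch.
    print(process("192.168.2.7", "192.168.1.20", "dmz2", BAD_ROUTES))
    # A packet arriving on external with an internal source is the classic spoof case.
    print(process("192.168.1.99", "192.168.2.5", "external", GOOD_ROUTES))
```

The point of separating `route` from `address_valid` is that anti-spoofing only ever compares the packet against the per-interface valid-address set; it is the OS routing table (here, the stray /32) that decides which interface's set gets applied to the translated destination. Reconciling the NAT table with the routes for the translated addresses is therefore the configuration check to make before suspecting the anti-spoof settings themselves.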