Firewall/VPN

Routing and Anti-Spoofing

Module 4

Routing and Antispoofing


Routing and Antispoofing
Module Objectives
Upon completion of this module, you should be able to:

• Apply static routes to the NGFW
• Describe the use case for static source routing
• List at least three supported dynamic routing protocols
• Explain IP spoofing and the role of anti-spoofing

Content
Module Topics

Static Routing

Routing Configuration

Special Routing Conditions

Policy Routing

Dynamic Routing Overview

Static Routing
Defines the next-hop destination for packets that reach the NGFW

[Diagram: NGFW FW/VPN]

• Traffic reaches the NGFW
• Routing dictates which interface the traffic leaves through, based on the destination network

Routing Configuration

Static Routing is created by using the Routing Tools Pane found in the routing area of the Engine Editor

Routes to directly-connected networks are configured automatically

Special Routing Conditions
Dynamic IP Address

Routing when a firewall has a dynamic IP address

Management connections are initiated from the node with the dynamic control interface

Special Routing Conditions
Policy Routing

Packets from specific source IP addresses are routed through a selected gateway

Dynamic Routing

Protocols
• IGMP proxy (RFC 4605)
• RIP version 1 (RFC 1058)
• RIP version 2 (RFC 2453)
• OSPF version 2 (RFC 2328)
• BGP version 4 (RFC 1771)
• PIM-SM (RFC 4601)
Single node or standby cluster
Local configuration through CLI
Route monitoring and configuration backup / restore through Management Client
Route-based VPN for dynamic routing protocol updates and multicast traffic

Special Routing Conditions
Multicast Routing

Static IP multicast routing
• Relaying multicast traffic through firewall in a controlled way
IGMP Proxy
• Multicast routing support through IGMP Proxy
• Most useful method to support “dynamic” multicast routing
Route-based VPN to let the multicast traffic through the VPN

Antispoofing

[Diagram: the same source address arriving on two interfaces of the firewall]

Attacker (Internet side):
• Real source IP: 142.12.1.50
• Spoofed source IP: 192.168.1.23
• Eth1: Source 192.168.1.23 -> Spoofed Packet -> Discard

Internal Host (Protected Network side):
• Real source IP: 192.168.1.23
• Eth0: Source 192.168.1.23 -> Legitimate Packet -> Allow

Antispoofing Configuration

Antispoofing configuration is generated automatically based on the routing tree.
Can be adjusted manually if needed.
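
The sketch below is an added example, not code from the product or the course. It is a simplified model of how an antispoofing table can be derived from routes and checked against the packets in the diagram above. The /24 prefix, the 10.20.0.0/16 network, and the names `build_antispoofing`, `check_packet` and `manual_allow` are assumptions made for illustration.

```python
import ipaddress

# Constructed routing table matching the slide's diagram: Eth0 faces the
# protected network, Eth1 carries the default route towards the Internet.
ROUTES = [
    ("192.168.1.0/24", "Eth0"),  # assumed prefix length for the protected network
    ("0.0.0.0/0", "Eth1"),       # default route
]

def build_antispoofing(routes, manual_allow=()):
    """Turn (network, interface) routes into antispoofing entries.

    manual_allow models the manual adjustment: extra (network, interface)
    pairs that are accepted even though the routing tree does not imply them.
    """
    table = [(ipaddress.ip_network(n), ifc, False) for n, ifc in routes]
    table += [(ipaddress.ip_network(n), ifc, True) for n, ifc in manual_allow]
    return table

def check_packet(table, ingress_if, src_ip):
    """Return 'Allow' if src_ip may legitimately arrive on ingress_if."""
    src = ipaddress.ip_address(src_ip)
    matches = [(net, ifc, manual) for net, ifc, manual in table if src in net]
    if not matches:
        return "Discard"  # no route covers this source at all
    # The most specific network containing the source decides which
    # interface the address belongs behind.
    longest = max(net.prefixlen for net, _, _ in matches)
    allowed = {ifc for net, ifc, _ in matches if net.prefixlen == longest}
    # Manually added entries are honoured regardless of prefix length.
    allowed |= {ifc for _, ifc, manual in matches if manual}
    return "Allow" if ingress_if in allowed else "Discard"

if __name__ == "__main__":
    table = build_antispoofing(ROUTES)
    for ifc, src in [("Eth1", "192.168.1.23"), ("Eth0", "192.168.1.23"),
                     ("Eth1", "142.12.1.50")]:
        print(ifc, src, check_packet(table, ifc, src))
    # Constructed adjustment case: an internal network reached through Eth0
    # for which no static route has been defined.
    adjusted = build_antispoofing(ROUTES, [("10.20.0.0/16", "Eth0")])
    print("Eth0 10.20.5.9", check_packet(adjusted, "Eth0", "10.20.5.9"))
```

Without the manual entry, traffic from 10.20.5.9 arriving on Eth0 is discarded because only the default route on Eth1 covers it.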

Routing and Antispoofing
Review

What routes are created automatically?
What special routing features does the Firewall support?
Explain IP address spoofing attacks.
How is the Antispoofing configuration generated?
Give an example of when you would need to adjust the Antispoofing configuration.
How do you define the default route?

Lab 3: Routing and Antispoofing

Goals:
• Define a Router
• Define a Static Default Route
Estimated Time: 10 minutes
Please refer to the Lab Guide for lab details
