Screen OS

  • 1.  ip spoofing

    Posted 11-17-2008 00:33

    Hello all,

     

    I have a Juniper SSG5 configured with 2 ISPs, one as primary and the other as secondary. I'm getting IP spoofing alerts from the secondary interface. The message is:

     

    IP spoofing! From 192.168.88.1 to 224.0.0.1, proto 2 (zone Untrust, int ethernet0/1). Occurred 1 times.

     

    This is showing almost every minute.

     

    Once my primary interface goes down, the secondary is not kicking in. It was working fine last week, but since today it is not working.

     

     

    Please help.



  • 2.  RE: ip spoofing
    Best Answer

    Posted 11-17-2008 09:36

    IP spoofing is just a way for the firewall to tell you that it's seeing traffic on an interface that shouldn't be seeing certain IPs (private addresses on the untrust interface), or for subnets it simply doesn't have a route to. It appears that your untrust interface has a private IP and that the upstream device is sending out multicast requests (224.0.0.1). You can easily turn off IP Spoofing on your untrust zone since it's just generating noise.

     

     



  • 3.  RE: ip spoofing

    Posted 02-18-2009 20:36

    Hi,

     

    I am having this exact same issue with an SSG5. I don't see turning off IP Spoofing protection on the Untrust interface as a solution though - are you not just leaving yourself unchecked now if you aren't running this on your inbound traffic from the untrust source? So what is the -real- answer to this false positive related to the ADSL modem that will allow for Untrust Spoof protection to be on without setting off message after message in the log about a 224 detection that is false?



  • 4.  RE: ip spoofing

    Posted 02-19-2009 01:29

    Hi Envomni,

     

    I would tend to agree, and maybe this link will explain why:

     

    http://www.xs4all.nl/~rmeijer/spoofing.html

     

    Gavrilo



  • 5.  RE: ip spoofing

    Posted 02-19-2009 01:33

    Maybe a more sensible approach would be to limit the traffic at the border routers with access and prefix lists?

     

    Just a thought.

     

    Gavrilo
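
An added example, not part of the thread and not Juniper code: a small log triage script that parses the alert format quoted in the first post and separates link-local IGMP chatter (proto 2 to 224.0.0.0/24) from other spoofing alerts, so the check can stay enabled while the log is reviewed. The function names, labels and all sample lines except the first are assumptions made for this example.

```python
import ipaddress
import re

ALERT_RE = re.compile(  # alert format as quoted in the first post of the thread
    r"IP spoofing! From (?P<src>[\d.]+) to (?P<dst>[\d.]+), proto (?P<proto>\d+) "
    r"\(zone (?P<zone>[^,]+), int (?P<intf>[^)]+)\)\. Occurred (?P<count>\d+) times\."
)
IGMP = 2  # IANA protocol number for IGMP
LINK_LOCAL_MCAST = ipaddress.ip_network("224.0.0.0/24")  # includes all-hosts 224.0.0.1
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# First line is the alert from the thread; the rest are constructed for this example.
SAMPLE = [
    "IP spoofing! From 192.168.88.1 to 224.0.0.1, proto 2 (zone Untrust, int ethernet0/1). Occurred 1 times.",
    "IP spoofing! From 192.168.88.1 to 224.0.0.1, proto 2 (zone Untrust, int ethernet0/1). Occurred 3 times.",
    "IP spoofing! From 10.1.1.5 to 203.0.113.20, proto 6 (zone Untrust, int ethernet0/1). Occurred 2 times.",
    "Interface ethernet0/0 link state changed (constructed non-alert line).",
]


def parse_alert(line):
    """Return the alert fields as a dict, or None for any other log line."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    try:
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    except ValueError:  # dotted string that is not a valid IPv4 address
        return None
    return {"src": src, "dst": dst, "proto": int(m["proto"]),
            "zone": m["zone"], "intf": m["intf"], "count": int(m["count"])}


def classify(alert):
    """Label an alert so link-local IGMP chatter can be told apart from the rest."""
    if alert["proto"] == IGMP and alert["dst"] in LINK_LOCAL_MCAST:
        return "igmp-link-local"  # e.g. an upstream modem's query to 224.0.0.1
    if alert["dst"].is_multicast:
        return "other-multicast"
    if any(alert["src"] in net for net in RFC1918):
        return "private-source"  # RFC 1918 source seen on the interface
    return "review"


def triage(lines):
    """Sum the 'Occurred N times' counts per (label, source, interface)."""
    totals = {}
    for alert in filter(None, map(parse_alert, lines)):
        key = (classify(alert), str(alert["src"]), alert["intf"])
        totals[key] = totals.get(key, 0) + alert["count"]
    return totals
```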