Dell Sonicwall - IP Spoof Detection

The Setup:
Sonicwall NSA 4500
X0 LAN
X1 ISP#1
X2 ISP#2
X3 SAN network
X4 ISP #3
x5 ISP #5

X1-2 are actually the same ISP, but just have a disjoint subnet with static IP's in compeltely different ranges.  These two interfaces connect to a small switch and up to the ISP (radio based)

x5 ISP #4 is business class cable for browsing the internet.  No static IPs.

X4 ISP #3 - New ISP via fiber with a ton of static IP's.  

Here's my issue.   Only on the new X4 (ISP #3) - Any time I setup a NAT (either 1-2-1 or port based) and my firewall rules, nothing works.  Went as far as directly attaching a laptop to the carrier's handoff and assigning a static IP and it works.  

After some looking around, I am getting
Intrusion prevention    IP Spoof Dropped   <source> <destiantion>  mac: <MAC of the carriers router>


I can resolve this by turning off IP spoof detection on the "hidden" daiag page - but I'd really a)Not like to have to do that b) Have this work as planned.  

Thoughts?
LVL 1
JamesonJendreasAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Blue Street TechLast KnightCommented:
Hi Jameson,

Generally an IP Spoof message in the logs means there is some sort of malicious attempts to access a network segment, but they can also occur when the SonicWALL one it discovers a serious networking anomoly or fault where one IP belonging to say network A is coming from network B (hence spoofing). This can result from unintentional configurations too such as erroneous routing, misconfigurations, packets sent from APIPA addresses, network loops, etc.

Regardless of the origin they should always be taken seriously, irradiated and remedied because whether created intentionally or unintentionally they can cause and manifest in undesirable outcomes which on the intentional side are nefarious attacks and on the unintentional side is connectivity problems/network downtime and even a complete network outage depending on the scenario.

In your case you have already troubleshot this down to NAT Rules - I'd venture to say there is a misconfiguration in the NAT Policy/ies also check your routes and verify them.

You could exclude the Carrier's router via its MAC address from IPS but I'd strongly encourage you to trace this and "root out" the origin that is causing this.

Exclude the MAC addresses in IPS under Configure IPS Settings.
1. Create Address Objects - Create an Address Objects for each MAC address of the carriers router.
2. Create Address Object Group - Create an Address Object Group named e.g. Exclusions for IPS and add the Address Objects to that group.
3. Configure IPS Services - Next go to Security Services > IPS and click Configure IPS Settings. Check Enable IPS Exclusion List and select Use Address Objects. Finally, select the newly created Address Object Group named e.g. Exclusions for IPS and click OK to save.

Let me know if you have any questions!

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Hardware Firewalls

From novice to tech pro — start learning today.