Configuring Local addresses
Unlike the IP/IPv6 address configuration, the local address configuration is not used in the Global ACL policy. Instead, it is used by the Local Address Anti-spoofing rules configured on the Global Settings > Settings page. The anti-spoofing ACL leverages your knowledge of the local address space to prevent spoof attacks to and from local addresses.
You can enable one or more rules that consult the local address configuration:
Inbound source must not be local address—Blocks inbound packets that have a source address inside the network. The source address is definitely spoofed.
Inbound destination must be local address—Blocks inbound packets that do not have a destination in your network. The destination address is illegitimate.
Outbound source must be local address—Blocks outbound packets with a spoofed address. Reduces the risk of your network being used in spoof attacks.
Outbound destination must not be local-address—Blocks outbound packets with a destination inside your local network.
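The following added example (not Fortinet code and not output from a device) models how the four rules above decide on a packet given a local address list. The rule short names, the prefixes and the packets are constructed assumptions for illustration.

```python
import ipaddress

# Constructed local address configuration (documentation-range prefixes).
LOCAL_ADDRESSES = ["192.0.2.0/24", "198.51.100.0/25"]

# The four rules from the list above: hypothetical short name ->
# (direction, address field checked, whether that address must be local).
RULES = {
    "inbound-src-not-local":  ("inbound",  "src", False),
    "inbound-dst-local":      ("inbound",  "dst", True),
    "outbound-src-local":     ("outbound", "src", True),
    "outbound-dst-not-local": ("outbound", "dst", False),
}

def is_local(addr, nets):
    """True if addr falls inside any configured local prefix."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)

def evaluate(direction, src, dst, enabled=tuple(RULES), local=LOCAL_ADDRESSES):
    """Return the enabled rules that would deny this packet, in rule order."""
    # strict=True rejects entries with host bits set (e.g. 192.0.2.5/24),
    # a common typo when writing address/mask patterns in CIDR notation.
    nets = [ipaddress.ip_network(n, strict=True) for n in local]
    denied = []
    for name in enabled:
        rule_dir, field, must_be_local = RULES[name]
        if rule_dir != direction:
            continue
        addr = src if field == "src" else dst
        if is_local(addr, nets) != must_be_local:
            denied.append(name)
    return denied

def run_samples():
    """Evaluate constructed packets; returns a list of deny decisions."""
    packets = [
        ("inbound",  "192.0.2.10",  "192.0.2.20"),      # local source arriving from outside
        ("inbound",  "203.0.113.5", "198.51.100.200"),  # destination outside the /25
        ("outbound", "203.0.113.5", "203.0.113.9"),     # non-local source leaving
        ("outbound", "192.0.2.10",  "192.0.2.20"),      # local destination leaving
        ("inbound",  "203.0.113.5", "192.0.2.20"),      # legitimate inbound
        ("outbound", "192.0.2.10",  "203.0.113.9"),     # legitimate outbound
    ]
    return [evaluate(*p) for p in packets]

if __name__ == "__main__":
    for result in run_samples():
        print(result or "permit")
```

The second sample packet is denied only because 198.51.100.200 lies outside the configured /25, which shows why the local address list must cover the whole local address space before the "must be local" rules are enabled.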
Information about packets denied by Local Address Anti-spoofing rules is reported in the following graphs and reports:
Graphs (Monitor > ACL Drops > Layer 3, Monitor > Layer 3 > Address Denied)
Executive Summary dashboard (Log & Report > Report Browse > Executive Summary)
Reports (Log & Report > Report Configuration > Report Configuration)
Basic steps
1. Configure local addresses.
2. Enable Local Address Anti-spoofing rules.
Before you begin:
You must have Read-Write permission for Global Settings.
To configure local addresses:
1. Go to Global Settings > Address > Local Address Config.
2. Click Add to display the configuration editor.
3. Complete the configuration as described in Table 20.
4. Save the configuration.
 
Table 19: Local address configuration

| Settings | Guidelines |
|---|---|
| Name | Configuration name. Must not contain spaces. |
| IP-Netmask | Specify an address/mask pattern using CIDR notation. |
 
 
To configure with the CLI, use a command sequence similar to the following:
    config ddos global local address
      edit <address_name>
        set ip-netmask <address_ipv4mask>
    end