nerdexam
Check_Point

156-215.80 · Question #424

Which statement is TRUE of anti-spoofing?

The correct answer is C. It is BEST Practice to have anti-spoofing groups in sync with the routing table. Anti-spoofing relies on the routing table to determine which source addresses are valid per interface, so keeping them in sync is the core best practice.

Security Policy Management

Question

Which statement is TRUE of anti-spoofing?

Options

  • AAnti-spoofing is not needed when IPS software blade is enabled
  • BIt is more secure to create anti-spoofing groups manually
  • CIt is BEST Practice to have anti-spoofing groups in sync with the routing table
  • DWith dynamic routing enabled, anti-spoofing groups are updated automatically whenever there is

How the community answered

(25 responses)
  • A
    12% (3)
  • B
    4% (1)
  • C
    76% (19)
  • D
    8% (2)

Why each option

Anti-spoofing relies on the routing table to determine which source addresses are valid per interface, so keeping them in sync is the core best practice.

AAnti-spoofing is not needed when IPS software blade is enabled

IPS and anti-spoofing are independent security controls - IPS inspects payload threats while anti-spoofing validates source IP reachability, so disabling one does not replace the other.

BIt is more secure to create anti-spoofing groups manually

Manual creation introduces the risk of human error and topology drift, making it less reliable than keeping groups derived from or synchronized with the routing table.

CIt is BEST Practice to have anti-spoofing groups in sync with the routing tableCorrect

Anti-spoofing enforces that traffic arriving on a given interface can only originate from IP ranges reachable via that interface, exactly as defined in the routing table. If the anti-spoofing topology groups do not reflect the routing table, legitimate traffic can be dropped or spoofed traffic can pass. Keeping them synchronized ensures the enforcement logic matches actual network reachability.

DWith dynamic routing enabled, anti-spoofing groups are updated automatically whenever there is

Enabling dynamic routing does not cause anti-spoofing groups to update automatically - an administrator must manually update or reconfigure the topology groups when routing changes occur.

Concept tested: Check Point anti-spoofing topology synchronization with routing

Source: https://support.checkpoint.com/results/sk/sk175557

Topics

#anti-spoofing#routing table#best practices#interface topology

Community Discussion

No community discussion yet for this question.

Full 156-215.80 Practice