topic Re: Proxy ARP on GAIA in Firewall and Security Management

Proxy ARP on GAIA

Harpreet_Singh1 — Tue, 04 Jun 2019 09:19:35 GMT

Hi community, I've tried to google the topic but didn't find the answer.

The question is why it is required to add the entries to the Proxy ARP on GAIA to make the NAT work? Is there a possibility to enable dynamic arp so that no configuration is required to make an public IP reachable?

Thanks, Harpreet S.

Re: Proxy ARP on GAIA

PhoneBoy — Wed, 05 Jun 2019 01:43:21 GMT

If you use Automatic NAT rules, the Proxy ARPs will be created for you.
Manual NAT rules still require proxy ARPs to be created.
In R80.x, automatic ARPs for Manual Source NAT rules can be created but this is not enabled by default.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk114395

Re: Proxy ARP on GAIA

Wolfgang — Wed, 05 Jun 2019 05:58:57 GMT

Harpreet,

ther's another way to add a proxy arp entry to a gateway without configuring via the GAiA portal.

Add a host object with your external IP to your rulebase and configure automatic NAT (static). As NAT-IP use the same external IP, add the relevant gateway and do a policy install. With this host object the gateway adds an proxy arp entry to the the gateway.

Wolfgang

Re: Proxy ARP on GAIA

Harpreet_Singh1 — Wed, 05 Jun 2019 08:36:39 GMT

Thank you. sk114395 answer's what I was after.

Why the feature is not enable by default? For more security?

Re: Proxy ARP on GAIA

Harpreet_Singh1 — Wed, 05 Jun 2019 08:39:25 GMT

We create the specific NAT rules but trying to configure the object will be interesting. Thank you Wolfgang!

Re: Proxy ARP on GAIA

PhoneBoy — Wed, 05 Jun 2019 19:58:14 GMT

It's a change from the default behavior which people are accustomed to, thus why it is not the default.

Re: Proxy ARP on GAIA

Nirvs — Sun, 31 May 2020 19:02:37 GMT

Hi Wolfgang,

How do i validate the proxy arp has been created successfully after the below steps has been ?

Thanks

Nirvs

Re: Proxy ARP on GAIA

Maarten_Sjouw — Mon, 01 Jun 2020 05:48:06 GMT

On the cli of the gateway type: fw clt arp

Re: Proxy ARP on GAIA

CSR — Thu, 11 Feb 2021 10:11:59 GMT

Hi Wolfgang,

Will it work when Gateway external IP and NATED IP are from a different pool ??? I have tried to add the Proxy ARP entries as well but still unable to access the NATTEd server IP.

Please suggest.

Thanks,

CSR

Re: Proxy ARP on GAIA

D_Schimanski — Thu, 11 Feb 2021 10:48:15 GMT

If they are from a different Pool/Subnet you would need to create a route that points to the firewall. ARP is not enough in this case.

Re: Proxy ARP on GAIA

JackPrendergast — Thu, 11 Feb 2021 12:51:24 GMT

No -

You cant arp for a subnet that isnt attached to the actual interface. How would it route?

What are you trying to do?

Re: Proxy ARP on GAIA

Alexander_Grois — Sat, 08 May 2021 02:35:57 GMT

Let say you real external interface IP is 10.10.10.2

Mac address of external interface is 00:AC:00:AC:00:AC

You are trying to use 20.20.20.2 a NAT IP for one of internal hosts.

So your local.arp should look like :

20.20.20.2 00:AC:00:AC:00:AC 10.10.10.2

In GAiA web UI you have a way to configure that

To validate run fw ctl arp

Re: Proxy ARP on GAIA

the_rock — Sat, 08 May 2021 20:52:01 GMT

I know this is an old post, but personally, I see LOTS of customers using manual static nats and we never had to do proxy arp either in clish or web GUI. Its possible this was more needed pre R80, but I dont see if often any more.

Re: Proxy ARP on GAIA

Timothy_Hall — Sun, 09 May 2021 02:09:02 GMT

It depends on where the NAT IP address for manual static NAT comes from.

If they are "plucked" from an directly attached network adjacent to the firewall (such as the "dirty" segment between the firewall's external interface and the Internet perimeter router), a manual static proxy ARP must be created on the firewall. If however the NAT address is taken from a separate subnet that is explicitly routed to the firewall over a transit network (such as the dirty segment) then proxy ARP is not required, as the Internet perimeter router must already have a static route for that separate NAT subnet and will send traffic bound for it directly to the firewall as the next hop.

Re: Proxy ARP on GAIA

the_rock — Sun, 09 May 2021 11:53:40 GMT

Honestly, I never see people having to do this regardless where traffic comes from. Many times, even TAC is confused whether it should be done or not...

Re: Proxy ARP on GAIA

nzmatto — Thu, 24 Jun 2021 05:25:12 GMT

I think I need some help as to 'if' a static ARP is going to be needed, after reading this.
Here's my scenario (IP's and interfaces are made up)
I have a site to site VPN with traffic being both source and destination natted. The destination device 10.100.100.1 is on a valid network segment routed on the inside of the firewall on interface ETH1.

Source device 202.15.15.1 this is source natted to 10.200.200.1
Destination 202.16.16.1 which is destination natted to 10.100.100.1

Traffic arrives to the cluster on interface ETH0. (207.195.233.1 cluster with .4 and .5 for the cluster members. The point to point VPN is operational and traffic is flowing - most of the time.
My actual issue relates to the VPN not re-establishing when the cluster fails over to the secondary member. It has been suggested that proxy ARP entries are created as it might help.
So my configuration would be:
add arp proxy ipv4-address 10.100.100.1 interface ETH0 real ipv4-address 207.195.233.4 (on member 1, and .5 on member 2).

Two questions then.
1) do I have the configuration line correct in terms of the IP addresses to achieve the desired result, adding the natted destination address?
2) As the 10.100.100.1 network is valid and routed is the proxy arp actually needed?
Thanks Matt

Re: Proxy ARP on GAIA

PhoneBoy — Thu, 24 Jun 2021 15:12:00 GMT

ARP (proxy or otherwise) can only be configured for IP addresses on the same subnet.
Therefore, you can only do a proxy arp (meaning the gateway will respond to ARP requests for this IP address) if the address in question is on the same subnet as one of the firewall interfaces.
Also, proxy arps in general are created automatically by the gateway when NAT rules are created.
One almost never has to actually create these anymore.

What you're describing sounds like an issue where other devices on the same subnet don't know which member currently has the VIP.
That sounds like issues related to gratuitous ARP: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk120495
We send these by default on failover, but it sounds like other things on the network aren't updating their ARP tables in response (as they should).

Re: Proxy ARP on GAIA

nzmatto — Thu, 24 Jun 2021 21:52:03 GMT

Thank you for that most excellent response! I do think the issue is tied to GARP, though have been looking into all suggestions. I think I shall proceed through resolving the GARP issue first as opposed to doing both.