topic Re: configure Proxy Arp on VSX cluster firewall in Firewall and Security Management

configure Proxy Arp on VSX cluster firewall

Nilesh_Sonkusa1 — Tue, 11 Jun 2019 15:15:23 GMT

Hi Team ,

Can someone explain me how to configure Proxy Arp for Static NAT Public IP on R80.10 VSX Cluster firewall .My Cluster is active passive mode .I am go through SK30197 but not understand .

Re: configure Proxy Arp on VSX cluster firewall

Maarten_Sjouw — Tue, 11 Jun 2019 15:43:10 GMT

First thing you need to know is the mac address that is connected to the correct interface, you can find that by entering in expert mode (lets say you are working on VS5:
vsenv 5
cphaprob stat
ifconfig
From the last find the correct interface that belongs to the IP from the same network/subnet you want to add the proxy arp for.
Now go back to clish and enter the following commands:
set virtual-system 5
add arp proxy ipv4-address 10.10.10.20 macaddress 00:xx:xx:xx:xx:xx real-ipv4-address 10.10.10.1
Where 10.10.10.20 is the NAT IP you added and 10.10.10.1 is the IP on the interface. Once added push policy, but before you do, do not forget to check that the global NAT properties, 'merge manual proxy ARP configuration' is ticked.
Now check to see if it all works properly with:
fw ctl arp

Re: configure Proxy Arp on VSX cluster firewall

Wolfgang — Tue, 11 Jun 2019 17:31:26 GMT

Nilesh,

ther's another way to add a proxy arp entry to a gateway without configuring via the GAiA portal or close.

Add a host object with your external IP to your rulebase and configure automatic NAT (static). As NAT-IP use the same external IP, add the relevant gateway and do a policy install. With this host object the gateway adds an proxy arp entry to the the gateway.

Wolfgang

Re: configure Proxy Arp on VSX cluster firewall

Clive_Overton-F — Tue, 28 Jan 2020 05:57:31 GMT

I am virtualizing a HA Cluster to a VSX Cluster and have been reading some documentation regarding PROXY ARP and VSX . One thing I would like to discuss is the relation between a proxy arp entry in clish and the local.arp file. I have to understand this better so that I can configure this in the new VSX enviroment.

This is taken from a normal HA cluster not a VSX!

local.arp - 193.45.59.11 00:1c:7f:63:e8:76 193.45.95.20

--------------------------------------------------------------------------------------------------

clish - add arp proxy ipv4-address 193.45.59.11 interface bond1 real-ipv4-address 193.45.95.20

If I have understood this post correctly I only have to add proxy arp on the vs and nothing in the local.arp file?

Sincerely

Clive Overton-Fox

Re: configure Proxy Arp on VSX cluster firewall

Maarten_Sjouw — Tue, 04 Feb 2020 21:12:01 GMT

Clish commands overwrite the files in the background, like the add arp proxy will add an entry to local.arp
The main advantage of using clish instead of editing local files is that show configuration will show you that information without you needing to get into those pesky files.
Same goes for cronjobs, add cron in clish will add a line to crontab and you will see with crontab -l that the command you added in clish is properly added to the crontab.
Also in some companies you're not allowed to go into expert mode, thus making the access to local.arp very difficult.

Re: configure Proxy Arp on VSX cluster firewall

genisis__ — Mon, 30 May 2022 21:07:49 GMT

I tried this and it did not work, I ended up creating a local.arp file on the VS, I used SK30197 as reference. This was done on a R80.40 VSX cluster.

Re: configure Proxy Arp on VSX cluster firewall

Bob_Zimmerman — Tue, 31 May 2022 19:00:10 GMT

With VSX, you must use clish to configure proxy ARP entries for VS0 (this isn't common, but it is technically possible), and you must use local.arp for proxy ARP entries for any VS other than 0.

Re: configure Proxy Arp on VSX cluster firewall

genisis__ — Tue, 31 May 2022 19:30:47 GMT

Thanks Bob - I confirmed this with TAC today as well, I think Checkpoint should improve on this so that clish commands for proxy arp entries should also work on specific VS's (the commands are accepted).

Re: configure Proxy Arp on VSX cluster firewall

Bob_Zimmerman — Wed, 01 Jun 2022 15:13:17 GMT

I'm the other way around. I can't stand clish, and would love to go back to local.arp for all proxy ARP entries on all VSs and on non-VSX firewalls.

Re: configure Proxy Arp on VSX cluster firewall

Matlu — Thu, 20 Nov 2025 14:48:50 GMT

Hello @Bob_Zimmerman
In a VSX cluster in VSLS mode, when you add an entry in local.arp, does it have to be done on both members of the cluster?
Thank you.

Re: configure Proxy Arp on VSX cluster firewall

Wolfgang — Thu, 20 Nov 2025 15:05:03 GMT

@Matlu yes, you have to change this on all cluster members. But you can configure "proxy arp" from Smartconsole following

Add a host object with your needed proxy arp IP to your rulebase and configure automatic NAT (static). As NAT-IP use the same external IP, add the relevant gateway and do a policy install. With this host object the gateway adds an proxy arp entry to the gateway. You can check this with "fw ctl arp" on the gateway. If the "Install on gateway" is a cluster the entry is changed on all members.

Re: configure Proxy Arp on VSX cluster firewall

Matlu — Thu, 20 Nov 2025 15:55:31 GMT

Hello,

I have “encountered” a reality that differs from “best practices” in this legacy architecture.
The VS does not have any PROXY ARP entries configured with the command:
add arp proxy ipv4-address 1.2.3.4 macaddress 00:xx:xx:xx:xx:xx real-ipv4-address 190.90.90.90
And they haven't used the option to use an object from the SmartConsole either.
The only thing that makes sense is that they were previously creating PROXY ARP entries but editing the VS local.arp file.

This also works fine, right?
I mean modifying the local.arp file from the CLI.

Re: configure Proxy Arp on VSX cluster firewall

Wolfgang — Thu, 20 Nov 2025 16:07:33 GMT

Sure @Matlu modifying local.arp in context of the VS will work, see sk30197 - Configuring Proxy ARP for Manual NAT section "Procedure for the Traditional VSX mode - context of any Virtual System, other than VS0 (VSX itself)"

Re: configure Proxy Arp on VSX cluster firewall

genisis__ — Thu, 20 Nov 2025 20:38:25 GMT

One thing to note, ensure you use the mac of the virtual interface in the VS if its the interface leading to the internet, so in affect the mac used on both nodes is the same (I've done this in R82 and it works fine)