https://community.checkpoint.com/t5/Firewall-and-Security-Management/Check-Point-firewall-entries-in-Cisco-ARP-table/m-p/104384#M8247 <P>ClusterXL uses the same MAC unless you tell it to use a vMAC, VRRP however by default uses a vMAC, which type is defined by the command you add your VIP addresses with.</P> <P>These are the options to set the vMAC per VIP:</P> <TABLE class="tableintopic" border="1" width="606" cellspacing="0" cellpadding="2"> <TBODY> <TR align="left" valign="top"> <TD width="156"> <P class="tablebodytext"><CODE class="monospace">vmac-mode</CODE></P> </TD> <TD width="450"> <P class="tablebodytext"><STRONG class="menuoptions">VRRP</STRONG><SPAN>&nbsp;</SPAN>- Sets the VMAC to the format outlined in the VRRP protocol specification RFC 3768. It is automatically set to the same value on all Security Gateways in a Virtual Router. This is the default.</P> <P class="tablebodytext"><STRONG class="menuoptions">Interfac</STRONG>e - Sets the VMAC to the local interface MAC address. If you define this mode for the master and the backup, the VMAC is different for each. VRRP IP addresses are related to different VMACs because they are dependent on the physical interface MAC address of the current master.</P> <P class="tablebodytext"><STRONG class="menuoptions">Static</STRONG><SPAN>&nbsp;</SPAN>- Manually set the VMAC address. Enter the VMAC address after the<SPAN>&nbsp;</SPAN><CODE class="monospace">static-mac</CODE><SPAN>&nbsp;</SPAN>keyword.</P> <P class="listcontinue"><STRONG class="bold">Note</STRONG><SPAN>&nbsp;</SPAN>- If you configure different VMACs on the master and backup, you must make sure that you select the correct proxy ARP setting for NAT.</P> <P class="tablebodytext"><STRONG class="menuoptions">Extended</STRONG><SPAN>&nbsp;</SPAN>- Gaia dynamically calculates and adds three bytes to the interface MAC address to generate more random address. If you select this mode, Gaia constructs the same MAC address for master and backups in the Virtual Router.</P> <P class="listcontinue"><STRONG class="bold">Note</STRONG><SPAN>&nbsp;</SPAN>- If you set the VMAC mode to Interface or Static, syslog error messages show when you restart the computer or during failover. This is caused by duplicate IP addresses for the master and backup. This is expected behavior because the master and backups temporarily use the same virtual IP address until they get master and backup status.</P> </TD> </TR> </TBODY> </TABLE> <P>So it looks like your VRRP VIP for this interface has been set with the option vmac-mode interface.</P> <P>in clish do:</P> <P>show configuration mcvr</P> <P>This will show you all VIP commands.</P> <P>&nbsp;</P> Sun, 06 Dec 2020 06:57:48 GMT Maarten_Sjouw 2020-12-06T06:57:48Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Check-Point-firewall-entries-in-Cisco-ARP-table/m-p/104382#M8245 <P>Hi everyone</P><P>&nbsp;</P><P>This is probably a simple one so apologies in advance. I have a Check Point 5800 HA cluster in a Data Centre and following some work on a Cisco Nexus, looked at the ARP table and saw the following for my firewalls:</P><P>&nbsp;</P><P>Internet 19.23.13.140 0 001c.7f81.0908 ARPA GigabitEthernet0/0/0 (CP VRRP)<BR />Internet 19.23.13.141 0 001c.7f81.13a8 ARPA GigabitEthernet0/0/0 (CP 1 interface)<BR />Internet 19.23.13.142 0 001c.7f81.0908 ARPA GigabitEthernet0/0/0 (CP 2 interface)</P><P>&nbsp;</P><P>Can someone tell me why CP2 MAC address is the same as CP VRRP? I was thinking that CP2 is acting as the master but would appreciate if this could be confirmed.</P><P>&nbsp;</P><P>Many thanks</P><P>&nbsp;</P><P>&nbsp;</P> Sun, 06 Dec 2020 03:11:24 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Check-Point-firewall-entries-in-Cisco-ARP-table/m-p/104382#M8245 ziggurat 2020-12-06T03:11:24Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Check-Point-firewall-entries-in-Cisco-ARP-table/m-p/104383#M8246 <P>Depending on the configuration that seems…plausible.</P> Sun, 06 Dec 2020 05:00:42 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Check-Point-firewall-entries-in-Cisco-ARP-table/m-p/104383#M8246 PhoneBoy 2020-12-06T05:00:42Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Check-Point-firewall-entries-in-Cisco-ARP-table/m-p/104384#M8247 <P>ClusterXL uses the same MAC unless you tell it to use a vMAC, VRRP however by default uses a vMAC, which type is defined by the command you add your VIP addresses with.</P> <P>These are the options to set the vMAC per VIP:</P> <TABLE class="tableintopic" border="1" width="606" cellspacing="0" cellpadding="2"> <TBODY> <TR align="left" valign="top"> <TD width="156"> <P class="tablebodytext"><CODE class="monospace">vmac-mode</CODE></P> </TD> <TD width="450"> <P class="tablebodytext"><STRONG class="menuoptions">VRRP</STRONG><SPAN>&nbsp;</SPAN>- Sets the VMAC to the format outlined in the VRRP protocol specification RFC 3768. It is automatically set to the same value on all Security Gateways in a Virtual Router. This is the default.</P> <P class="tablebodytext"><STRONG class="menuoptions">Interfac</STRONG>e - Sets the VMAC to the local interface MAC address. If you define this mode for the master and the backup, the VMAC is different for each. VRRP IP addresses are related to different VMACs because they are dependent on the physical interface MAC address of the current master.</P> <P class="tablebodytext"><STRONG class="menuoptions">Static</STRONG><SPAN>&nbsp;</SPAN>- Manually set the VMAC address. Enter the VMAC address after the<SPAN>&nbsp;</SPAN><CODE class="monospace">static-mac</CODE><SPAN>&nbsp;</SPAN>keyword.</P> <P class="listcontinue"><STRONG class="bold">Note</STRONG><SPAN>&nbsp;</SPAN>- If you configure different VMACs on the master and backup, you must make sure that you select the correct proxy ARP setting for NAT.</P> <P class="tablebodytext"><STRONG class="menuoptions">Extended</STRONG><SPAN>&nbsp;</SPAN>- Gaia dynamically calculates and adds three bytes to the interface MAC address to generate more random address. If you select this mode, Gaia constructs the same MAC address for master and backups in the Virtual Router.</P> <P class="listcontinue"><STRONG class="bold">Note</STRONG><SPAN>&nbsp;</SPAN>- If you set the VMAC mode to Interface or Static, syslog error messages show when you restart the computer or during failover. This is caused by duplicate IP addresses for the master and backup. This is expected behavior because the master and backups temporarily use the same virtual IP address until they get master and backup status.</P> </TD> </TR> </TBODY> </TABLE> <P>So it looks like your VRRP VIP for this interface has been set with the option vmac-mode interface.</P> <P>in clish do:</P> <P>show configuration mcvr</P> <P>This will show you all VIP commands.</P> <P>&nbsp;</P> Sun, 06 Dec 2020 06:57:48 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Check-Point-firewall-entries-in-Cisco-ARP-table/m-p/104384#M8247 Maarten_Sjouw 2020-12-06T06:57:48Z