topic Re: Proxy arp issue - automatic NAT rule in General Topics

Proxy arp issue - automatic NAT rule

carl_t — Thu, 30 Oct 2025 08:11:34 GMT

Hi All

We had an issues yesterday whereby we created a static NAT on the object but it didnt work.

We found that we needed to manually put the proxy arp entry on the gateway.

We have the global properties set to automatic arp configuration and merge manual proxy arp configuration set.

I thought that when doing automatic rules such as on the object you dont need to add it manually on the gateway? why would this not have worked ?

Cheers

Re: Proxy arp issue - automatic NAT rule

Don_Paterson — Thu, 30 Oct 2025 08:25:50 GMT

Automatic static NAT rules should add a proxy arp entry into the kernel running config.

The command to check it on the gateway/s after the policy installation is:

fw ctl arp

Was it a Host object and a standard configuration? Meaning nothing complicated, just a normal host static NAT.

Re: Proxy arp issue - automatic NAT rule

carl_t — Thu, 30 Oct 2025 08:28:56 GMT

Hi, yes it was a host object with the static NAT config applied, it only seemed to work if we added the manual proxy arp entry on Gaia.

If i removed the manual proxy arp entry and typed fw ctl arp, it was actually showing in there

Re: Proxy arp issue - automatic NAT rule

Chris_Atkinson — Thu, 30 Oct 2025 08:36:35 GMT

Did you install policy after making the change?

Was the mac-address the expected one for the given cluster member?

Re: Proxy arp issue - automatic NAT rule

carl_t — Thu, 30 Oct 2025 08:53:15 GMT

Hi Chris, yes and yes

Re: Proxy arp issue - automatic NAT rule

Don_Paterson — Thu, 30 Oct 2025 08:57:33 GMT

The automatic static NAT rule adds the proxy arp during policy install and as long as there are no typos then the expected behaviour is that the gateway/cluster 'takes responsibility' for the static NAT IP address. Meaning that it replies to the ARP WHO HAS with the interface in the relevant subnet.

If you double checked everything, which I am sure you did, and maybe some packet captures to see the behaviours on the network (looking for ARP WHO HAS and ARP IS AT), then it may be a problem with the software (bug).

The fact that it worked with a Gaia level proxy arp seems to point to a software of config error.

Sounds like one for TAC if you have done all the checks.

Re: Proxy arp issue - automatic NAT rule

Lesley — Thu, 30 Oct 2025 20:11:38 GMT

share screenshot to make sure no mistakes are made from the host object

Re: Proxy arp issue - automatic NAT rule

the_rock — Thu, 30 Oct 2025 23:06:26 GMT

Hey Carl,

I would agree with Don on this one. If you checked everything, TAC case sounds like the best idea at this point.