topic Re: Maestro + VSX - Proxy ARP behavior when using Automatic NAT in Hyperscale Firewall (Maestro)

Maestro + VSX - Proxy ARP behavior when using Automatic NAT

OriN — Tue, 10 Mar 2026 17:04:55 GMT

Hello,

I'm working in a Check Point environment that uses VSX running on Maestro, and I have a question regarding Automatic NAT and Proxy ARP behavior.

When creating an object in SmartConsole, there is an option to enable Automatic NAT and select "Hide behind IP address", which automatically creates the NAT rule.

However, after enabling this option, when I check the Proxy ARP table on the gateway, I do not see any entry for the NAT IP.

Should Proxy ARP be created automatically when using Automatic NAT with "Hide behind IP address"?

Or do I need to configure Proxy ARP manually for these addresses?

Does the behavior change in VSX environments or when using Maestro?

Any clarification or official documentation references would be appreciated.

Thank you.

Re: Maestro + VSX - Proxy ARP behavior when using Automatic NAT

Lesley — Tue, 10 Mar 2026 17:35:41 GMT

Hide behind IP address is what I suspect the IP of the firewall itself, so then you do not need to proxy arp because the firewall ''owns'' this IP.

If you want you create proxy arp there is a special procedure for VSX + Maestro. You have to change this in gclish and in the correct VS. (Not vs0). After that the arp file will only be on the SMO and needs to be copied to the other gateways in the sec group.

These steps you can find here, check this https://support.checkpoint.com/results/sk/sk30197

Under section:

Procedures

Procedure for Scalable Platforms (Maestro / Scalable Chassis / ElasticXL)

Re: Maestro + VSX - Proxy ARP behavior when using Automatic NAT

emmap — Wed, 11 Mar 2026 00:08:18 GMT

If the IP that you're NAT'ing behind is not the gateway itself but is an IP from a directly connected subnet then you should see it when you move to that VS context and look at 'fw ctl arp'. yes.

Re: Maestro + VSX - Proxy ARP behavior when using Automatic NAT

OriN — Wed, 11 Mar 2026 12:33:21 GMT

As shown in the screenshots I attached:

The object is created with Automatic NAT ("Hide behind IP address").

The automatic NAT rule is created in the policy.

I switched to the relevant VS context and ran "fw ctl arp".

However, the "fw ctl arp" output does not show any entry for the NAT IP.

Am I missing any additional step, or should the Proxy ARP entry be created automatically in this case?

Re: Maestro + VSX - Proxy ARP behavior when using Automatic NAT

Chris_Atkinson — Wed, 11 Mar 2026 13:29:29 GMT

Have you installed policy after configuring the NAT?

Re: Maestro + VSX - Proxy ARP behavior when using Automatic NAT

OriN — Wed, 11 Mar 2026 13:49:11 GMT

Yes, the policy was installed after configuring the NAT.

The screenshots were taken after the policy installation, and I also switched to the relevant VS context before running "fw ctl arp".

Re: Maestro + VSX - Proxy ARP behavior when using Automatic NAT

emmap — Thu, 12 Mar 2026 01:37:49 GMT

Is the IP you are NAT'ing behind in the same subnet as one of the gateway's interface IPs?

Re: Maestro + VSX - Proxy ARP behavior when using Automatic NAT

Wolfgang — Thu, 12 Mar 2026 07:28:07 GMT

As @emmap wrote... If the NAT'ing IP is not in the same subnet as the interfaces IP there is no need for a proxy ARP entry. The packets are sent with the NAT'ing IP as source and if the answer get routed back to your gateway they are doing NAT to the real IP. No need for proxy, only NAT and routing.

Re: Maestro + VSX - Proxy ARP behavior when using Automatic NAT

OriN — Thu, 12 Mar 2026 09:19:23 GMT

No, the IP I'm NAT'ing behind is not in the same subnet as any of the gateway interface IPs.

However, I also tested using an IP from the same subnet as one of the gateway interfaces, and the output still did not show any entry for that IP.

Re: Maestro + VSX - Proxy ARP behavior when using Automatic NAT

Chris_Atkinson — Thu, 12 Mar 2026 11:02:13 GMT

In this case we rely on routing for packets to arrive to the firewall not proxy-ARP.

Re: Maestro + VSX - Proxy ARP behavior when using Automatic NAT

OriN — Thu, 12 Mar 2026 11:02:43 GMT

I initially misunderstood your answer, but now I understand what you meant.
Thanks.

Re: Maestro + VSX - Proxy ARP behavior when using Automatic NAT

emmap — Fri, 13 Mar 2026 10:37:52 GMT

OK yea, if the IP is not part of an interface subnet it definitely won't proxy ARP, as it wouldn't be a valid configuration. If the NAT IP is part of the interface subnet and it's not there after you install policy then.. not sure, would have to investigate more.