Hi all
We are about to do a migration / DC refresh and our current environment has NAT deployed by way of manual rules and amendment of the local.arp file per VS on a VSX cluster. This is fine, but as time goes on and as house-keeping gets forgotten about we need to log into every VS to check the local.arp file to make sure that an address is definitely not in use.
In what situations should I use an automatic NAT object vs using manual NAT and the local.arp file?
Thanks
I’d use manual NAT where an automatic NAT doesn’t cut it (more complex, conditional scenarios, or involving dynamic/updatable objects)
Automatic NAT for everything else.
I would build with link networks and then route all the public IP ranges into the VS so there is no need for local.arp entries.
Definitely my preferred path, especially since it allows you to use the full address block. The old broadcast and new broadcast addresses (.0 and .255 in a /24) are only special in a broadcast domain. If it's not on an interface, it doesn't necessarily correspond to any broadcast domain, so you can use both for traffic endpoints. Matters a lot more for smaller blocks. In a /29, for example, it takes you from six usable addresses to eight.
I get that it would be good to be able to use the whole range and route to the NATs rather than be on-link with them, but we are handed a public network from our ISP and they have 3 of those addresses, one of which is our default gateway. I didn't realise that you don't need the local.arp file if the NATs are not on-link though, so that's good. We do have a range at a site set up like this, so I'll keep that in mind for the next NAT, which is just about to be set up, funnily enough!
Thanks for the feedback all.
I frequently come across deployments where manual NAT has been used with proxy ARP, which can invariably lead to trickiness when the version or hardware is replaced.
In those cases I usually create dummy objects which have automatic Hide NAT which creates interface proxy ARPs automatically without the need for external files or configs. These can be scripted in the Mgmt CLI as well, e.g.
add host name NAT_Dummy_30 ipv4-address 192.0.0.30 nat-settings.auto-rule true nat-settings.method hide nat-settings.hide-behind ip-address nat-settings.ipv4-address 8x.x.x.30 nat-settings.install-on ClusterName
Note that if you ever migrate your NAT interface, you MUST update the interface definitions in the firewall object topology. Unlike cluster IPs, which are based on the subnet ID, proxy ARP uses the interface NAME. On clusters, make sure you update the interface name on both Members in the topology Advanced section!
Thanks
Jamie
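To tie the two halves of the thread together (auditing local.arp entries per VS, and replacing them with dummy hosts that carry automatic Hide NAT), here is an added shell example that is not from the thread or from Check Point. It checks whether an address still has an active local.arp entry and prints the corresponding mgmt_cli `add host` command for each entry; the file contents, MAC, object names and cluster name are constructed, and the commands are printed rather than executed.

```shell
#!/bin/sh
# Added example (not from the thread). local.arp lines have the form
# "<public IP> <MAC of the external interface>"; '#' lines are comments.
# The sample below is constructed for illustration.
SAMPLE_LOCAL_ARP='198.51.100.30 00:1c:7f:00:00:01
198.51.100.31 00:1c:7f:00:00:01
# 198.51.100.32 00:1c:7f:00:00:01 (retired entry, ignored)'

# arp_in_use FILE IP -> returns 0 if IP has an active (uncommented) entry
arp_in_use() {
    grep -v '^[[:space:]]*#' "$1" \
      | awk -v ip="$2" '$1 == ip { found = 1 } END { exit found ? 0 : 1 }'
}

# gen_add_host IP CLUSTER -> prints a mgmt_cli command creating a dummy host
# (hypothetical 192.0.0.x placeholder address, last octet copied from the
# public IP) whose automatic Hide NAT sits behind the public IP, so the
# gateway generates the proxy ARP itself and no local.arp entry is needed.
gen_add_host() {
    ip="$1"; cluster="$2"; last="${ip##*.}"
    printf 'mgmt_cli add host name NAT_Dummy_%s ipv4-address 192.0.0.%s' \
        "$last" "$last"
    printf ' nat-settings.auto-rule true nat-settings.method hide'
    printf ' nat-settings.hide-behind ip-address nat-settings.ipv4-address %s' \
        "$ip"
    printf ' nat-settings.install-on %s\n' "$cluster"
}

# migrate_local_arp FILE CLUSTER -> one add-host command per active entry
migrate_local_arp() {
    grep -v '^[[:space:]]*#' "$1" | awk 'NF >= 2 { print $1 }' \
      | while read -r ip; do gen_add_host "$ip" "$2"; done
}

# Stand-alone demo: write the constructed sample to a temp file and audit it.
demo_file="$(mktemp)"
printf '%s\n' "$SAMPLE_LOCAL_ARP" > "$demo_file"
if arp_in_use "$demo_file" 198.51.100.30; then echo "198.51.100.30 still in use"; fi
if ! arp_in_use "$demo_file" 198.51.100.32; then echo "198.51.100.32 free"; fi
migrate_local_arp "$demo_file" "ClusterName"
rm -f "$demo_file"
```

Run the printed commands inside a logged-in `mgmt_cli` session (followed by `mgmt_cli publish`) once you have confirmed each address is really meant to stay NATed, and on VSX repeat the audit in every VS context, since each VS keeps its own local.arp.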