This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
carl_t
Contributor
‎2025-10-30 01:11 AM
Jump to solution

Proxy arp issue - automatic NAT rule

Hi All

We had an issues yesterday whereby we created a static NAT on the object but it didnt work.

We found that we needed to manually put the proxy arp entry on the gateway.

We have the global properties set to automatic arp configuration and merge manual proxy arp configuration set.

I thought that when doing automatic rules such as on the object you dont need to add it manually on the gateway? why would this not have worked ?

Cheers

0 Kudos
1 Solution

Accepted Solutions
Don_Paterson
MVP Gold
MVP Gold
‎2025-10-30 01:57 AM
In response to carl_t
Jump to solution

The automatic static NAT rule adds the proxy arp during policy install and as long as there are no typos then the expected behaviour is that the gateway/cluster 'takes responsibility' for the static NAT IP address. Meaning that it replies to the ARP WHO HAS with the interface in the relevant subnet.

If you double checked everything, which I am sure you did, and maybe some packet captures to see the behaviours on the network (looking for ARP WHO HAS and ARP IS AT), then it may be a problem with the software (bug).

The fact that it worked with a Gaia level proxy arp seems to point to a software of config error.

Sounds like one for TAC if you have done all the checks.

View solution in original post

7 Replies
Don_Paterson
MVP Gold
MVP Gold
‎2025-10-30 01:25 AM
Jump to solution

Automatic static NAT rules should add a proxy arp entry into the kernel running config. 

The command to check it on the gateway/s after the policy installation is:

fw ctl arp

Was it a Host object and a standard configuration? Meaning nothing complicated, just a normal host static NAT.

0 Kudos
carl_t
Contributor
‎2025-10-30 01:28 AM
In response to Don_Paterson
Jump to solution

Hi, yes it was a host object with the static NAT config applied, it only seemed to work if we added the manual proxy arp entry on Gaia.

If i removed the manual proxy arp entry and typed fw ctl arp, it was actually showing in there

0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2025-10-30 01:36 AM
In response to carl_t
Jump to solution

Did you install policy after making the change?

Was the mac-address the expected one for the given cluster member?

CCSM R77/R80/ELITE
0 Kudos
carl_t
Contributor
‎2025-10-30 01:53 AM
In response to Chris_Atkinson
Jump to solution

Hi Chris, yes and yes

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-10-30 04:06 PM
In response to carl_t
Jump to solution

Hey Carl,

I would agree with Don on this one. If you checked everything, TAC case sounds like the best idea at this point.

Best,
Andy
0 Kudos
Don_Paterson
MVP Gold
MVP Gold
‎2025-10-30 01:57 AM
In response to carl_t
Jump to solution

The automatic static NAT rule adds the proxy arp during policy install and as long as there are no typos then the expected behaviour is that the gateway/cluster 'takes responsibility' for the static NAT IP address. Meaning that it replies to the ARP WHO HAS with the interface in the relevant subnet.

If you double checked everything, which I am sure you did, and maybe some packet captures to see the behaviours on the network (looking for ARP WHO HAS and ARP IS AT), then it may be a problem with the software (bug).

The fact that it worked with a Gaia level proxy arp seems to point to a software of config error.

Sounds like one for TAC if you have done all the checks.

Lesley
MVP Gold
MVP Gold
‎2025-10-30 01:11 PM
Jump to solution

share screenshot to make sure no mistakes are made from the host object

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events