- Products
- Learn
- Local User Groups
- Partners
- More
On-Premise SD-WAN Management
Register HereWhat's New in R82.10?
Watch Here AI Security Masters E8:
Claude Mythos: New Era in Cyber Security
CheckMates Go:
The Moment Before
Hi All
We had an issues yesterday whereby we created a static NAT on the object but it didnt work.
We found that we needed to manually put the proxy arp entry on the gateway.
We have the global properties set to automatic arp configuration and merge manual proxy arp configuration set.
I thought that when doing automatic rules such as on the object you dont need to add it manually on the gateway? why would this not have worked ?
Cheers
The automatic static NAT rule adds the proxy arp during policy install and as long as there are no typos then the expected behaviour is that the gateway/cluster 'takes responsibility' for the static NAT IP address. Meaning that it replies to the ARP WHO HAS with the interface in the relevant subnet.
If you double checked everything, which I am sure you did, and maybe some packet captures to see the behaviours on the network (looking for ARP WHO HAS and ARP IS AT), then it may be a problem with the software (bug).
The fact that it worked with a Gaia level proxy arp seems to point to a software of config error.
Sounds like one for TAC if you have done all the checks.
Automatic static NAT rules should add a proxy arp entry into the kernel running config.
The command to check it on the gateway/s after the policy installation is:
fw ctl arp
Was it a Host object and a standard configuration? Meaning nothing complicated, just a normal host static NAT.
Hi, yes it was a host object with the static NAT config applied, it only seemed to work if we added the manual proxy arp entry on Gaia.
If i removed the manual proxy arp entry and typed fw ctl arp, it was actually showing in there
Did you install policy after making the change?
Was the mac-address the expected one for the given cluster member?
Hi Chris, yes and yes
Hey Carl,
I would agree with Don on this one. If you checked everything, TAC case sounds like the best idea at this point.
The automatic static NAT rule adds the proxy arp during policy install and as long as there are no typos then the expected behaviour is that the gateway/cluster 'takes responsibility' for the static NAT IP address. Meaning that it replies to the ARP WHO HAS with the interface in the relevant subnet.
If you double checked everything, which I am sure you did, and maybe some packet captures to see the behaviours on the network (looking for ARP WHO HAS and ARP IS AT), then it may be a problem with the software (bug).
The fact that it worked with a Gaia level proxy arp seems to point to a software of config error.
Sounds like one for TAC if you have done all the checks.
share screenshot to make sure no mistakes are made from the host object
Leaderboard
Epsum factorial non deposit quid pro quo hic escorol.
| User | Count |
|---|---|
| 12 | |
| 10 | |
| 9 | |
| 7 | |
| 4 | |
| 4 | |
| 3 | |
| 3 | |
| 3 | |
| 3 |
Thu 09 Jul 2026 @ 10:00 AM (CEST)
Schutz souveräner Workloads: Check Point & die AWS European Sovereign CloudThu 09 Jul 2026 @ 11:00 AM (CEST)
The Cloud Architects Series: Check Point Edge Protection SD-WAN & SASEThu 09 Jul 2026 @ 11:00 AM (EDT)
Tips and Tricks 2026 #9 - What's New with Check Point Email SecurityFri 10 Jul 2026 @ 11:00 AM (IDT)
CheckMates Live Netherlands - Sessie 48: Nieuwe Check Point Workspace SecurityTue 14 Jul 2026 @ 10:00 AM (PDT)
AI Security Masters E11: READY OR NOT: Securing the AI Enterprise 3/5 - AI Workforce SecurityThu 09 Jul 2026 @ 11:00 AM (EDT)
Tips and Tricks 2026 #9 - What's New with Check Point Email SecurityFri 10 Jul 2026 @ 11:00 AM (IDT)
CheckMates Live Netherlands - Sessie 48: Nieuwe Check Point Workspace SecurityTue 14 Jul 2026 @ 10:00 AM (PDT)
AI Security Masters E11: READY OR NOT: Securing the AI Enterprise 3/5 - AI Workforce SecurityThu 30 Jul 2026 @ 10:00 AM (PDT)
AI Security Masters E12: READY OR NOT: Securing the AI Enterprise 4/5 - AI GatewayThu 20 Aug 2026 @ 10:00 AM (PDT)
AI Security Masters E13: READY OR NOT: Securing the AI Ent 5/5 - AI Research & Threat LandscapeAbout CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY