OriN
Participant

Maestro + VSX - Proxy ARP behavior when using Automatic NAT

Hello,

I'm working in a Check Point environment that uses VSX running on Maestro, and I have a question regarding Automatic NAT and Proxy ARP behavior.

When creating an object in SmartConsole, there is an option to enable Automatic NAT and select "Hide behind IP address", which automatically creates the NAT rule.

However, after enabling this option, when I check the Proxy ARP table on the gateway, I do not see any entry for the NAT IP.

Should Proxy ARP be created automatically when using Automatic NAT with "Hide behind IP address"?

Or do I need to configure Proxy ARP manually for these addresses?

Does the behavior change in VSX environments or when using Maestro?

Any clarification or official documentation references would be appreciated.

Thank you.


11 Replies
Lesley
MVP Gold

"Hide behind IP address" is, I suspect, the IP of the firewall itself, so you do not need proxy ARP because the firewall "owns" this IP.

If you want to create proxy ARP, there is a special procedure for VSX + Maestro. You have to change this in gclish and in the correct VS (not VS0). After that the ARP file will only be on the SMO and needs to be copied to the other gateways in the Security Group.

You can find these steps in sk30197, under the "Procedures" section: https://support.checkpoint.com/results/sk/sk30197

emmap
MVP Gold CHKP

Yes. If the IP that you're NAT'ing behind is not the gateway itself but is an IP from a directly connected subnet, then you should see it when you move to that VS context and look at 'fw ctl arp'.

OriN
Participant

As shown in the screenshots I attached:

The object is created with Automatic NAT ("Hide behind IP address").

The automatic NAT rule is created in the policy.

I switched to the relevant VS context and ran "fw ctl arp".

However, the "fw ctl arp" output does not show any entry for the NAT IP.

Am I missing any additional step, or should the Proxy ARP entry be created automatically in this case?

Chris_Atkinson
MVP Platinum CHKP

Have you installed policy after configuring the NAT?

CCSM R77/R80/ELITE
OriN
Participant

Yes, the policy was installed after configuring the NAT.

The screenshots were taken after the policy installation, and I also switched to the relevant VS context before running "fw ctl arp".

emmap
MVP Gold CHKP

Is the IP you are NAT'ing behind in the same subnet as one of the gateway's interface IPs?

Wolfgang
MVP Gold
(Accepted solution)

As @emmap wrote... If the NAT'ing IP is not in the same subnet as the interface's IP, there is no need for a proxy ARP entry. The packets are sent with the NAT'ing IP as source, and if the answers get routed back to your gateway, it NATs them back to the real IP. No need for proxy ARP, only NAT and routing.

OriN
Participant

I initially misunderstood your answer, but now I understand what you meant.
Thanks.

OriN
Participant

No, the IP I'm NAT'ing behind is not in the same subnet as any of the gateway interface IPs.

However, I also tested using an IP from the same subnet as one of the gateway interfaces, and the output still did not show any entry for that IP.

Chris_Atkinson
MVP Platinum CHKP

In this case we rely on routing for packets to arrive to the firewall not proxy-ARP.

CCSM R77/R80/ELITE
emmap
MVP Gold CHKP

OK, yeah, if the IP is not part of an interface subnet it definitely won't proxy ARP, as that wouldn't be a valid configuration. If the NAT IP is part of the interface subnet and it's not there after you install policy, then... not sure, I would have to investigate more.

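The rule the thread converges on (Lesley's, Wolfgang's and emmap's replies above) can be turned into a quick check. The Python below is an added example, not Check Point's code and not something posted in this thread: it classifies each hide-NAT address against a VS's interface table into "owned" (an interface IP, the gateway answers ARP itself), "proxy" (inside a directly connected subnet but not an interface IP, so neighbours will ARP for it and a proxy ARP entry is required) and "routed" (outside every connected subnet, so only routing and the NAT rule matter), and then compares the "proxy" ones against a captured `fw ctl arp` listing. The interface table, NAT addresses and ARP listing are constructed sample data, and the `(IP) at MAC interface NAME` line layout assumed for `fw ctl arp` is an assumption; adjust the regex to the real output on your gateway.

```python
"""Classify hide-NAT addresses by proxy ARP need and audit a `fw ctl arp`
listing.  Added example; all data below is constructed, and the
`fw ctl arp` line format is an assumption, not verified Check Point output."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: interfaces of one VS, name -> address/prefix.
VS_INTERFACES: Dict[str, str] = {
    "eth1": "203.0.113.1/24",   # external
    "eth2": "192.0.2.1/24",     # DMZ
}

# Constructed sample: addresses used in "Hide behind IP address" NAT rules.
NAT_HIDE_IPS: List[str] = [
    "203.0.113.1",    # the gateway's own external IP
    "203.0.113.50",   # spare address on the external subnet
    "198.51.100.7",   # address routed to the gateway by the upstream router
    "192.0.2.77",     # spare address on the DMZ subnet
]

# Constructed `fw ctl arp` capture; "(IP) at MAC interface NAME" is assumed.
FW_CTL_ARP_OUTPUT = """\
(203.0.113.50) at 00:1c:7f:aa:bb:cc interface eth1
"""

ARP_LINE = re.compile(
    r"^\((?P<ip>[\d.]+)\)\s+at\s+(?P<mac>[0-9a-fA-F:]+)\s+interface\s+(?P<ifname>\S+)"
)


def parse_fw_ctl_arp(text: str) -> Dict[str, Tuple[str, str]]:
    """Map NAT IP -> (mac, interface) for every proxy ARP line recognised."""
    entries: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            entries[m.group("ip")] = (m.group("mac").lower(), m.group("ifname"))
    return entries


def classify_nat_ip(nat_ip: str, interfaces: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Return (category, interface).  'owned': NAT IP is an interface IP.
    'proxy': NAT IP sits in a connected subnet, so a proxy ARP entry is needed.
    'routed': NAT IP is outside every connected subnet; reached by routing only."""
    addr = ipaddress.ip_address(nat_ip)
    for name, cidr in interfaces.items():
        iface = ipaddress.ip_interface(cidr)
        if addr == iface.ip:
            return "owned", name
        if addr in iface.network:
            return "proxy", name
    return "routed", None


def audit(nat_ips: List[str], interfaces: Dict[str, str],
          arp_text: str) -> Dict[str, Tuple[str, Optional[str], str]]:
    """For each NAT IP: (category, interface, 'present'|'MISSING'|'not needed').
    Only 'proxy' addresses are checked against the ARP listing; the other two
    categories never need an entry, which is the point made in the thread."""
    arp = parse_fw_ctl_arp(arp_text)
    report: Dict[str, Tuple[str, Optional[str], str]] = {}
    for ip in nat_ips:
        cat, ifname = classify_nat_ip(ip, interfaces)
        status = ("present" if ip in arp else "MISSING") if cat == "proxy" else "not needed"
        report[ip] = (cat, ifname, status)
    return report


if __name__ == "__main__":
    for ip, (cat, ifname, status) in audit(NAT_HIDE_IPS, VS_INTERFACES,
                                           FW_CTL_ARP_OUTPUT).items():
        print(f"{ip:16} {cat:7} {ifname or '-':6} proxy ARP: {status}")
```

Run it with the interface table of the VS you are troubleshooting; on VSX the `fw ctl arp` capture has to come from that VS context, not VS0, and on Maestro from each Security Group member if you followed the sk30197 procedure Lesley refers to. A "MISSING" result for a "proxy" address is the only case where a manual entry is worth pursuing; a "routed" address that shows no entry is expected, as Wolfgang and emmap explain.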