This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Martin_Peinsipp
Contributor
‎2018-07-17 09:23 AM

Gratuitous ARP static NAT, 1450-Appliance

Hello!

Today I migrated a firewall-configuration from a SG80-Appliance to a 1450er-Appliance (configured everything manually, installed the latest firmware 07/2017). We have a lot of auto-static-nats configured there (are terminateing in the WAN-Interface). Just for clarification, the WAN-Inteface is configured with internal-ips (MPLS-Connection).

After activating the new appliance (same  ips and static-nat-ips taken from the old SG80-Appliance) the static-nats did not work, because the old MAC-Addresses of the old SG80-Appliance were stored on the router's arp-table.

But the new MAC of the WAN-Interface was updated immediately. So it seems, that the Firewall does not send out gratuitous arp for static-nat-ips but only for its own IP on the WAN-Interface.

As I said, it was not a problem, but I only want to know, if this is a standard behaviour because today it was the very first time, I did not delete the arp-table for the nat-ips, do not know why. Smiley Happy

Best regards

Martin

2 Replies
Pedro_Espindola
Advisor
‎2018-07-19 01:38 PM

Hello Martin.

From the tests I made with a 1470 it seems it does not send gratuitous ARP. It will only respond to ARP requests.

This seems to be the standard behavior.

Martin_Peinsipp
Contributor
‎2018-07-19 11:38 PM

Hello!

Thank you for the test! I found a great command. With this command you can force the appliance to send out g-arps:

echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind --> enable this "feature in the kernel"

arping -c 4 -A -I WAN 10.90.186.200 --> here the g-arp will be done for the WAN-Interface and for the IP 10.90.186.200

 echo 0 > /proc/sys/net/ipv4/ip_nonlocal_bind --> disable this "feature in the kernel"

This works great

Martin

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events