Hello!
Today I migrated a firewall-configuration from an SG80-Appliance to a 1450er-Appliance (configured everything manually, installed the latest firmware 07/2017). We have a lot of auto-static-nats configured there (they are terminating in the WAN-Interface). Just for clarification, the WAN-Interface is configured with internal-ips (MPLS-Connection).
After activating the new appliance (same ips and static-nat-ips taken from the old SG80-Appliance) the static-nats did not work, because the old MAC-Addresses of the old SG80-Appliance were stored on the router's arp-table.
But the new MAC of the WAN-Interface was updated immediately. So it seems that the Firewall does not send out gratuitous arp for static-nat-ips but only for its own IP on the WAN-Interface.
As I said, it was not a problem, but I only want to know if this is a standard behaviour, because today was the very first time I did not delete the arp-table for the nat-ips; I do not know why.
Best regards
Martin
Hello Martin.
From the tests I made with a 1470 it seems it does not send gratuitous ARP. It will only respond to ARP requests.
This seems to be the standard behavior.
Hello!
Thank you for the test! I found a great command. With this command you can force the appliance to send out g-arps:
echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind   # enable this "feature in the kernel"
arping -c 4 -A -I WAN 10.90.186.200            # here the g-arp will be done for the WAN-Interface and for the IP 10.90.186.200
echo 0 > /proc/sys/net/ipv4/ip_nonlocal_bind   # disable this "feature in the kernel"
This works great
Martin
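
Added example, not part of the thread: a POSIX shell helper that repeats the arping command from the post above for a list of static-NAT addresses and puts ip_nonlocal_bind back to the value it had before, rather than always writing 0. The function names, the NONLOCAL and ARPING variables and any address other than 10.90.186.200 are assumptions; it needs root and an arping that accepts -A, as used in the post.

```shell
#!/bin/sh
# Added example: announce static-NAT addresses after a hardware swap.
# NONLOCAL and ARPING are hypothetical override variables for this script.
NONLOCAL=${NONLOCAL:-/proc/sys/net/ipv4/ip_nonlocal_bind}
ARPING=${ARPING:-arping}

# valid_ipv4 ADDR: succeed only for a dotted quad with four octets in 0-255.
valid_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    rest=$1.
    n=0
    while [ -n "$rest" ]; do
        o=${rest%%.*}          # next octet
        rest=${rest#*.}        # remainder after the first dot
        n=$((n + 1))
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    [ "$n" -eq 4 ]
}

# announce_nat_ips IFACE ADDR...
# Sends unsolicited ARP replies (arping -A) for each address so that
# neighbours replace the stale MAC of the old appliance in their ARP tables.
# Invalid addresses are skipped; the return code is non-zero if any failed.
announce_nat_ips() {
    iface=$1; shift
    rc=0
    prev=$(cat "$NONLOCAL") || return 1      # remember the current setting
    echo 1 > "$NONLOCAL" || return 1         # allow the non-local source IP
    for ip in "$@"; do
        if valid_ipv4 "$ip"; then
            $ARPING -c 4 -A -I "$iface" "$ip" || rc=1
        else
            echo "skipping invalid address: $ip" >&2
            rc=1
        fi
    done
    echo "$prev" > "$NONLOCAL"               # restore, do not assume 0
    return $rc
}

# Usage (as root), address list constructed for illustration:
#   announce_nat_ips WAN 10.90.186.200 10.90.186.201
```

Setting ARPING="echo arping" prints the commands instead of sending anything, which is a safe way to check the address list first.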