I am working on two new 1800 Quantum Spark nodes in HA mode.
On the DMZ interface I have created 3 VLANs, which in turn are all added to the HA config with their own IP addresses:
DMZ.100 192.168.1.1/27
DMZ.200 192.168.1.32/29
DMZ.300 192.168.1.40/29
LAN18 10.0.0.1/24
I added a NAT on DMZ.100 for the following:
192.168.1.2:443 -> 10.0.0.50:443
The checkbox 'Serve as an ARP Proxy for the original destination's IP address' is set to on.
According to the documentation a Proxy ARP should be created automatically for IP 192.168.1.2, so the 1800 can respond to ARP requests for that IP address.
When I type 'show nat-rule position 1' I get the following:
index: 1
name: 3966
original-source: any
original-destination: NATTEST
original-service: HTTPS
translated-source:
translated-destination: TEST-HOST
translated-service: HTTPS
comment:
disabled: false
hide-sources: false
answerArpRequests: true
is-generated: false
owner-type:
As stated in the response, answerArpRequests: true, but the 1800 just won't reply to ARP requests.
Also 'fw ctl arp -n' does not show anything.
When I create a $FWDIR/conf/local.arp file on both nodes and add the correct IP/MAC address combination, then the 1800 does respond to ARP requests on the NAT IP address.
Now 'fw ctl arp -n' returns the MAC address to which it should respond.
My question is: is this a known issue, that I need to configure local.arp to get Proxy ARP working with VLAN-tagged interfaces on our Quantum Spark 1800 R81.10.05 devices? Has anyone run into this problem? I would like to use the WebGUI to add NAT configuration and do not want to edit local files which might not survive firmware upgrades.
I found a lead to an old article at proxy-arp-vlan-tagging, but that is for another type of Check Point device; it might be related, though.