This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Duminda_lakmal
Participant
‎2023-01-04 08:45 PM

Know Deferent fw ctl arp and arp command

Hi,

 

I have general questions about the below,

we have enabled Object Static NAT for one internal server to access the internet and expose the internet internal services, not added proxy ARP and arp.local manual file. 

 

when I put fw ctl arp 

I can see NAT public IP and MAC in the list. its okay to show as normal.

but when i put expert mode #arp, it's showing incomplete.

 

we have configured more than 10 Objects the same as that (static object nat), but #arp only shows this incomplete entry. 

 

Kindly share your knowledge to understand, what is the deferent why it's incomplete.

 

Thank you,

Duminda Lakmal.

 

 

0 Kudos
8 Replies
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2023-01-04 09:08 PM

Is this a single gateway or cluster and are you running the commands on the active member?

Which gateway version and is the NAT working or not?

CCSM R77/R80/ELITE
0 Kudos
Duminda_lakmal
Participant
‎2023-01-04 10:41 PM
In response to Chris_Atkinson

Yes. This is Cluster. I ran this on Active Gateway. 

0 Kudos
Duminda_lakmal
Participant
‎2023-01-06 05:06 AM
In response to Chris_Atkinson

This is R80.20, NAT working fine. This is for my knowledge. 

0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2023-01-06 05:18 AM
In response to Duminda_lakmal

In early R80.20 JHF there were cosmetic differences between some ARP commands but not of this nature (sk112753).

Is this JHF T190 or higher?

 

Take 190 - Released on 28 February 2021 and declared as General Availability on 12 April 2021

PRJ-21242,PRHF-12746

Security Gateway: In rare scenarios, proxy ARP entries may be deleted when installing a policy.

 

Take 187 - Released on 17 November 2020

PRJ-13693,PMTR-55510

Security Gateway: Proxy arp change is applied only after the second policy installation.

 

*Note:  R80.20 is End of Support and upgrading is recommended.

CCSM R77/R80/ELITE
0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
‎2023-01-06 09:44 AM

If I'm understanding your description correctly, this is expected behavior. The firewall won't get its own ARP requests, so it won't respond to itself.

Normally, the firewall shouldn't be talking to an address which it translates. It should talk to the real address. What are you trying to do?

0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2023-01-06 02:51 PM
In response to Bob_Zimmerman

I assume the OP is trying to follow the likes of sk30197 which states:

To display the ARP Proxy table entries on the Security Gateway, use these commands in Expert mode:

 

[Expert@HostName:0]# fw ctl arp

[Expert@HostName:0]# fw ctl arp -n

[Expert@HostName:0]# arp -a

[Expert@HostName:0]# arp -e

CCSM R77/R80/ELITE
the_rock
MVP Platinum
MVP Platinum
‎2023-01-06 05:18 PM
In response to Chris_Atkinson

Thanks for pointing out all of them, I just always did fw ctl arp.

Best,
Andy
0 Kudos
Duminda_lakmal
Participant
‎2023-01-09 09:13 AM
In response to Chris_Atkinson

Thanks a lot for the clarification. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events