This week we had some clusters upgraded from R80.10 to R80.30, the customer wants the new and improved HTTPS functionality.
When we were done, on 2 VRRP clusters we had some automatic NAT and a special Hide NAT (for WiFi guests) After upgrading you install the policy twice, first the acces and then again for the Threat Prevention policy.
After some time we were told the Guest WiFi did not work, investigation pointed in the end to the proxy ARP that was not active, so we added the Proxy ARP command for the Hide address, pushed the access policy (the third time). After looking with fw ctl arp we then saw 2 Proxy ARP addresses, the one we added and the other was a automatic NAT.
After removing the manual Proxy ARP again, the fw ctl arp kept showing both ARP entries.
When we upgraded the other cluster we checked again after 1, 2 and 3 pushes of the access policy and only after the third push the Proxy ARP addresses showed up.
It has been reported and R&D will be informed.