Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Harpreet_Singh1
Participant

Proxy ARP on GAIA

Jump to solution

Hi community, I've tried to google the topic but didn't find the answer.

The question is why it is required to add the entries to the Proxy ARP on GAIA to make the NAT work? Is there a possibility to enable dynamic arp so that no configuration is required to make an public IP reachable?

Thanks, Harpreet S.

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
If you use Automatic NAT rules, the Proxy ARPs will be created for you.
Manual NAT rules still require proxy ARPs to be created.
In R80.x, automatic ARPs for Manual Source NAT rules can be created but this is not enabled by default.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

View solution in original post

17 Replies
PhoneBoy
Admin
Admin
If you use Automatic NAT rules, the Proxy ARPs will be created for you.
Manual NAT rules still require proxy ARPs to be created.
In R80.x, automatic ARPs for Manual Source NAT rules can be created but this is not enabled by default.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Harpreet_Singh1
Participant

Thank you. sk114395 answer's what I was after.

Why the feature is not enable by default? For more security?

0 Kudos
PhoneBoy
Admin
Admin

It's a change from the default behavior which people are accustomed to, thus why it is not the default.

0 Kudos
Wolfgang
Mentor
Mentor

Harpreet,

ther's another way to add a proxy arp entry to a gateway without configuring via the GAiA portal.

Add a host object with your external IP to your rulebase and configure automatic NAT (static). As NAT-IP use the same external IP, add the relevant gateway and do a policy install. With this host object the gateway adds an proxy arp entry to the the gateway.

proxy_arp1.PNGproxy_arp2.PNG

 

 

 

 

 

 

Wolfgang

Harpreet_Singh1
Participant

We create the specific NAT rules but trying to configure the object will be interesting. Thank you Wolfgang!

0 Kudos
Nirvs
Explorer

Hi Wolfgang,

 

How do i validate the proxy arp has been created successfully after the below steps has been ?

 

Thanks 

 

Nirvs

 

0 Kudos
Maarten_Sjouw
Champion
Champion
On the cli of the gateway type: fw clt arp
Regards, Maarten
0 Kudos
CSR
Contributor

Hi Wolfgang,

Will it work when Gateway external IP and NATED IP are from a different pool ??? I have tried to add the Proxy ARP entries as well but still unable to access the NATTEd server IP.

Please suggest.

 

Thanks,

CSR

 

0 Kudos
D_Schimanski
Employee
Employee

If they are from a different Pool/Subnet you would need to create a route that points to the firewall. ARP is not enough in this case.

0 Kudos
JackPrendergast
Collaborator

No -

You cant arp for a subnet that isnt attached to the actual interface. How would it route?

 

What are you trying to do?

0 Kudos
Alexander_Grois
Explorer

Let say you real external interface IP is 10.10.10.2

Mac address of external interface is 00:AC:00:AC:00:AC

You are trying to use 20.20.20.2 a NAT IP for one of internal hosts.

So your local.arp should look like :

20.20.20.2 00:AC:00:AC:00:AC 10.10.10.2

In GAiA web UI you have a way to configure that 

 

To validate run fw ctl arp 

 

0 Kudos
the_rock
Champion
Champion

I know this is an old post, but personally, I see LOTS of customers using manual static nats and we never had to do proxy arp either in clish or web GUI. Its possible this was more needed pre R80, but I dont see if often any more.

0 Kudos
Timothy_Hall
Champion
Champion

It depends on where the NAT IP address for manual static NAT comes from.

If they are "plucked" from an directly attached network adjacent to the firewall (such as the "dirty" segment between the firewall's external interface and the Internet perimeter router), a manual static proxy ARP must be created on the firewall.  If however the NAT address is taken from a separate subnet that is explicitly routed to the firewall over a transit network (such as the dirty segment) then proxy ARP is not required, as the Internet perimeter router must already have a static route for that separate NAT subnet and will send traffic bound for it directly to the firewall as the next hop.  

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
the_rock
Champion
Champion

Honestly, I never see people having to do this regardless where traffic comes from. Many times, even TAC is confused whether it should be done or not...

0 Kudos
nzmatto
Participant

I think I need some help as to 'if' a static ARP is going to be needed, after reading this. 
Here's my scenario (IP's and interfaces are made up)
I have a site to site VPN with traffic being both source and destination natted. The destination device 10.100.100.1 is on a valid network segment routed on the inside of the firewall on interface ETH1. 

Source device 202.15.15.1 this is source natted to 10.200.200.1
Destination 202.16.16.1 which is destination natted to 10.100.100.1

Traffic arrives to the cluster on interface ETH0. (207.195.233.1 cluster with .4 and .5 for the cluster members. The point to point VPN is operational and traffic is flowing - most of the time. 
My actual issue relates to the VPN not re-establishing when the cluster fails over to the secondary member. It has been suggested that proxy ARP entries are created as it might help. 
So my configuration would be:
add arp proxy ipv4-address 10.100.100.1 interface ETH0 real ipv4-address 207.195.233.4 (on member 1, and .5 on member 2).

Two questions then. 
1) do I have the configuration line correct in terms of the IP addresses to achieve the desired result, adding the natted destination address?
2) As the 10.100.100.1 network is valid and routed is the proxy arp actually needed?
Thanks Matt


0 Kudos
PhoneBoy
Admin
Admin

ARP (proxy or otherwise) can only be configured for IP addresses on the same subnet.
Therefore, you can only do a proxy arp (meaning the gateway will respond to ARP requests for this IP address) if the address in question is on the same subnet as one of the firewall interfaces. 
Also, proxy arps in general are created automatically by the gateway when NAT rules are created.
One almost never has to actually create these anymore.

What you're describing sounds like an issue where other devices on the same subnet don't know which member currently has the VIP.
That sounds like issues related to gratuitous ARP: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
We send these by default on failover, but it sounds like other things on the network aren't updating their ARP tables in response (as they should).

0 Kudos
(1)
nzmatto
Participant

Thank you for that most excellent response! I do think the issue is tied to GARP, though have been looking into all suggestions. I think I shall proceed through resolving the GARP issue first as opposed to doing both. 

0 Kudos