Thank you. sk114395 answer's what I was after.

Why the feature is not enable by default? For more security?

It's a change from the default behavior which people are accustomed to, thus why it is not the default.

We create the specific NAT rules but trying to configure the object will be interesting. Thank you Wolfgang!

Hi Wolfgang,

How do i validate the proxy arp has been created successfully after the below steps has been ?

Thanks 

Nirvs

Hi Wolfgang,

Will it work when Gateway external IP and NATED IP are from a different pool ??? I have tried to add the Proxy ARP entries as well but still unable to access the NATTEd server IP.

Please suggest.

Thanks,

CSR

If they are from a different Pool/Subnet you would need to create a route that points to the firewall. ARP is not enough in this case.

No -

You cant arp for a subnet that isnt attached to the actual interface. How would it route?

What are you trying to do?

Let say you real external interface IP is 10.10.10.2

Mac address of external interface is 00:AC:00:AC:00:AC

You are trying to use 20.20.20.2 a NAT IP for one of internal hosts.

So your local.arp should look like :

20.20.20.2 00:AC:00:AC:00:AC 10.10.10.2

In GAiA web UI you have a way to configure that 

To validate run fw ctl arp 

It depends on where the NAT IP address for manual static NAT comes from.

If they are "plucked" from an directly attached network adjacent to the firewall (such as the "dirty" segment between the firewall's external interface and the Internet perimeter router), a manual static proxy ARP must be created on the firewall.  If however the NAT address is taken from a separate subnet that is explicitly routed to the firewall over a transit network (such as the dirty segment) then proxy ARP is not required, as the Internet perimeter router must already have a static route for that separate NAT subnet and will send traffic bound for it directly to the firewall as the next hop.  

Honestly, I never see people having to do this regardless where traffic comes from. Many times, even TAC is confused whether it should be done or not...

I think I need some help as to 'if' a static ARP is going to be needed, after reading this. 
Here's my scenario (IP's and interfaces are made up)
I have a site to site VPN with traffic being both source and destination natted. The destination device 10.100.100.1 is on a valid network segment routed on the inside of the firewall on interface ETH1. 

Source device 202.15.15.1 this is source natted to 10.200.200.1
Destination 202.16.16.1 which is destination natted to 10.100.100.1

Traffic arrives to the cluster on interface ETH0. (207.195.233.1 cluster with .4 and .5 for the cluster members. The point to point VPN is operational and traffic is flowing - most of the time. 
My actual issue relates to the VPN not re-establishing when the cluster fails over to the secondary member. It has been suggested that proxy ARP entries are created as it might help. 
So my configuration would be:
add arp proxy ipv4-address 10.100.100.1 interface ETH0 real ipv4-address 207.195.233.4 (on member 1, and .5 on member 2).

Two questions then. 
1) do I have the configuration line correct in terms of the IP addresses to achieve the desired result, adding the natted destination address?
2) As the 10.100.100.1 network is valid and routed is the proxy arp actually needed?
Thanks Matt

ARP (proxy or otherwise) can only be configured for IP addresses on the same subnet.
Therefore, you can only do a proxy arp (meaning the gateway will respond to ARP requests for this IP address) if the address in question is on the same subnet as one of the firewall interfaces. 
Also, proxy arps in general are created automatically by the gateway when NAT rules are created.
One almost never has to actually create these anymore.

What you're describing sounds like an issue where other devices on the same subnet don't know which member currently has the VIP.
That sounds like issues related to gratuitous ARP: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
We send these by default on failover, but it sounds like other things on the network aren't updating their ARP tables in response (as they should).

Thank you for that most excellent response! I do think the issue is tied to GARP, though have been looking into all suggestions. I think I shall proceed through resolving the GARP issue first as opposed to doing both.