Matlu
Advisor

Use of Proxy ARP

Hello, everyone.

Is the use of Proxy ARP mandatory in Check Point Firewalls?

According to the documentation and some materials I have found on the Internet, the use of Proxy ARP is usually related to the publications.

Is this mandatory on all architectures?

For example, if I publish a web service to the Internet, do I need to "focus" on the arp table of my publication?

Proxy ARP is directly related only to Manual NAT, right?

Cheers 🙂

20 Replies
the_rock
Legend

I find not needed in R81+.

Matlu
Advisor

What is the need to use Proxy ARP?

I have a client that has version R81.10 and is using this table.

Is it mandatory to use this table when I "want" to publish services to the Internet?

the_rock
Legend

If you Google "Cisco proxy ARP explanation", it's the best on the Internet, in my opinion, but the below sums it up well.

Andy

Let us consider the following scenario:

  1. Two networks (Network_A and Network_B) are separated by a Security Gateway (single Security Gateway or ClusterXL).

  2. On each network, there is a host (Host_A on Network_A, Host_B on Network_B).

  3. Let us assume that Network_A represents the Internal network, and Network_B represents the External network.

  4. According to the existing standards, when Host_B needs to send data to Host_A, an ARP Request for the MAC address of Host_A will be sent by Host_B to Network_B.

    Since Host_A is located on another network, and the Security Gateway acts as a router, this ARP Request (sent to Broadcast address on Layer2) will not be forwarded by the Security Gateway from Network_B to Network_A.

    As a result, Host_B will not discover the MAC address of Host_A, and will not be able to send the data to Host_A.

    A standard solution, in such cases, is to configure the Security Gateway to act as Proxy ARP.

    The Security Gateway will pretend to be the Host in question. The Security Gateway will accept the ARP Requests and the Security Gateway will send its own MAC Address in ARP Reply. Then, when the data is received from the External network, the Security Gateway will forward the data to the relevant host on the Internal network.

https://support.checkpoint.com/results/sk/sk30197

Matlu
Advisor

Buddy,

I find sense in your explanation and the documentation, but for "inbound" traffic (my company's publications, to the Internet, maybe).

But, have you ever used or seen anyone use a Proxy ARP entry for "Outbound" traffic (Surfing to the Internet from my LAN)?

I have come across a customer who has added a line to his ARP table with the VIP IP of his Cluster (the IP with which his LAN surfs the Internet), but I don't find much sense in it.

If I delete that entry in the TABLE, they simply run out of Internet.

Does it make sense to use the Proxy ARP in the LAN -> WAN direction?

Cheers. 

Chris_Atkinson
Employee

Yes, but usually not the VIP itself; rather, the hide NAT IP being on the same subnet as the external VIP is one such case.

Where possible, use routing rather than proxy ARP; that is my recommendation for reliability.

CCSM R77/R80/ELITE
Matlu
Advisor

Hello,

In my case, the client has a public pool that is /27.

One of those publics is set as "VIP" of the External Cluster interface.

I have never seen ARP proxy configured in the LAN -> WAN direction, and that caused me doubts.

Is there any way to guarantee the LAN Internet service, if I remove the entry from the ARP Table?

Because we already tried it, and when we remove it, the LAN is without Internet.

RS_Daniel
Advisor

Hello,

When you have a cluster, the active member replies to ARP requests for the VIP, so it is like an "implicit proxy ARP" that you do not need to configure. The cluster knows which is the VIP based on the topology configuration in SmartConsole, so if you need to create this proxy ARP entry manually, it seems to me that there is some misconfiguration in the cluster topology. Using the command "cphaprob -a if", do you see the cluster VIP on the external interface? Are the members' IP addresses on the same public network as the VIP?

Regards

Matlu
Advisor

Hello,

This is what I get from the command "cphaprob -a if".

The IP of the Cluster VIP is 38.43.131.133

This is the IP that is manually added in the ARP TABLE (Proxy ARP), and it is something that does not make much sense to me.

If I remove that entry from the ARP TABLE, the client is left without Internet.

Any idea "why" this happens?

the_rock
Legend

Can you show the actual arp entry?

Andy

Matlu
Advisor

Hello,

This is how it is currently observed, in each GW of the Cluster.

I attach it in a txt, so that it can be more understandable.

The Cluster VIP IP is the one ending in x.x.x.x.133, and for some strange reason, they configured it as another entry in the PROXY ARP.

If we delete this entry, the client will no longer have Internet.

We have found that when we delete the entry, the client can still ping public IPs, such as 8.8.8.8 or 1.1.1.1, but it no longer has DNS resolution.

Simply put, it can no longer "surf" to web pages.

Instead when you add the entry, where you put the IP of the VIP, the client has a full Internet service.

the_rock
Legend

Ok, I get the whole picture now. But here is the way I would approach this. I get it's probably not possible without replicating it (meaning deleting that entry), but it would be interesting to see if they can access any web pages by IP address when that ARP entry is deleted... i.e., can they access whatever IP www.google.com resolves to?

Also, keep in mind, it would be impossible for TAC to troubleshoot this, unless the issue is present during the call.

Andy

Matlu
Advisor

No.

What we have validated is that when we remove the entry from the ARP TABLE (Proxy ARP):

Any PC on the LAN can still ping public IPs, such as 1.1.1.2 or 8.8.4.4, but what stops working is the DNS resolution itself.

That is, if the PC does a "ping facebook.com" or "ping yahoo.com", it simply does not resolve.

Obviously the pages don't load, and everyone runs around, shouting "I HAVE NO INTERNET" "THE INTERNET IS DOWN" 😂😅

I don't understand why that entry is configured there, and the worst thing is that when the GW restarts, that line is deleted and the "internet down" problem starts.

I have never seen such an entry, in the sense of LAN -> WAN.

the_rock
Legend

I know... when people shout in Spanish, it sounds kind of funny lol

Anyway, my question was NOT about the ping, but can they access any site by an IP address?

Andy

Matlu
Advisor

We have not been able to perform this test.

the_rock
Legend

Here is the logic behind why I'm asking you that question. Say, for example, let's take a simple home setup. A person says they can't access the Internet, but if they can access any site by the IP it resolves to, then it 100% means it's a DNS issue. Same goes here... so I think it would be helpful to confirm that in the next window, if the customer is willing to let you troubleshoot.

Andy

Matlu
Advisor

I would need to know the Public IP of any domain on the Internet.
Something I don't know now 😄

Perhaps you know the public IP of https://<IP_Public_CheckPoint>, to do the test.

the_rock
Legend

Bro, you are too funny 😂😂😂😂😂

That's what the nslookup command is for, lol... even ping would give you an IP address, regardless of whether it's successful or not.

nslookup google.com or any fqdn

Andy

the_rock
Legend

No buddy, in my 15 years dealing with CP, I have NEVER seen anyone use proxy ARP for outbound connections.

Andy

AmirArama
Employee

What is the subnet of the LAN PCs? To which interface of the cluster are they connected?

What IP is configured as their DNS server?

Can you add the Gaia command for proxy ARP from Gaia clish 'show configuration'?

Thx

PhoneBoy
Admin

Proxy ARP is only necessary if you are using an IP address on the same subnet as the firewall for NAT or similar.
If it is a different subnet than the firewall, Proxy ARP is not necessary.
Automatic NAT rules will handle the Proxy ARP configuration.
Manual NAT rules may require additional Proxy ARP configuration.

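As an added example (not code from this thread, from Check Point, or from sk30197), the following Python model ties together the sk30197 description quoted above and PhoneBoy's same-subnet rule: a gateway answers ARP requests for its own address and for its Proxy ARP entries with its own MAC, never forwards the L2 broadcast, and a helper decides whether a NAT address needs an entry at all. Every address, MAC, and the `Gateway` class are constructed for illustration.

```python
import ipaddress
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
# Ethernet/IPv4 ARP body: htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
_ARP = struct.Struct("!HHBBH6s4s6s4s")


def build_arp(oper, sha, spa, tha, tpa):
    """Serialise one 28-byte ARP packet (MACs as bytes, IPs as strings)."""
    return _ARP.pack(1, 0x0800, 6, 4, oper, sha, ipaddress.IPv4Address(spa).packed,
                     tha, ipaddress.IPv4Address(tpa).packed)


def parse_arp(raw):
    """Return (oper, sha, spa, tha, tpa) from a 28-byte ARP packet."""
    _, _, _, _, oper, sha, spa, tha, tpa = _ARP.unpack(raw)
    return oper, sha, str(ipaddress.IPv4Address(spa)), tha, str(ipaddress.IPv4Address(tpa))


def needs_proxy_arp(nat_ip, external_iface):
    """PhoneBoy's rule: only a NAT address on the same subnet as the external
    interface needs Proxy ARP; any other subnet is simply routed to the gateway."""
    return ipaddress.IPv4Address(nat_ip) in ipaddress.IPv4Interface(external_iface).network


class Gateway:
    """Hypothetical external interface of a gateway with its Proxy ARP entries."""

    def __init__(self, iface, mac, proxy_arp):
        self.iface = ipaddress.IPv4Interface(iface)
        self.mac = mac
        self.proxy_arp = {ipaddress.IPv4Address(ip) for ip in proxy_arp}

    def handle_arp(self, raw):
        """sk30197 behaviour: answer requests for our IP or a proxied IP with our
        own MAC ('pretend to be the host'); never forward or answer anything else."""
        oper, sha, spa, _, tpa = parse_arp(raw)
        target = ipaddress.IPv4Address(tpa)
        if oper != ARP_REQUEST or (target != self.iface.ip and target not in self.proxy_arp):
            return None
        return build_arp(ARP_REPLY, self.mac, tpa, sha, spa)


# Constructed scenario: gateway on Network_B (a /27 like the one in the thread) with one
# manual-NAT address proxied; the ISP router plays Host_B and asks who owns an address.
GW = Gateway("203.0.113.10/27", b"\x00\x11\x22\x33\x44\x55", proxy_arp=["203.0.113.20"])
ROUTER_MAC = b"\xaa\xbb\xcc\xdd\xee\xff"


def who_has(tpa):
    """Broadcast 'who has tpa?' from Host_B and return the gateway's reply (or None)."""
    return GW.handle_arp(build_arp(ARP_REQUEST, ROUTER_MAC, "203.0.113.1", b"\0" * 6, tpa))
```

A request for the proxied NAT address or the interface's own address gets a reply carrying the gateway's MAC; a request for any other address on the segment gets nothing, which is exactly the silence Host_B sees when a manual NAT address is missing its entry.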