This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Nilesh_Sonkusa1
Participant
‎2019-06-11 08:15 AM
Jump to solution

configure Proxy Arp on VSX cluster firewall

Hi Team ,

Can someone explain me how to configure Proxy Arp for  Static NAT Public IP on R80.10 VSX Cluster firewall .My Cluster is active passive mode .I am go through SK30197 but not understand .

1 Solution

Accepted Solutions
Wolfgang
Authority
Authority
‎2019-06-11 10:31 AM
Jump to solution

Nilesh,

ther's another way to add a proxy arp entry to a gateway without configuring via the GAiA portal or close.

Add a host object with your external IP to your rulebase and configure automatic NAT (static). As NAT-IP use the same external IP, add the relevant gateway and do a policy install. With this host object the gateway adds an proxy arp entry to the the gateway.

proxy_arp1.PNGproxy_arp2.PNG

 

 

 

 

 

 

Wolfgang

View solution in original post

8 Replies
Maarten_Sjouw
Champion
Champion
‎2019-06-11 08:43 AM
Jump to solution

First thing you need to know is the mac address that is connected to the correct interface, you can find that by entering in expert mode (lets say you are working on VS5:
vsenv 5
cphaprob stat
ifconfig
From the last find the correct interface that belongs to the IP from the same network/subnet you want to add the proxy arp for.
Now go back to clish and enter the following commands:
set virtual-system 5
add arp proxy ipv4-address 10.10.10.20 macaddress 00:xx:xx:xx:xx:xx real-ipv4-address 10.10.10.1
Where 10.10.10.20 is the NAT IP you added and 10.10.10.1 is the IP on the interface. Once added push policy, but before you do, do not forget to check that the global NAT properties, 'merge manual proxy ARP configuration' is ticked.
Now check to see if it all works properly with:
fw ctl arp

Regards, Maarten
Wolfgang
Authority
Authority
‎2019-06-11 10:31 AM
Jump to solution

Nilesh,

ther's another way to add a proxy arp entry to a gateway without configuring via the GAiA portal or close.

Add a host object with your external IP to your rulebase and configure automatic NAT (static). As NAT-IP use the same external IP, add the relevant gateway and do a policy install. With this host object the gateway adds an proxy arp entry to the the gateway.

proxy_arp1.PNGproxy_arp2.PNG

 

 

 

 

 

 

Wolfgang

Clive_Overton-F
Explorer
‎2020-01-27 09:57 PM
In response to Wolfgang
Jump to solution

I am virtualizing a HA Cluster to a VSX Cluster and have been reading some documentation regarding PROXY ARP and VSX . One thing I would like to discuss is the relation between a proxy arp entry in clish and the local.arp file. I have to understand this better so that I can configure this in the new VSX enviroment.

This is taken from a normal HA cluster not a VSX!

local.arp - 193.45.59.11 00:1c:7f:63:e8:76 193.45.95.20

--------------------------------------------------------------------------------------------------

clish - add arp proxy ipv4-address 193.45.59.11 interface bond1 real-ipv4-address 193.45.95.20

If I have understood this post correctly I only have to add proxy arp on the vs and nothing in the local.arp file?

Sincerely

Clive Overton-Fox

Maarten_Sjouw
Champion
Champion
‎2020-02-04 01:12 PM
In response to Clive_Overton-F
Jump to solution

Clish commands overwrite the files in the background, like the add arp proxy will add an entry to local.arp
The main advantage of using clish instead of editing local files is that show configuration will show you that information without you needing to get into those pesky files.
Same goes for cronjobs, add cron in clish will add a line to crontab and you will see with crontab -l that the command you added in clish is properly added to the crontab.
Also in some companies you're not allowed to go into expert mode, thus making the access to local.arp very difficult.
Regards, Maarten
0 Kudos
genisis__
Mentor Mentor
Mentor
‎2022-05-30 02:07 PM
In response to Maarten_Sjouw
Jump to solution

I tried this and it did not work, I ended up creating a local.arp file on the VS, I used SK30197 as reference. This was done on a R80.40 VSX cluster.

 

0 Kudos
Bob_Zimmerman
Authority
Authority
‎2022-05-31 12:00 PM
In response to genisis__
Jump to solution

With VSX, you must use clish to configure proxy ARP entries for VS0 (this isn't common, but it is technically possible), and you must use local.arp for proxy ARP entries for any VS other than 0.

0 Kudos
genisis__
Mentor Mentor
Mentor
‎2022-05-31 12:30 PM
In response to Bob_Zimmerman
Jump to solution

Thanks Bob - I confirmed this with TAC today as well, I think Checkpoint should improve on this so that clish commands for proxy arp entries should also work on specific VS's (the commands are accepted).

 

0 Kudos
Bob_Zimmerman
Authority
Authority
‎2022-06-01 08:13 AM
In response to genisis__
Jump to solution

I'm the other way around. I can't stand clish, and would love to go back to local.arp for all proxy ARP entries on all VSs and on non-VSX firewalls.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events