If you run "tcpdump -eni eth8 arp" from expert mode, are you seeing an inbound ARP request for 85.21.100.105 from your perimeter router?

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

There are queries, no answers

17:12:15.468575 6c:c2:17:78:7c:2a > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 85.21.100.105 tell 85.21.100.112 - my test PC

17:12:16.384090 d4:6d:50:6b:c5:61 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 85.21.100.105 tell 85.21.100.97

17:12:16.468832 6c:c2:17:78:7c:2a > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 85.21.100.105 tell 85.21.100.112

17:12:24.468699 6c:c2:17:78:7c:2a > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 85.21.100.105 tell 85.21.100.112

I'm suspecting that the firewall object topology definition for eth8 does not match the underlying Gaia interface configuration.  Please provide a screenshot of eth8's topology in the SmartConsole, and the output from following expert mode commands:

ifconfig eth8

fw stat

arp -an | grep 85.21.100.

netstat -rn | grep 85.21.100.

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

ifconfig eth8
eth8 Link encap:Ethernet HWaddr 00:1C:7F:83:B7:7F 
inet addr:85.21.100.111 Bcast:85.21.100.127 Mask:255.255.255.224
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:60326 errors:0 dropped:0 overruns:0 frame:0
TX packets:42250 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000 
RX bytes:34872545 (33.2 MiB) TX bytes:10041607 (9.5 MiB)

 fw stat
HOST POLICY DATE 
localhost CO_test 9Oct2017 15:45:59 : [^eth1] [^eth1] [^eth8] [^eth8]

arp -an ^ grep 85.21.100.
? (85.21.100.97) at D4:6D:50:6B:C5:61 [ether] on eth8

netstat -rn ^ grep 85.21.100.
85.21.100.96 0.0.0.0 255.255.255.224 U 0 0 0 eth8
0.0.0.0 85.21.100.97 0.0.0.0 UGD 0 0 0 eth8

Well everything looks correct here, has anything in the config of the underlying Gaia eth8 interface been changed on the fly at all since the last boot? Try tcpdump again, but this time with the -p option to suppress promiscuous mode as shown below, do you still see the ARP requests for 85.21.100.105 coming in:

tcpdump -p -eni eth8 arp

If you don't seem them coming in any more it is a network problem.  If you do still see them coming in, try running

fw ctl zdebug drop

Is it logging any kind of drop or other difficulty handling ARP in the zdebug?

Next try reinstalling policy, then try this next from expert mode:

ifdown eth8;ifup eth8

If that still doesn't work only thing I can suggest at this point is a reboot, lame as that sounds.

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

Very interesting, this firewall is not a cluster

;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=-1 ?:0 -> ?:0 dropped by fwha_process_incoming_arp Reason: The packet is designated to an ip address that is proxied, but I'm not an active member

Yes, you were right! I disabled clustering - the proxy arp earned. It's great, thanks a lot, excellent troubleshooting!!!

Glad to hear, as it turns out there is actually a SK documenting this that I'll link here for future reference:

sk34453: Automatic Static NAT does not work on Security Gateway

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

These are the highest rules, there is nowhere to go