Configuring Proxy ARP For Manual NAT

Support, Support Requests, Training, Documentation, and Knowledge ... https://supportcenter.checkpoint.com/supportcenter/portal/media-type/...
Solution ID: sk30197
Configuring Proxy ARP for Manual NAT
Product: ClusterXL, Security Gateway, VSX

Version: All
Last Modified: 16-dic-2014
Symptoms
After creating a Manual Static NAT rule, Security Gateway does not answer the ARP Requests for the Static NATed IP address that was configured in the Manual NAT rule.
Security Gateway replies to ARP requests with a wrong MAC address, mostly for the NAT traffic.
Solution
Click Here to Show Entire Article
Table of Contents:
1. Introduction
2. Configuration principles
3. Procedures
Select the procedure relevant to your environment
OS Version Gateway mode VSX mode
R77.10 Instructions
Instructions only for VS0
and above
R77 Instructions Instructions

for any VS
R76 Instructions other than VS0
Gaia
Instructions
R75.40VS Instructions
for any VS
R75.47
R75.46
Instructions N/A
R75.45
R75.40
NGX R65
Instructions N/A
and above
SecurePlatform VSX NGX R65

VSX NGX R67
N/A Instructions
VSX NGX R67.10
VSX NGX R68
4. General Notes
5. Related Documentation
6. Related Solutions
7. Related Debug
(1) Introduction
Show / Hide introduction
Let us consider the following scenario:
1. Two networks (Network_A and Network_B) are separated by a Security Gateway (single Security Gateway or ClusterXL).
2. On each network, there is a host (Host_A on Network_A, Host_B on Network_B).
3. Let us assume, that Network_A represents the Internal network, and Network_B represents the External network.
4. According to the existing standards, when Host_B needs to send data to Host_A, an ARP Request for the MAC address of Host_A will be sent by Host_B to Network_B.
Since Host_A is located on another network, and the Security Gateway acts as a router, this ARP Request (sent to Broadcast address on Layer2) will not be forwarded by the Security Gateway from Network_B to Network_A.
As a result, Host_B will not discover the MAC address of Host_A, and will not be able to send the data to Host_A.
A standard solution, in such cases, is to configure the Security Gateway to act as Proxy ARP.
The Security Gateway will pretend to be the Host in question. The Security Gateway will accept the ARP Requests and the Security Gateway will send its own MAC Address in ARP Reply. Then, when the data is received from the External network, the Se
on the Internal network.
Refer to:
http://en.wikipedia.org/wiki/Proxy_ARP
The TCP/IP Guide
http://www.ietf.org/rfc/rfc1027.txt
(2) Configuration principles

Configuration for Proxy ARP is two-fold:
1. Configuring Layer2-to-Layer3 matching on Security Gateway / each cluster member - matching IP addresses of the relevant hosts on the Internal network (where the hosts are located) to the MAC Address of the Security Gateway on the
published).
On Check Point Security Gateway / Cluster member, this matching is saved in the $FWDIR/conf/local.arp file.
2. Creating relevant Manual NAT rules in SmartDashboard and installing the policy.
(3) Procedures
Procedure for Gaia OS in Gateway mode - R76 / R77 / R77.10 and above
Important Notes:
Changes to Proxy ARP list made in Clish / Gaia Portal will take effect only after policy installation.
Since Gaia R77.10, it is possible to configure Proxy ARP entries in Gaia Portal:
Go to 'Network Management' pane - go to 'ARP' - in the 'Proxy ARP' section, click on 'Add' button.
Show / Hide screenshots
1 di 10 03/02/2015 15:41
Since Gaia R76, user has to configure Proxy ARP entries in Clish using the add 'arp proxy ipv4-address ...' command (the $FWDIR/conf/local.arp file will be created by Gaia OS):
either use these commands (via 'interface'):
HostName> add arp proxy ipv4-address IP_ADDRESS_OF_HOST_THAT_SHOULD_BE_PUBLISHED interface NAME_OF_ADVERTISING_INTERFACE_ON_EXTERNAL_NETWORK real-ipv4-address REAL_IP_ADDRESS_OF_ADVERTISING_INTERFACE_ON
HostName> save config
or use these commands (via 'macaddress'):
HostName> add arp proxy ipv4-address IP_ADDRESS_OF_HOST_THAT_SHOULD_BE_PUBLISHED macaddress MAC_ADDRESS_OF_ADVERTISING_INTERFACE_ON_EXTERNAL_NETWORK real-ipv4-address REAL_IP_ADDRESS_OF_ADVERTISING_INTE
Clarification:
Both forms are accepted.
The first form 'add arp proxy ipv4-address ... interface ...' is easier and is recommended:
Using the names of the interfaces is more intuitive
Clish will display the available interfaces when pressing Tab key after 'interface'
MAC address of the selected interface will be used automatically
To configure multiple Proxy ARP entries at once, user can create a plain-text file with the relevant 'add arp proxy ipv4-address ...' commands, and then run the 'clish -s -f /path_to/file_with_proxy_arp_syntax.txt
Any change in Proxy ARP made in Clish / Gaia Portal, will override any manual changes in the $FWDIR/conf/local.arp file.
Proxy ARP configuration made in Clish / Gaia Portal (and saved in Gaia Database), during boot will override any manual changes in the $FWDIR/conf/local.arp file.
To remove a Proxy ARP entry:
Either run the following Clish commands:
HostName> delete arp proxy ipv4-address IP_ADDRESS_OF_HOST_THAT_SHOULD_BE_PUBLISHED

Or remove the entry in Gaia Portal:
Go to 'Network Management' pane - go to 'ARP' - in the 'Proxy ARP' section, select the relevant entry - click on 'Remove' button.
To display the configured ARP Proxy entries:
In Clish, run these commands:
either
HostName> show arp proxy all
or
HostName> show arp proxy ipv4-address IP_ADDRESS_OF_HOST_THAT_SHOULD_BE_PUBLISHED
In Expert mode, run this command:
[Expert@HostName]# grep arpproxy /config/db/initial
Procedure:
1. Connect to command line on Security Gateway / each cluster member (over SSH, or console).
2. Log in to Clish.
3. Add the relevant Proxy ARP entries:
Each entry contains:
IP address of the relevant host that should be published to the outside world
Name of the relevant Security Gateway's advertising interface on the External network;
or MAC address of the relevant Security Gateway's advertising interface on the External network
Real IP address of advertising interface
Exact syntax depends on the configuration:
Single Gateway
HostName> add arp proxy ipv4-address IP_ADDRESS_OF_HOST_THAT_SHOULD_BE_PUBLISHED macaddress MAC_ADDRESS_OF_GATEWAY_ON_EXTERNAL_NETWORK real-ipv4-address REAL_IP_ADDRESS_OF_ADVERTISING_INTERFACE
Example - 10.10.10.X are IP addresses of hosts on Internal Network, that should be published to outside world as 20.30.40.X from the Security Gateway's interface 20.30.40.1:
HostName> add arp proxy ipv4-address 20.30.40.3 macaddress 00:B4:F3:A8:C1:33 real-ipv4-address 20.30.40.1
ClusterXL in High Availability mode, or ClusterXL in Load Sharing Unicast mode, and IP addresses of physical interfaces and Virtual IP address are on the same subnet
HostName> add arp proxy ipv4-address IP_ADDRESS_OF_HOST_THAT_SHOULD_BE_PUBLISHED macaddress MAC_ADDRESS_OF_MEMBER'S_PHYSICAL_INTERFACE_ON_EXTERNAL_NETWORK real-ipv4-address REAL_IP_ADDRESS_OF_MEMBE
Example - 10.10.10.X are IP addresses of hosts on Internal Network, that should be published to outside world as 20.30.40.X from the members' interfaces 20.30.40.11 and 20.30.40.12:
On Member_A
HostName> add arp proxy ipv4-address 20.30.40.3 macaddress 00:A0:C9:E8:C7:75 real-ipv4-address 20.30.40.11
On Member_B
HostName> add arp proxy ipv4-address 20.30.40.3 macaddress 00:A0:C9:E8:C7:7F real-ipv4-address 20.30.40.12
Notes:
During fail-over, by design, a Gratuitous ARP Request packet is sent to the network by the new Active/Pivot member, so that switches and hosts on the network will know that on each cluster interface the MAC address associate
After configuring the Proxy ARP entries, on ClusterXL in High Availability mode, or on ClusterXL in Load Sharing Unicast mode, Gratuitous ARP Request packets will also be sent for the configured IP addresses of the Hosts.
Gratuitous ARP packets are not sent correctly on VLAN interfaces during fail-over in a cluster. This is the current design. Refer to sk43945.
ClusterXL in High Availability mode, or ClusterXL in Load Sharing Unicast mode, IP addresses of physical interfaces and Virtual IP address are on the same subnet, and Virtual MAC (VMAC) mode is enabled (per sk50840)
HostName> add arp proxy ipv4-address IP_ADDRESS_OF_HOST_THAT_SHOULD_BE_PUBLISHED macaddress VMAC_ADDRESS real-ipv4-address REAL_IP_ADDRESS_OF_MEMBER'S_PHYSICAL_INTERFACE_ON_EXTERNAL_NETWORK
Example (from R76) - 10.10.10.X are IP addresses of hosts on Internal Network, that should be published to outside world as 20.30.40.X from the members' interfaces 192.168.0.11 and 192.168.0.12:
On Member_A
HostName> add arp proxy ipv4-address 20.30.40.3 macaddress 00:1C:7F:00:00:FE real-ipv4-address 192.168.0.11
2 di 10 03/02/2015 15:41
On Member_B
Notes:
ClusterXL in High Availability mode, or ClusterXL in Load Sharing Unicast mode, and IP addresses of physical interfaces and Virtual IP address are on different subnets
HostName> add arp proxy ipv4-address IP_ADDRESS_OF_HOST_THAT_SHOULD_BE_PUBLISHED macaddress MAC_ADDRESS_OF_MEMBER'S_PHYSICAL_INTERFACE_ON_EXTERNAL_NETWORK real-ipv4-address REAL_IP_ADDRESS_OF_MEMBE
On Member_A
On Member_B
Notes:
ClusterXL in Load Sharing Multicast mode, and IP addresses of physical interfaces and Virtual IP address are on the same subnet
HostName> add arp proxy ipv4-address IP_ADDRESS_OF_HOST_THAT_SHOULD_BE_PUBLISHED macaddress MULTICAST_MAC_ADDRESS_OF_CLUSTER_VIP_ON_EXTERNAL_NETWORK real-ipv4-address REAL_IP_ADDRESS_OF_MEMBER'S_PH
Note:
To get the Multicast MAC address of Cluster VIP on the External network:
In SmartDashboard, double-click on the cluster object - in Properties window, go to Topology - click on Edit Topology... - find the Virtual interface - double-click on the interface (or right-click and choose Edit Interface
On Member_A
HostName> add arp proxy ipv4-address 20.30.40.3 macaddress 01:00:5e:10:06:64 real-ipv4-address 20.30.40.11
On Member_B
Notes:
After configuring the Proxy ARP entries, on ClusterXL in Load Sharing Multicast mode, Gratuitous ARP Request packets will also be sent for the configured IP addresses of the Hosts.
ClusterXL in Load Sharing Multicast mode, and IP addresses of physical interfaces and Virtual IP address are on different subnets
HostName> add arp proxy ipv4-address IP_ADDRESS_OF_HOST_THAT_SHOULD_BE_PUBLISHED macaddress MULTICAST_MAC_ADDRESS_OF_CLUSTER_VIP_ON_EXTERNAL_NETWORK real-ipv4-address REAL_IP_ADDRESS_OF_MEMBER'S_PH
Note:
On Member_A
On Member_B
Notes:
After configuring the Proxy ARP entries, on ClusterXL in Load Sharing Multicast mode, Gratuitous ARP Request packets will also be sent for the configured IP addresses of the Hosts.
Cluster in VRRP mode
HostName> add arp proxy ipv4-address IP_ADDRESS_OF_HOST_THAT_SHOULD_BE_PUBLISHED macaddress VRRP_MAC_ADDRESS real-ipv4-address REAL_IP_ADDRESS_OF_MEMBER'S_PHYSICAL_INTERFACE_ON_EXTERNAL_NETWORK
On Member_A
On Member_B
Notes:
After configuring the Proxy ARP entries on Cluster in VRRP mode running on Gaia OS, by design, Gratuitous ARP Request packets for the configured Hosts will be sent only with Source IP address of the VR
Refer to sk92426 (Automatic NAT IP addresses are assigned with a physical MAC addresses of the cluster members instead of VMAC addresses in Gaia VRRP cluster with enabled VMAC).
4. Connect with SmartDashboard to Security Management Server / Domain Management Server.
5. In SmartDashboard, create a Host object that will represent the relevant host on the Internal network (Internal IP address).
6. In SmartDashboard, go to 'Policy' menu - click on 'Global Properties' - go to 'NAT' - go to 'Automatic NAT rules' section.
If the box "Automatic ARP configuration" is checked, then also check the box "Merge manual proxy ARP configuration".
or
Disable the "Automatic ARP configuration" completely (clear the box).
Notes:
Automatic ARP Configuration is enabled by default - it ensures that ARP requests for a translated (NATed) machine, network or address range are answered by the Security Gateway.
Merge manual proxy ARP configuration merges the Automatic and Manual ARP configurations. Manual proxy ARP configuration is required for manual Static NAT rules. If a manual ARP configuration is defined in t
configuration' is enabled, both definitions are maintained. If there is a conflict between the definitions (the same NATed IP address appears in both), then the manual configuration is used.
If 'Automatic ARP configuration' setting is enabled, but 'Merge manual proxy ARP configuration' setting is not enabled, then the Security Gateway ignores the Proxy ARP entries in the $FWDIR/conf/local.arp
7. In SmartDashboard, go to 'Policy' menu - click on 'Global Properties' - go to 'NAT' - go to 'Manual NAT rules' section.
Check the box "Translate destination on client side".
Notes:
Translate destination on client side is enabled by default - it applies to packets originating at a Client, with the Server as its destination. Static NAT for the server is performed on the Client side of the Security Gateway.
8. Create the following Manual NAT rules:
Original Packet Translated Packet

No.
Source Destination Service Source Destination Service
object that represents 'Static' translation -

the relevant host object that represents
1 Any Any = Original = Original
on the Internal network the External (NATed)
(with its Internal IP address) IP address of the relevant host
object that represents

the relevant host
2 Any the External (NATed) Any = Original = Original
on the Internal network
IP address of the relevant host
(with its Internal IP address)
9. Install the Security Policy.
10. Check the Proxy ARP table on Security Gateway / each cluster member using the following commands in Expert mode:
[Expert@HostName]# fw ctl arp

[Expert@HostName]# fw ctl arp -n
[Expert@HostName]# arp -a
[Expert@HostName]# arp -e
3 di 10 03/02/2015 15:41
Procedure for Gaia OS in Gateway mode - R75.40 / R75.40VS / R75.45 / R75.46 / R75.47
2. Log in to Expert mode.
3. On the Security Gateway / each cluster member, create a special file - $FWDIR/conf/local.arp:
[Expert@HostName]# touch $FWDIR/conf/local.arp
[Expert@HostName]# vi $FWDIR/conf/local.arp
MAC address of the Security Gateway on the External network
Optional: Real IP address of advertising interface (pertinent when dealing with VLANs)
Format of $FWDIR/conf/local.arp file depends on the configuration:
Single Gateway
IP_address_of_Host_1_that_should_be_published MAC_address_of_Gateway's_physical_interface_on_External_network
Example - 10.10.10.X are IP addresses of hosts on Internal Network, that should be published to outside world as 20.30.40.X from the Security Gateway's interface 20.30.40.1 (last argument is optional):
20.30.40.3 00:B4:F3:A8:C1:33
20.30.40.4 00:B4:F3:A8:C1:33
20.30.40.5 00:B4:F3:A8:C1:33
IP_address_of_Host_1_that_should_be_published MAC_address_of_member's_physical_interface_on_External_network
On Member_A
20.30.40.3 00:A0:C9:E8:C7:75
20.30.40.4 00:A0:C9:E8:C7:75
20.30.40.5 00:A0:C9:E8:C7:75
On Member_B
20.30.40.3 00:A0:C9:E8:C7:7F
20.30.40.4 00:A0:C9:E8:C7:7F
20.30.40.5 00:A0:C9:E8:C7:7F
Notes:
After configuring the $FWDIR/conf/local.arp file on ClusterXL in High Availability mode, or on ClusterXL in Load Sharing Unicast mode, Gratuitous ARP Request packets will also be sent for the configured IP address
IP_address_of_Host_1_that_should_be_published VMAC_address IP_address_of_member's_physical_interface_on_External_network

On Member_A
20.30.40.3 00:1C:7F:00:00:FE 192.168.0.1

20.30.40.4 00:1C:7F:00:00:FE 192.168.0.1
20.30.40.5 00:1C:7F:00:00:FE 192.168.0.1
On Member_B
20.30.40.3 00:1C:7F:00:00:FE 192.168.0.2

20.30.40.4 00:1C:7F:00:00:FE 192.168.0.2
20.30.40.5 00:1C:7F:00:00:FE 192.168.0.2
Notes:
IP_address_of_Host_1_that_should_be_published MAC_address_of_member's_physical_interface_on_External_network IP_address_of_member's_physical_interface_on_External_network

On Member_A
20.30.40.3 00:A0:C9:E8:C7:75 192.168.0.1

20.30.40.4 00:A0:C9:E8:C7:75 192.168.0.1
20.30.40.5 00:A0:C9:E8:C7:75 192.168.0.1
On Member_B
20.30.40.3 00:A0:C9:E8:C7:7F 192.168.0.2

20.30.40.4 00:A0:C9:E8:C7:7F 192.168.0.2
20.30.40.5 00:A0:C9:E8:C7:7F 192.168.0.2
Notes:
IP_address_of_Host_1_that_should_be_published Multicast_MAC_address_of_Cluster_VIP_on_External_network
Note:
On Member_A
20.30.40.3 01:00:5e:10:06:64
20.30.40.4 01:00:5e:10:06:64
20.30.40.5 01:00:5e:10:06:64
On Member_B
20.30.40.3 01:00:5e:10:06:64
20.30.40.4 01:00:5e:10:06:64
20.30.40.5 01:00:5e:10:06:64
Notes:
After configuring the $FWDIR/conf/local.arp file on ClusterXL in Load Sharing Multicast mode, Gratuitous ARP Request packets will be sent for the IP addresses of the Hosts specified in $FWDIR/conf/local.arp
IP_address_of_Host_1_that_should_be_published Multicast_MAC_address_of_Cluster_VIP_on_External_network IP_address_of_member's_physical_interface_on_External_network

Note:
On Member_A
20.30.40.3 01:00:5e:10:06:64 192.168.0.1

20.30.40.4 01:00:5e:10:06:64 192.168.0.1
20.30.40.5 01:00:5e:10:06:64 192.168.0.1
On Member_B
20.30.40.3 01:00:5e:10:06:64 192.168.0.2

20.30.40.4 01:00:5e:10:06:64 192.168.0.2
20.30.40.5 01:00:5e:10:06:64 192.168.0.2
Notes:
Cluster in VRRP mode
IP_address_of_Host_1_that_should_be_published VRRP_MAC_Address IP_address_of_member's_physical_interface_on_External_network

On Member_A
20.30.40.3 00:00:5e:00:01:02 192.168.0.1

20.30.40.4 00:00:5e:00:01:02 192.168.0.1
20.30.40.5 00:00:5e:00:01:02 192.168.0.1
On Member_B
20.30.40.3 00:00:5e:00:01:02 192.168.0.2

20.30.40.4 00:00:5e:00:01:02 192.168.0.2
4 di 10 03/02/2015 15:41
20.30.40.5 00:00:5e:00:01:02 192.168.0.2
Notes:
After configuring the $FWDIR/conf/local.arp file on Cluster in VRRP mode running on Gaia OS, by design, Gratuitous ARP Request packets for the configured Hosts will be sent only with Source IP address o
Refer to sk92426 (Automatic NAT IP addresses are assigned with a physical MAC addresses of the cluster members instead of VMAC addresses in Gaia VRRP cluster with enabled VMAC).
or
Notes:
Notes:

No.


the relevant host

Procedure for Gaia OS in VSX mode - R76 / R77 / R77.10 and above - context of VS0 (VSX itself)
The procedure described in this section is supported only for the context of Virtual System 0 (VSX Gateway itself). To configure Proxy ARP on any Virtual System other than VS0, follow the instructions in section "
above - context of any Virtual System, other than VS0".
Important Notes:
Changes to Proxy ARP list made in Clish will take effect only after policy installation.
Since Gaia R77.10, it is also possible to configure Proxy ARP entries in Gaia Portal.
However, Gaia Portal is not supported on Security Gateway in VSX mode.
User must use Clish to configure Proxy ARP in VSX mode.
Since Gaia R76, user has to configure Proxy ARP entries only in Clish using the add 'arp proxy ipv4-address ...' command in the context of the Virtual System 0 (the $FWDIR/conf/local.arp file will be created by Gaia OS in the context
HostName:0> set virtual-system 0

HostName:0> add arp proxy ipv4-address IP_ADDRESS_OF_HOST_THAT_SHOULD_BE_PUBLISHED interface NAME_OF_ADVERTISING_INTERFACE_ON_VIRTUAL_SYSTEM_0 real-ipv4-address REAL_IP_ADDRESS_OF_ADVERTISING_INTERFACE_
HostName:0> save config

HostName:0> add arp proxy ipv4-address IP_ADDRESS_OF_HOST_THAT_SHOULD_BE_PUBLISHED macaddress MAC_ADDRESS_OF_ADVERTISING_INTERFACE_ON_VIRTUAL_SYSTEM_0 real-ipv4-address REAL_IP_ADDRESS_OF_ADVERTISING_IN
Clarification:
Both forms are accepted.
The first form 'add arp proxy ipv4-address ... interface ...' is easier and is recommended:
Using the names of the interfaces is more intuitive
Clish will display the available interfaces in the context of this Virtual System when pressing Tab key after 'interface'
Clish will not allow to use an interface that does not belong to this Virtual System (names of such interfaces will be displayed with asterisk '*')
MAC address of the selected Virtual System's interface will be used automatically
To configure multiple Proxy ARP entries at once, user can create a plain-text file with the relevant 'add arp proxy ipv4-address ...' commands, and then run the 'clish -s -f /path_to/file_with_proxy_arp_syntax.txt
Any change in Proxy ARP made in Clish, will override any manual changes in the $FWDIR/conf/local.arp file.
Proxy ARP configuration made in Clish (and saved in Gaia Database), during boot will override any manual changes in the $FWDIR/conf/local.arp file.
To remove a Proxy ARP entry, run the following Clish commands:
HostName:ANY_VSID> delete arp proxy ipv4-address IP_ADDRESS_OF_HOST_THAT_SHOULD_BE_PUBLISHED

HostName:ANY_VSID> save config
To display the configured ARP Proxy entries:
In Clish, run these commands:
either
HostName:ANY_VSID> show arp proxy all
or
HostName:ANY_VSID> show arp proxy ipv4-address IP_ADDRESS_OF_HOST_THAT_SHOULD_BE_PUBLISHED
In Expert mode, run this command:
[Expert@HostName:ANY_VSID]# grep arpproxy /config/db/initial
Procedure:
1. Connect to command line on VSX Security Gateway / each VSX cluster member (over SSH, or console).
2. Log in to Clish.
3. Switch to the context of the Virtual System 0:
HostName:ANY_VSID> set virtual-system 0
Name of the relevant advertising interface on Virtual System;
or MAC address of the relevant advertising interface on Virtual System
Real IP address of advertising interface on Virtual System
Exact syntax depends on the configuration:
Single VSX Gateway
HostName:0> add arp proxy ipv4-address IP_ADDRESS_OF_HOST_THAT_SHOULD_BE_PUBLISHED interface NAME_OF_ADVERTISING_INTERFACE_INTERFACE_ON_VSX_GATEWAY real-ipv4-address REAL_IP_ADDRESS_OF_ADVERTISING_
Example - 10.10.10.X are IP addresses of hosts on Internal Network, that should be published to outside world as 20.30.40.X from the Virtual System's interface wrp128 with IP 20.30.40.1:
HostName:0> add arp proxy ipv4-address 20.30.40.3 interface wrp128 real-ipv4-address 20.30.40.1
VSX Cluster in High Availability or VSLS mode
HostName:0> add arp proxy ipv4-address IP_ADDRESS_OF_HOST_THAT_SHOULD_BE_PUBLISHED interface NAME_OF_ADVERTISING_INTERFACE_INTERFACE_ON_VIRTUAL_SYSTEM_0 real-ipv4-address REAL_IP_ADDRESS_OF_ADVERTI
Example - 10.10.10.X are IP addresses of hosts on Internal Network, that should be published to outside world as 20.30.40.X from the Virtual System's interface wrp128 with IP 20.30.40.1:
On VSX Member_A
On VSX Member_B
Notes:
During fail-over, by design, a Gratuitous ARP Request packet is sent to the network by the new Active member, so that switches and hosts on the network will know that on each cluster interface the MAC address associated with
After configuring the Proxy ARP entries, on VSX Cluster in High Availability mode, or in VSLS mode, Gratuitous ARP Request packets will also be sent for the configured IP addresses of the Hosts.
5 di 10 03/02/2015 15:41
or
Notes:
Notes:

No.


the relevant host
11. Check the Proxy ARP table on VSX Gateway / each VSX cluster member using the following commands in Expert mode:
[Expert@HostName:0]# fw ctl arp

[Expert@HostName:0]# fw ctl arp -n
[Expert@HostName:0]# arp -a
[Expert@HostName:0]# arp -e
Procedure for Gaia OS in VSX mode - R76 / R77 / R77.10 and above - context of any Virtual System, other than VS0 (VSX itself)
Instructions for the context of Virtual System 0 (VSX itself) appear in the section "Procedure for Gaia OS in VSX mode - R76 / R77 / R77.10 and above - context of VS0 (VSX itself)".
1. Connect to command line on VSX Gateway / each VSX cluster member (over SSH, or console).
3. Switch to the context of the relevant Virtual System:
[Expert@HostName:ANY_VSID]# vsx stat -v

[Expert@HostName:ANY_VSID]# vsenv <VSID>
4. Create a special file - $FWDIR/conf/local.arp in the context of this Virtual System:
[Expert@HostName:<VSID>]# touch $FWDIR/conf/local.arp
[Expert@HostName:<VSID>]# vi $FWDIR/conf/local.arp
MAC address of the Virtual System leading to the External network
Optional: Real IP address of advertising interface of the Virtual System (pertinent when dealing with VLANs)
Single VSX Gateway
IP_address_of_Host_1_that_should_be_published MAC_address_of_Virtual_System's_interface_leading_to_External_network
Example - 10.10.10.X are IP addresses of hosts on Internal Network, that should be published to outside world as 20.30.40.X from the Virtual System's interface wrp128:
20.30.40.3 00:B4:F3:A8:C1:33
20.30.40.4 00:B4:F3:A8:C1:33
20.30.40.5 00:B4:F3:A8:C1:33
On VSX Member_A
20.30.40.3 00:A0:C9:E8:C7:75
20.30.40.4 00:A0:C9:E8:C7:75
20.30.40.5 00:A0:C9:E8:C7:75
On VSX Member_B
20.30.40.3 00:A0:C9:E8:C7:7F
20.30.40.4 00:A0:C9:E8:C7:7F
20.30.40.5 00:A0:C9:E8:C7:7F
Notes:
or
Notes:
Notes:

No.


the relevant host

Procedure for Gaia OS in VSX mode - R75.40VS - context of any Virtual System
6 di 10 03/02/2015 15:41
The procedure described in this section applies to all Virtual Systems - context of Virtual System 0 (VSX Gateway itself) and context of any other Virtual System.
3. Switch to the context of the relevant Virtual System:
[Expert@HostName:ANY_VSID]# vsx stat -v

[Expert@HostName:ANY_VSID]# vsenv <VSID>
4. Create a special file - $FWDIR/conf/local.arp in the context of this Virtual System:
[Expert@HostName:<VSID>]# touch $FWDIR/conf/local.arp
[Expert@HostName:<VSID>]# vi $FWDIR/conf/local.arp
Single VSX Gateway
20.30.40.3 00:B4:F3:A8:C1:33
20.30.40.4 00:B4:F3:A8:C1:33
20.30.40.5 00:B4:F3:A8:C1:33
On VSX Member_A
20.30.40.3 00:A0:C9:E8:C7:75
20.30.40.4 00:A0:C9:E8:C7:75
20.30.40.5 00:A0:C9:E8:C7:75
On VSX Member_B
20.30.40.3 00:A0:C9:E8:C7:7F
20.30.40.4 00:A0:C9:E8:C7:7F
20.30.40.5 00:A0:C9:E8:C7:7F
Notes:
or
Notes:
Notes:

No.


the relevant host

Procedure for SecurePlatform OS - NGX R65 and above (non-VSX)
3. On the Security Gateway / each cluster member, create a special file - $FWDIR/conf/local.arp:
[Expert@HostName]# touch $FWDIR/conf/local.arp
[Expert@HostName]# vi $FWDIR/conf/local.arp
MAC address of the Security Gateway on the External network
Optional: Real IP address of advertising interface (pertinent when dealing with VLANs)
Single Gateway
Example - 10.10.10.X are IP addresses of hosts on Internal Network, that should be published to outside world as 20.30.40.X from the Security Gateway's interface 20.30.40.1 (last argument is optional):
20.30.40.3 00:B4:F3:A8:C1:33
20.30.40.4 00:B4:F3:A8:C1:33
20.30.40.5 00:B4:F3:A8:C1:33
On Member_A
20.30.40.3 00:A0:C9:E8:C7:75
20.30.40.4 00:A0:C9:E8:C7:75
20.30.40.5 00:A0:C9:E8:C7:75
On Member_B
20.30.40.3 00:A0:C9:E8:C7:7F
20.30.40.4 00:A0:C9:E8:C7:7F
20.30.40.5 00:A0:C9:E8:C7:7F
Notes:
After configuring the $FWDIR/conf/local.arp file on ClusterXL in High Availability mode, or on ClusterXL in Load Sharing Unicast mode, Gratuitous ARP Request packets will also be sent for the IP addresses of the H
7 di 10 03/02/2015 15:41

On Member_A
20.30.40.3 00:1C:7F:00:00:FE 192.168.0.1

20.30.40.4 00:1C:7F:00:00:FE 192.168.0.1
20.30.40.5 00:1C:7F:00:00:FE 192.168.0.1
On Member_B
20.30.40.3 00:1C:7F:00:00:FE 192.168.0.2

20.30.40.4 00:1C:7F:00:00:FE 192.168.0.2
20.30.40.5 00:1C:7F:00:00:FE 192.168.0.2
Notes:

On Member_A
20.30.40.3 00:A0:C9:E8:C7:75 192.168.0.1

20.30.40.4 00:A0:C9:E8:C7:75 192.168.0.1
20.30.40.5 00:A0:C9:E8:C7:75 192.168.0.1
On Member_B
20.30.40.3 00:A0:C9:E8:C7:7F 192.168.0.2

20.30.40.4 00:A0:C9:E8:C7:7F 192.168.0.2
20.30.40.5 00:A0:C9:E8:C7:7F 192.168.0.2
Notes:
Note:
On Member_A
20.30.40.3 01:00:5e:10:06:64
20.30.40.4 01:00:5e:10:06:64
20.30.40.5 01:00:5e:10:06:64
On Member_B
20.30.40.3 01:00:5e:10:06:64
20.30.40.4 01:00:5e:10:06:64
20.30.40.5 01:00:5e:10:06:64
Notes:

Note:
On Member_A
20.30.40.3 01:00:5e:10:06:64 192.168.0.1

20.30.40.4 01:00:5e:10:06:64 192.168.0.1
20.30.40.5 01:00:5e:10:06:64 192.168.0.1
On Member_B
20.30.40.3 01:00:5e:10:06:64 192.168.0.2

20.30.40.4 01:00:5e:10:06:64 192.168.0.2
20.30.40.5 01:00:5e:10:06:64 192.168.0.2
Notes:
or
Notes:
Notes:

No.


the relevant host

Procedure for SecurePlatform OS - VSX R65 / VSX R67 / VSX R67.10 / VSX R68
3. On the VSX Gateway / each VSX cluster member, create a special file - $FWDIR/CTX/CTX0000<VSID>/conf/local.arp:
[Expert@HostName:0]# vsx stat -v

[Expert@HostName:0]# touch $FWDIR/CTX/CTX0000<VSID>/conf/local.arp
[Expert@HostName:0]# vi $FWDIR/CTX/CTX0000<VSID>/conf/local.arp
Single VSX Gateway
8 di 10 03/02/2015 15:41
20.30.40.3 00:B4:F3:A8:C1:33
20.30.40.4 00:B4:F3:A8:C1:33
20.30.40.5 00:B4:F3:A8:C1:33
On VSX Member_A
20.30.40.3 00:A0:C9:E8:C7:75
20.30.40.4 00:A0:C9:E8:C7:75
20.30.40.5 00:A0:C9:E8:C7:75
On VSX Member_B
20.30.40.3 00:A0:C9:E8:C7:7F
20.30.40.4 00:A0:C9:E8:C7:7F
20.30.40.5 00:A0:C9:E8:C7:7F
Notes:
or
Notes:
Notes:

No.


the relevant host

(4) General Notes

Show / Hide general notes
By design, in ClusterXL in High Availability mode or ClusterXL Load Sharing Unicast/Multicast mode - Gratuitous ARP Request packets for the specified Hosts (in Gaia Portal / in Gaia Clish / in $FWDIR/conf/local.arp file), will be sent with the Source IP
By design, in 3rd party clusters (e.g., VRRP, OPSEC), Gratuitous ARP Request packets for the specified Hosts (in Gaia Portal / in Gaia Clish / in $FWDIR/conf/local.arp file), will be sent only with Source IP address of the Cluster VIP address.
To display the ARP Proxy table entries on the Security Gateway, use these commands in Expert mode:

The configuration procedure in this article is also valid for VSX Gateway and VSX Cluster (both HA and VSLS).
On VSX NGX R65 / R67 / R67.10 / R68
Configure the $FWDIR/CTX/CTX0000<VSID>/conf/local.arp file, where VSID is the ID number of that Virtual System (refer to the output of 'vsx stat -v' command or 'vsx stat -l' command):

[Expert@HostName:0]# vi $FWDIR/CTX/CTX0000<VSID>/conf/local.arp
On VSX R75.40VS
Configure the $FWDIR/conf/local.arp file in the context of relevant Virtual System (refer to the output of 'vsx stat -v' command or 'vsx stat -l' command):

[Expert@HostName:0]# vsenv <VSID>
[Expert@HostName:VSID]# vi $FWDIR/conf/local.arp
On VSX R76 / R77 / R77.10 and above
Context of VS0 (VSX Gateway itself)
Configure Proxy ARP entries only in Clish using the add 'arp proxy ipv4-address ...' command in the context of the Virtual System 0:

HostName:0> add arp proxy ipv4-address IP_ADDRESS_OF_HOST_THAT_SHOULD_BE_PUBLISHED interface NAME_OF_ADVERTISING_INTERFACE_ON_VIRTUAL_SYSTEM_0 real-ipv4-address REAL_IP_ADDRESS_OF_ADVERTISING_INTERFACE_

HostName:0> add arp proxy ipv4-address IP_ADDRESS_OF_HOST_THAT_SHOULD_BE_PUBLISHED macaddress MAC_ADDRESS_OF_ADVERTISING_INTERFACE_ON_VIRTUAL_SYSTEM_0 real-ipv4-address REAL_IP_ADDRESS_OF_ADVERTISING_IN
Context of any VS, other than VS0
Configure the $FWDIR/conf/local.arp file in the context of relevant Virtual System (refer to the output of 'vsx stat -v' command or 'vsx stat -l' command):

[Expert@HostName:0]# vsenv <VSID>
[Expert@HostName:VSID]# vi $FWDIR/conf/local.arp
It may be required to add an additional entry in the 'local.arp' file next to the MAC Address that defines the Source IP address of the ARP Reply packets that will be sent by Security GAteway (typically, the IP address belonging to t
(5) Related Documentation

Show / Hide related documentation
ClusterXL Administration Guide (R65, R70, R71, R75, R75.40, R75.40VS, R76, R77) - chapter 'ClusterXL Advanced Configuration' - Limitations of Cluster Addresses on Different Subnets - look for 'Manual Proxy ARP'
VSX Administration Guide (VSX NGX R65, VSX NGX R67, VSX NGX R68, R75.40VS, R76, R77)
(6) Related Solutions

Show / Hide related solutions
sk103214 (FWD process on Security Gateway might crash when working with Proxy ARP)
sk93534 (Proxy ARP in Gaia VRRP cluster does not function properly)
sk98853 (Proxy ARP configuration in $FWDIR/conf/local.arp file does not work in R77.10 Gaia OS)
sk18463 ('fwarp_get_arp_interface: no interface found on same subnet as valid ip address: X.X.X.X' error in $FWDIR/log/fwd.elg on ClusterXL members)
sk92364 (Host on network shows an error about duplication of its IP address when ClusterXL with VMAC is used)
9 di 10 03/02/2015 15:41
sk99150 (Manual Proxy ARP configuration for Check Point VSX R65 / VSX R67 / VSX R68 on Crossbeam XOS)
sk34113 (Configuring Manual NAT for Security Gateway on Solaris OS)
sk36045 (ClusterXL instability during failover when using local.arp definitions)
sk43945 (Gratuitous ARP Requests are not sent upon cluster fail-over on VLAN interfaces defined in $FWDIR/conf/local.arp)
sk85460 (Explanation about Client side NAT and Server side NAT)
sk91905 (Configuring Proxy NDP for IPv6 Manual NAT)
sk92426 (Automatic NAT IP addresses are assigned with a physical MAC addresses of the cluster members instead of VMAC addresses in Gaia VRRP cluster with enabled VMAC)
sk95769 (Configuring Proxy ARP for Manual NAT on Locally Managed 600 / 1100 appliances)
(7) Related Debug

Show / Hide hotfix debug instructions
In order to debug the Proxy ARP, use the following procedure:
1. Start traffic capture on the external interface

(whose MAC address was written inside the $FWDIR/conf/local.arp file):
[Expert@HostName]# tcpdump -p -n -i INTERFACE_NAME -w /var/tcpdump.cap [relevant filter]
2. Prepare debug options:
[Expert@HostName]# fw ctl debug 0

[Expert@HostName]# fw ctl debug -buf 32000
[Expert@HostName]# fw ctl debug -m fw + drop conn nat xlate xltrc packet vm highavail
[Expert@HostName]# fw ctl debug -m cluster + drop select mac if
3. Verify debug options:
[Expert@HostName]# fw ctl debug -m fw

[Expert@HostName]# fw ctl debug -m cluster
Notes about the output of these commands:
Pay close attention to the size of the kernel debugging buffer (must be 32000K).
Pay close attention to the name of the kernel debugging module (must be the same name as used in the command).
The order of the flags in this output does not matter - just all the flags you set have to be here.
4. Start kernel debug:
[Expert@HostName]# fw ctl kdebug -T -f > /var/log/debug.txt
5. Replicate the issue.
6. Stop kernel debug:
press CTRL+C
[Expert@HostName]# fw ctl debug 0
7. Stop traffic capture:
Press CTRL+C
8. Send the kernel debug output file to Check Point Support:
/var/log/debug.txt
Output example:
;fw_xlate_arp: before:
; ff-ff-ff-ff-ff-ff <- 00-90-fb-33-2f-6e : 0x0806 ;
; 0x0001 0x0800 6 4 0x0001
00-90-fb-33-2f-6e : 172.25.195.254 -> 00-00-00-00-00-00 : 172.25.195.15 ;
;;
;fw_xlate_arp: after:
; 00-90-fb-33-2f-6e <- 00-50-56-a3-61-73 : 0x0806 ;
; 0x0001 0x0800 6 4 0x0002
00-50-56-a3-61-73 : 172.25.195.15 -> 00-90-fb-33-2f-6e : 172.25.195.254 ;
;;
Applies To:
This solution replaces sk101450.

This solution replaces sk101268.
10 di 10 03/02/2015 15:41

Configuring Proxy ARP For Manual NAT

Încărcat de

Informații document

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Configuring Proxy ARP For Manual NAT

Încărcat de

Drepturi de autor:

Formate disponibile

Support, Support Requests, Training, Documentation, and Knowledge ... https://supportcenter.checkpoint.com/supportcenter/portal/media-type/...

Solution ID: sk30197

Configuring Proxy ARP for Manual NAT

Product: ClusterXL, Security Gateway, VSX

Click Here to Show Entire Article

OS Version Gateway mode VSX mode

R77 Instructions Instructions

SecurePlatform VSX NGX R65

Let us consider the following scenario:

2. On each network, there is a host (Host_A on Network_A, Host_B on Network_B).

(2) Configuration principles

Show / Hide screenshots

either use these commands (via 'interface'):

or use these commands (via 'macaddress'):

To remove a Proxy ARP entry:

Either run the following Clish commands:

HostName> delete arp proxy ipv4-address IP_ADDRESS_OF_HOST_THAT_SHOULD_BE_PUBLISHED

Or remove the entry in Gaia Portal:

To display the configured ARP Proxy entries:

In Clish, run these commands:

In Expert mode, run this command:

[Expert@HostName]# grep arpproxy /config/db/initial

3. Add the relevant Proxy ARP entries:

Each entry contains:

Exact syntax depends on the configuration:

Cluster in VRRP mode

4. Connect with SmartDashboard to Security Management Server / Domain Management Server.

Check the box "Translate destination on client side".

8. Create the following Manual NAT rules:

Original Packet Translated Packet

object that represents 'Static' translation -

object that represents

9. Install the Security Policy.

[Expert@HostName]# fw ctl arp

2. Log in to Expert mode.

[Expert@HostName]# touch $FWDIR/conf/local.arp

4. Add the relevant Proxy ARP entries:

Each entry contains:

Format of $FWDIR/conf/local.arp file depends on the configuration:

IP_address_of_Host_1_that_should_be_published VMAC_address IP_address_of_member's_physical_interface_on_External_network

20.30.40.3 00:1C:7F:00:00:FE 192.168.0.1

20.30.40.3 00:1C:7F:00:00:FE 192.168.0.2

IP_address_of_Host_1_that_should_be_published MAC_address_of_member's_physical_interface_on_External_network IP_address_of_member's_physical_interface_on_External_network

20.30.40.3 00:A0:C9:E8:C7:75 192.168.0.1

20.30.40.3 00:A0:C9:E8:C7:7F 192.168.0.2

IP_address_of_Host_1_that_should_be_published Multicast_MAC_address_of_Cluster_VIP_on_External_network IP_address_of_member's_physical_interface_on_External_network

20.30.40.3 01:00:5e:10:06:64 192.168.0.1

20.30.40.3 01:00:5e:10:06:64 192.168.0.2

Cluster in VRRP mode

IP_address_of_Host_1_that_should_be_published VRRP_MAC_Address IP_address_of_member's_physical_interface_on_External_network

20.30.40.3 00:00:5e:00:01:02 192.168.0.1

20.30.40.3 00:00:5e:00:01:02 192.168.0.2

20.30.40.5 00:00:5e:00:01:02 192.168.0.2

5. Connect with SmartDashboard to Security Management Server / Domain Management Server.

Check the box "Translate destination on client side".

9. Create the following Manual NAT rules:

Original Packet Translated Packet

object that represents 'Static' translation -

object that represents

10. Install the Security Policy.

[Expert@HostName]# fw ctl arp

either use these commands (via 'interface'):

HostName:0> set virtual-system 0