Proxy ARP – SPLAT

This guide attempts to explain Proxy ARP on the Check Point SPLAT platform.

1. What is Proxy ARP?

There are 2 ways to get a packet to a device.

  1. Route the packet to the device.
  2. Add a proxy ARP entry so that the network host answers ARP queries for IP addresses that are not configured on the receiving interface.

2. Client Side vs Server Side NAT

When using Server Side NAT the destination IP address is NAT'd by the outbound Kernel. This means that the routing table is queried before the destination IP address is translated, so a route is required for the pre-translated address (further detailed in Section 4).

You can check whether you are using Client Side or Server Side NAT by checking your settings within Global Properties | NAT | Translate on Client Side.

3. How to add a Proxy ARP on SPLAT

To add a proxy ARP entry use the following syntax:

/sbin/arp -s [NAT IP] [MAC Address] pub

To ensure that the proxy ARP is republished post reboot, create a file called $FWDIR/conf/local.arp. In this file add the following:

[NAT IP] [MAC Address]

4. Server Side NAT

If you are using Server Side NAT you will need to add an additional route (as explained in Section 2).

The syntax to add this route is detailed below:
Please note: the "route --save" command will ensure that the routes are reloaded post reboot.

/sbin/route add -host [NAT IP] gw [Real IP / Next Hop IP]
route --save
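
Sections 3 and 4 combined into one pass, as an added example that is not part of the original guide. It validates each entry and prints the arp, local.arp and route commands for review instead of running them. The three-column input format, the function names and the sample addresses are assumptions of this example.

```shell
#!/bin/sh
# Added example: print (never run) the SPLAT commands for a list of NAT entries.
# Assumed input, one entry per line: <NAT IP> <MAC address> <real/next-hop IP>

valid_ip() {   # dotted quad, every octet 0-255
    case "$1" in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

valid_mac() {  # six colon-separated hex pairs; printf avoids echo's escape handling
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Reads entries on stdin, writes commands to stdout, problems to stderr.
# Fields are validated first, so only IP and MAC characters reach the output.
gen_commands() {
    rc=0; n=0; emitted=0; seen=" "
    while read -r nat mac gw extra; do
        n=$((n + 1))
        case "$nat" in ''|'#'*) continue ;; esac
        if [ -n "$extra" ] || ! valid_ip "$nat" || ! valid_mac "$mac" || ! valid_ip "$gw"; then
            echo "line $n: rejected (bad IP, MAC or field count)" >&2; rc=1; continue
        fi
        case "$seen" in *" $nat "*)
            echo "line $n: duplicate NAT IP $nat" >&2; rc=1; continue ;;
        esac
        seen="$seen$nat "; emitted=1
        echo "/sbin/arp -s $nat $mac pub"
        echo "echo '$nat $mac' >> \$FWDIR/conf/local.arp"
        echo "/sbin/route add -host $nat gw $gw"
    done
    [ "$emitted" -eq 1 ] && echo "route --save"
    return $rc
}

sample_entries() {  # constructed sample data (documentation address ranges)
    cat <<'EOF'
# NAT IP      MAC                real IP
192.0.2.10    00:11:22:33:44:55  10.1.1.10
192.0.2.11    00:11:22:33:44:55  10.1.1.300
192.0.2.10    00:11:22:33:44:55  10.1.1.12
EOF
}

sample_entries | gen_commands || echo "some entries were rejected" >&2
```

The sample run emits commands for the first entry only and reports line 3 (invalid next hop) and line 4 (duplicate NAT IP) on stderr.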

5. Gotchas

Client Side NAT still requires a route

This is by far the biggest gotcha. After adding your proxy ARP entry and using a Client Side NAT setup you may find that your Check Point device is still not replying to the ARP requests for your pre-translated address. There are 2 ways to resolve this issue:

  1. Add a route for the pre-translated address for each of your Proxy ARP entries (as detailed within Section 4).
  2. With the setting “Translate destination on Client Side” within Global Properties | NAT already enabled, also enable the setting “Allow bi-directional NAT” and then reboot your Check Point device. Note: When using SPLAT you MUST reboot after enabling “Allow bi-directional NAT”.

Removing a Node from a Cluster

If you have detached a node from a cluster and have not disabled the node's cluster membership in cpconfig, you may find that your Proxy ARPs are shown in `fw ctl arp` but the firewall still doesn’t reply to the ARP requests. As mentioned, go into cpconfig and disable the cluster membership.

IPSO to SPLAT migrations

You may find that you convert all the Proxy ARPs and the routes, then migrate over to the SPLAT device, but your traffic still fails to work. This can be down to the way in which IPSO (BSD) publishes its Proxy ARPs. Because it publishes them within its routing table, IPSO may not require routes for the pre-translated addresses, which then causes a problem when changing operating systems.
To deal with this you can either create your routes (by grepping the routing table for MAC addresses and then converting them into routes; the sed tool is great for this) or use the Client Side NAT gotcha above to enable Client Side and bi-directional NAT and eliminate the need for routes.
This will prevent you from having to reboot the firewall each time you need to add a Proxy ARP.

Rick Donato
