To add a proxy ARP entry use the following syntax:

    /sbin/arp -s [NAT IP] [MAC Address] pub

To ensure that the proxy ARP entry is republished after a reboot, create a file called $FWDIR/conf/local.arp. In this file add the following:

    [NAT IP] [MAC Address]

4. Server Side NAT

If you are using Server Side NAT you will need to add an additional route (as explained in Section 2).

The syntax to add this route is detailed below:

Please Note: The "route --save" command will ensure that the routes are reloaded post reboot.

    /sbin/route add -host [NAT IP] gw [Real IP / Next Hop IP]
    route --save

5. Gotchas

Client Side NAT still requires a route

This is by far the biggest gotcha. After adding your proxy ARP entry in a Client Side NAT setup, you may find that your Check Point device is still not replying to the ARP requests for your pre-translated address. There are 2 ways to resolve this issue:

1. Add a route for the pre-translated address for each of your Proxy ARP entries (as detailed within Section 4).
2. In addition to enabling the setting "Translate destination on Client Side" within Global Properties | NAT, enable the setting "Allow bi-directional NAT" and then reboot your Check Point device. Note: When using SPLAT you MUST reboot after enabling "Allow bi-directional NAT".

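As an added example (not part of the original guide), the shell function below audits the first option: it lists every NAT IP in local.arp that has no host route in saved `route -n` output. The function names, temp files and sample addresses are constructed for illustration, and the standard Linux `route -n` column layout is assumed.

```shell
#!/bin/sh
# Added example: find proxy ARP entries that have no matching host route.
# On a live gateway (assumed usage):
#   /sbin/route -n > /tmp/routes.txt
#   missing_host_routes "$FWDIR/conf/local.arp" /tmp/routes.txt

# missing_host_routes ARP_FILE ROUTES_FILE
#   ARP_FILE:    lines of "[NAT IP] [MAC Address]" (the local.arp layout)
#   ROUTES_FILE: saved output of "route -n"
# Prints one NAT IP per line for each entry lacking a host route.
missing_host_routes() {
    awk '
        # Routing table: a host route has Genmask 255.255.255.255.
        FILENAME == ARGV[1] {
            if ($3 == "255.255.255.255") routed[$1] = 1
            next
        }
        # local.arp: skip blank lines and "#" lines (defensive assumption).
        NF == 0 || $1 ~ /^#/ { next }
        !($1 in routed) { print $1 }
    ' "$2" "$1"
}

# demo: runs the check against constructed sample data.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/routes.txt" <<'EOF'
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.0.2.10      10.1.1.10       255.255.255.255 UGH   0      0        0 eth1
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         192.0.2.1       0.0.0.0         UG    0      0        0 eth0
EOF
    cat > "$tmp/local.arp" <<'EOF'
192.0.2.10 00:1c:7f:00:00:01
192.0.2.11 00:1c:7f:00:00:01
EOF
    missing_host_routes "$tmp/local.arp" "$tmp/routes.txt"
    rm -rf "$tmp"
}

demo
```

An empty result means every published address has a host route. Any address printed is one the firewall may still fail to answer ARP for unless bi-directional NAT is enabled.
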
Removing a Node from a Cluster

If you have detached a node from a cluster and have not disabled the node's cluster membership in cpconfig, you may find that your Proxy ARPs are shown in `fw ctl arp` but the firewall still doesn't reply to the ARP requests. As mentioned, go into cpconfig and disable the cluster membership.

IPSO to SPLAT migrations

You may find that you convert all the Proxy ARPs and the routes, then migrate over to the SPLAT device, but your traffic still fails to work. This can be down to the way in which IPSO (BSD) publishes its Proxy ARPs. Because IPSO publishes them within its routing table, it may not require routes for the pre-translated addresses, which then causes a problem when changing operating systems.

To resolve this you can either create your routes (by grepping the routing table for MAC addresses and then converting them into routes; the sed tool is great for this) or use the Client Side and bi-directional NAT settings from the gotcha above to eliminate the need for routes.

This will prevent you from having to reboot the firewall each time you need to add a Proxy ARP.