Proxy ARP for Manual NAT – (local.arp file)

Proxy ARP is a mechanism that lets a Gateway respond to ARP requests on behalf of other hosts. For more information about Proxy ARP configuration, see sk30197.

To configure the proxy ARP mechanism on the 61000/41000 Security System:

  1. Add these to $FWDIR/conf/local.arp on the local SGM:
    • The IPs for which the 61000/41000 Security System should answer ARP requests
    • The respective MAC addresses to be advertised

    Note: In a Dual Chassis setup, the interface VMAC differs between Chassis. When you edit local.arp, take the MAC values from the local SGM.

    For example, to reply to ARP requests for IP 192.168.10.100 on interface eth2-01 with MAC address 00:1C:7F:82:01:FE, add the following entry to local.arp:

    192.168.10.100 00:1C:7F:82:01:FE

  2. Distribute the updated local.arp to all SGMs:

    # local_arp_update

    This command distributes local.arp to all SGMs in the system, and automatically changes the MAC values for SGMs on another Chassis.

  3. Enable the Merge manual proxy ARP configuration option in SmartDashboard > Global Properties > NAT.
  4. Install policy to apply the updated proxy ARP entries.
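
A format check for local.arp that can be run on the local SGM before step 2, so a malformed or duplicate entry is caught before it is distributed. This is an added example, not a Check Point tool; `check_local_arp` and `sample_local_arp` are hypothetical names, and the check assumes every entry uses the two-field `IP MAC` form shown in step 1.

```shell
#!/bin/bash
# Added example: lint local.arp entries before running local_arp_update.
# Assumption: each non-blank line is "IPv4-address MAC", as in step 1 above.
check_local_arp() {
    # Reads the file named in $1 (or stdin); prints one line per problem.
    # Returns 0 when every entry is well-formed and unique, 1 otherwise.
    awk '
    function bad(msg) { printf "line %d: %s: %s\n", NR, msg, $0; errs++ }
    function valid_ip(ip,    n, o, i) {
        n = split(ip, o, ".")
        if (n != 4) return 0
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || length(o[i]) > 3 || o[i] + 0 > 255) return 0
        return 1
    }
    function valid_mac(mac,    n, h, i) {
        n = split(mac, h, ":")
        if (n != 6) return 0
        for (i = 1; i <= 6; i++)
            if (h[i] !~ /^[0-9A-Fa-f][0-9A-Fa-f]$/) return 0
        return 1
    }
    NF == 0        { next }                          # skip blank lines
    NF != 2        { bad("expected IP and MAC"); next }
    !valid_ip($1)  { bad("invalid IPv4 address"); next }
    !valid_mac($2) { bad("invalid MAC address"); next }
    ($1 in seen)   { bad("duplicate IP, first seen on line " seen[$1]); next }
                   { seen[$1] = NR }                 # remember where each IP appeared
    END            { exit (errs > 0) }
    ' "$@"
}

# Constructed sample: the entry from step 1 followed by three faulty lines.
sample_local_arp() {
cat <<'EOF'
192.168.10.100 00:1C:7F:82:01:FE
192.168.10.300 00:1C:7F:82:01:FE
192.168.10.101 00:1C:7F:82:01
192.168.10.100 00:1C:7F:82:01:FD
EOF
}

sample_local_arp | check_local_arp || echo "fix local.arp before distributing it"
```

On a real system, run it as `check_local_arp $FWDIR/conf/local.arp`. A file saved with Windows line endings is reported as having invalid MAC addresses, because the trailing carriage return becomes part of the second field.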

Notes:

  • When you add an SGM to a system with proxy ARP configured, the local.arp file is automatically copied to the new SGM from the SMO.
  • When you change local.arp on a Virtual System, the changes apply to that Virtual System only.
  • Proxy ARP is also required when configuring Connect Control on the 61000/41000 Security System.

Verification:

To make sure that all the entries in local.arp are applied correctly on the system, run:

# asg_local_arp_verifier

To compare the entries manually, run:

# g_fw ctl arp
 
©2014 Check Point Software Technologies Ltd. All rights reserved.