Proxy ARP for Manual NAT – (local.arp file)

Proxy ARP is a mechanism that lets a Gateway respond to ARP requests on behalf of other hosts. For complete documentation on Proxy ARP configuration, refer to sk30197.

To configure the proxy ARP mechanism on the 61000/41000 Security System:

  1. Add the IP addresses for which the 61000/41000 Security System should answer ARP requests, together with the MAC addresses to be advertised, to the $FWDIR/conf/local.arp file on the local SGM.

    Note: The interface VMAC value differs between Chassis in a Dual Chassis setup. When editing the local.arp file, take the MAC values from the local SGM.

    For example, in order to reply to ARP requests for IP 192.168.10.100 on interface eth2-01 with MAC address 00:1C:7F:82:01:FE, add the following entry to the local.arp file:

    192.168.10.100 00:1C:7F:82:01:FE

  2. Run the command local_arp_update on the SGM with the updated file to distribute it among all the SGMs in the system. The command distributes the local.arp file to every SGM in the system and automatically changes the MAC values for SGMs on another Chassis.
  3. Enable the Merge manual proxy ARP configuration option in SmartDashboard > Global Properties > NAT.
  4. Install policy to apply the updated proxy ARP entries.
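
A malformed or duplicated entry in local.arp is copied to every SGM by local_arp_update, so it is worth checking the file before step 2. The following is an added example, not part of the original Check Point documentation: check_local_arp is a hypothetical helper name, and the script assumes the two-field "IP MAC" line format shown in the example entry above.

```shell
#!/bin/bash
# Added example (not Check Point code): pre-flight check of a local.arp file.
# Assumption: each non-blank line is "<IPv4> <MAC>", as in the entry shown on this page.
# check_local_arp is a hypothetical helper name.
check_local_arp() {
    # $1 = path to the file. Prints one line per problem; returns 1 if any was found.
    awk '
    function valid_ip(ip,   n, o, i) {
        n = split(ip, o, ".")
        if (n != 4) return 0
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || length(o[i]) > 3 || o[i] + 0 > 255) return 0
        return 1
    }
    function valid_mac(mac,   n, h, i) {
        n = split(mac, h, ":")
        if (n != 6) return 0
        for (i = 1; i <= 6; i++)
            if (h[i] !~ /^[0-9A-Fa-f][0-9A-Fa-f]$/) return 0
        return 1
    }
    /^[ \t]*$/ { next }    # ignore blank lines
    {
        if (NF != 2) {
            print "line " NR ": expected IP and MAC, got " NF " fields"
            bad = 1
            next
        }
        # A stray carriage return from a Windows editor ends up in $2 and fails here.
        if (!valid_ip($1))  { print "line " NR ": invalid IPv4 address " $1; bad = 1 }
        if (!valid_mac($2)) { print "line " NR ": invalid MAC address " $2; bad = 1 }
        # Two entries for one IP would advertise conflicting MAC addresses.
        if ($1 in seen) {
            print "line " NR ": duplicate IP " $1 " (first on line " seen[$1] ")"
            bad = 1
        } else {
            seen[$1] = NR
        }
    }
    END { exit bad + 0 }
    ' "$1"
}
```

Call it as check_local_arp "$FWDIR/conf/local.arp" on the SGM where the file was edited, and continue with local_arp_update only when it prints nothing.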

Notes:

  • When you add an SGM to a system with proxy ARP configured, the local.arp file is automatically copied to the new SGM from the SMO.
  • Proxy ARP is also required when configuring Connect Control on the 61000/41000 Security System.

Verification:

To verify that all entries in the local.arp file are applied correctly on the system, run asg_local_arp_verifier. For a manual comparison, run g_fw ctl arp.

 
©2014 Check Point Software Technologies Ltd. All rights reserved.