Detection of IP Address Conflicts

From R81, the Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. Operating System detects IPv4 address conflicts - if a different device on a directly connected network uses an IPv4 address that belongs to one of the Gaia interfaces.

Example: Gaia interface eth1 has the IPv4 address 10.1.1.1, and some other device on the network connected to eth1 uses the same IPv4 address 10.1.1.1. The device causes an IP address conflict.

Important - The detection of IP address conflicts:

Is disabled by default.
Supports only IPv4 addresses.
Supports only interfaces with an assigned IPv4 address and with the state "on" ("enabled").
Is configured only in Gaia Clish The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell)..

Configuration in Gaia Clish

Important:

In a Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing., you must configure all the Cluster Members in the same way.
On Scalable Platforms (Maestro and Chassis), you must run the applicable commands in Gaia gClish of the applicable Security Group.

Syntax

Important - After you add, configure, or delete features, run the "save config" command to save the settings permanently.

Parameters

CLI Parameters

Command

Description

set ip-conflicts-monitor interface {all | <Name of Interface>}

Specifies the interfaces, on which Gaia monitors for :

all

Detect IP address conflicts (duplicate IP addresses) on all supported interfaces
<Name of Interface>

Detect IP address conflicts on the specified interface only

You can run this command for each applicable interface

Best Practice - Enable this feature only for interfaces connected to your internal networks. If you enable this feature for all interfaces, or for interfaces connected to external networks, this feature generates too many log messages in the /var/log/messages file.

set ip-conflicts-monitor state {off | on}

Enables (on) and disables (off) the feature.

show ip-conflicts-monitor interfaces

Shows the interfaces, on which Gaia detects IP address conflicts.

show ip-conflicts-monitor state

Shows the current state of the feature (off or on).

delete ip-conflicts-monitor interfaces {all | <Name of Interface>}

Specifies the interfaces, on which Gaia stops to detect IP address conflicts:

all

Stop to detect IP address conflicts on all supported interfaces
<Name of Interface>

Stop to detect IP address conflicts on the specified interfaces only

Log Messages

After you enable and configure this feature, it generates one of these messages in the /var/log/messages file:

Log Message	Description
`new station`	Gaia detected a new MAC address on a directly connected network and a new IP address is assigned to that MAC address.
`changed ethernet address`	Gaia detected that an IP address stored in the binding database is assigned to a new MAC address on a directly connected network.
`flip flop`	The second recent binding of a MAC address to an IP address is currently the most recent binding in the binding database. This potentially indicates an IP address conflict on the network.
`reused old ethernet address`	The third (or older) recent binding of a MAC address to an IP address is currently the most recent binding in the binding database. This very likely indicates a 3-way (or greater) IP address conflict.

To see the applicable log messages:

Step

Instructions

Connect to the command line.

Run:

grep "arpwatch:" /var/log/messages*

Example:

[Expert@MyGaia:0]# grep "arpwatch:" /var/log/messages*
Aug  3 19:23:16 2020 MyGaia arpwatch: listening on eth0
Aug  3 19:23:16 2020 MyGaia arpwatch: new station 192.168.3.51 00:50:56:a3:73:26
Aug  3 19:23:17 2020 MyGaia arpwatch: new station 192.168.3.29 00:50:56:a3:68:60
... ... (truncated for brevity) ... ...
[Expert@MyGaia:0]#

Additional Information

The detection of IP address conflicts is based on the Linux arpwatch tool.
When you enable this feature, Gaia runs the /bin/arpwatch_launcher daemon. This daemon is responsible to run the /etc/rc.d/init.d/arpwatch service.
Gaia saves the applicable configuration in the Gaia database and in the /etc/sysconfig/arpwatch file.

Gaia generates the /etc/sysconfig/arpwatch file automatically.
Gaia saves the MAC-to-IP address binding information in the /var/lib/arpwatch/arp.dat.<Name of Interface> file.

The information includes:
- The detected MAC address
- The IP address assigned to that MAC address
- The time of detection (in Unix epoch format)
It can take several minutes for Gaia to populate this database.