
When doing client-side NAT on Checkpoint boxes with manually created NAT rules, the process for adding proxy ARP differs between platforms.

 

IPSO is probably the most straightforward:

  1. Ensure you have the NAT rule in the policy
  2. Go to Voyager; add a proxy ARP entry

 

But on SPLAT I found I had to do the following:

  1. Ensure you have the NAT rule in the policy
  2. In Dashboard; Global Properties / NAT / Untick ‘Automatic ARP configuration’ – install policy if necessary
  3. SSH to device and enter expert mode
  4. cd $FWDIR/conf ; vi local.arp
  5. Add a line with your IP and interface MAC address in the format: 123.123.123.123   AA:BB:CC:DD:EE:FF
  6. Save file
  7. Apply the config by restarting Checkpoint; $host>cpstop && cpstart (Thanks @Levente Szabo for the update)

Only now would the device respond to ARP requests for that IP address, i.e. the address used in the manual NAT rule.
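Steps 4 to 6 of the SPLAT procedure, as an added shell example that is not part of the original post: it validates the IP and MAC, writes the entry in the IP/MAC format shown in step 5, and refuses to remap an IP that already points at a different MAC. The function names and the .bak backup copy are assumptions of this example, and it assumes the standard grep, awk and tr tools are available in expert mode.

```shell
#!/bin/sh
# Added example: validate and add a proxy ARP entry to a local.arp-style file.

# Return 0 only for a dotted-quad IPv4 address with every octet in 0-255.
valid_ip() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the address into its four octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Return 0 for a MAC written as six colon-separated hex pairs.
valid_mac() {
    echo "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# add_proxy_arp FILE IP MAC  (hypothetical helper name)
# Returns 0 = added or already present, 1 = bad input, 2 = IP has another MAC.
add_proxy_arp() {
    file=$1 ip=$2 mac=$3
    valid_ip "$ip"   || { echo "bad IP: $ip" >&2; return 1; }
    valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    [ -f "$file" ] || : > "$file"
    # Find any MAC already recorded for this exact IP (first column).
    existing=$(awk -v ip="$ip" '$1 == ip { print toupper($2); exit }' "$file")
    want=$(echo "$mac" | tr 'a-f' 'A-F')
    if [ -n "$existing" ]; then
        [ "$existing" = "$want" ] && return 0
        echo "conflict: $ip already mapped to $existing" >&2
        return 2
    fi
    cp -p "$file" "$file.bak"      # keep a copy of the file before editing
    printf '%s   %s\n' "$ip" "$want" >> "$file"
}

# Usage on the gateway (expert mode), followed by step 7 from the post:
#   add_proxy_arp "$FWDIR/conf/local.arp" 123.123.123.123 AA:BB:CC:DD:EE:FF
```
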

One Response to “Add proxy arp on Checkpoint SPLAT”

  1. Levente Szabo

    Hey,

    Great, straightforward explanation. The only thing I’d like to add is that on SPLAT you don’t need to reboot the FW, cpstop && cpstart is enough.

