Add proxy arp on Checkpoint SPLAT

January 26, 2012

When doing client-side NAT on Checkpoint boxes with manual NAT rules, IPSO is probably the most straightforward:

  1. Assume you have the NAT rule in the policy
  2. Go to Voyager and add a proxy ARP entry

But on SPLAT I found I had to do the following:

  1. Assume you have the NAT rule in the policy
  2. In Dashboard, go to Global Properties / NAT and untick ‘Automatic ARP configuration’; install policy if necessary
  3. SSH to device and enter expert mode
  4. cd $FWDIR/conf ; vi local.arp
  5. Add line in the format 123.123.123.123   AA:BB:CC:DD:EE:FF
  6. Save file
  7. It seems you have to reboot the system for these changes to be applied

Only now would the device respond to ARP requests for that IP address, i.e. when creating manual NAT.
