Static PAT and Proxy ARP in Check Point R75


If you’re trying to configure a Static PAT/Port forwarding rule in Check Point and if it still isn’t working, then this post will help you to understand the reason behind it and also what additional configuration will be required to get it to work.

Adding  a Static PAT/Port forwarding rule in Check Point is one hell of a task because Auto NAT in Check Point doesn’t allow you to specify any ports (unlike Cisco ASA’s Auto NAT post 8.3), so you have to use Manual NAT here . And to make that work you’ll also have to configure Static ARPs on the firewall.

The reason for manually configuring the ARP entry is because, when you use a Manual NAT to configure a Static PAT rule, the external interface of the firewall does not proxy ARP if the NAT IP (public IP) used for the internal server belongs to the connected subnet with your ISP.

As you can see in the diagram below, the NAT IP 1.1.1.3 to be used for the internal web server belongs to the connected subnet 1.1.1.0/24 between the firewall and the ISP edge router, so the firewall’s external interface will not Proxy ARP for any of the IPs in that subnet.

Network Diagram

There are two solutions to this problem:-

1. Manually configure ARP entries on the firewall for each additional Public IP that you will use from the connected subnet for your servers.

2. Ask your ISP to point host routes towards your firewall for every public IP that you will be using for your servers. The /32 routes need to be statically routed over the same connected subnet.

Solution 1 – Manually configuring ARP entry on the firewall

Configuration for Check Point SPLAT device:-

Login into the expert mode:

[gw1]# expert
Enter expert password: 
You are in expert mode now.
[Expert@gw1]#

Adding a Static ARP entry:

[Expert@gw1]# /sbin/arp –s 1.1.1.3 00:0c:29:62:4c:67 pub

Deleting a Static ARP entry:

[Expert@gw1]# /sbin/arp –d 1.1.1.3

Looking up the ARP table:

[Expert@gw1]# /sbin/arp
Address           HWtype     HWaddress              Flags  Mask   Iface
192.168.2.99      ether      00:50:56:C0:00:09      C             eth3
1.1.1.3           ether      00:0C:29:62:4C:67      MP            eth0

Adding the ARP entry to the local.arp file to retain the entries even after the device is rebooted.

vi /$FWDIR/conf/local.arp
i
1.1.1.3 00:0c:29:62:4c:67

:wq

Configuration for a Nokia box:-

Access the Voyager GUI > Config > ARP > add the ARP entry and select ‘Proxy Only’ type.

SmartDashboard Configuration:-

After adding the ARP entry in the Security Gateway, you also need to merge the manual ARP configuration with the ARPs automatically learnt by the firewall.

SmartDashboard > Policy > Global Properties > NAT > Check – Merge manual proxy ARP configuration

Global properties for ARP
Global properties for ARP

Once the ARP entry has been added you can configure the Manual NAT to perform the required PAT/Port forwarding.

SmartDashboard > NAT > Configure the Manual NAT (Nodes were already configured)

Manual NAT
Manual NAT

Solution 2 – Static route on the ISP’s edge router

This is actually considered to be an ideal solution as you don’t have to mess with the ARP entries in the firewall.

vyatta@Internet:~$ show ip route | match 1.1.1
C>* 1.1.1.0/24 is directly connected, eth0
S>* 1.1.1.3/32 [1/0] via 1.1.1.1, eth0

If you have the ISP adding host routes pointing to your firewall, then you need not add those static ARP entries.

Here’s more Check Point stuff that might interest you > https://networkology.net/tag/checkpoint/

Advertisements

11 thoughts on “Static PAT and Proxy ARP in Check Point R75

  1. Hello,

    I found your post very interesting. I have one question: Can you confirm this problem only concerns the external interface ?
    I performed some tests with Auto/Manual NAT, with traffic initiated from internal Interfaces, it seems to working correctly.

    Thks !

  2. Hey Romain,

    I had tried this in my virtual lab, specifically for traffic initiated from the external interface and this was done on R75 SPLAT image. I cannot guarantee that this behavior is the same across all platforms and newer versions.

    Thanks,
    Shoaib

  3. Hello swibawa,

    Apologies for the late response. For some reason your comment landed up in the spam folder.
    That MAC address is of the outside (ISP facing) interface of the firewall.

    Regards,
    Shoaib

  4. Hello Shoaib

    Can i get to know more aout anti-spoofing in checkpoint and how t configure networks in each interface for allowing or denying IP’s

  5. Hello Mohan

    Anit-spoofing in Check Point is the same as what you know about it in other products. The only thing is that you have to manually configure anti-spoofing in Check Point, whereas, if you take Cisco ASA as an example, when you configure routes, anti-spoofing is automatically enabled for that subnet. Cisco also has a similar feature called uRPF if you want to manually configure anti-spoofing.

    The way to configure anti-spoofing is to go in the topology section of the gateway, edit the topology, select the interface you want to configure anti-spoofing on, ensure you have pre-created groups/objects of the subnet you want to specifically allow under anti-spoofing, and then refer the network objects/groups under the allowed list. Anything that isn’t listed will be denied.

    Sorry for the late response. I’ve been quite busy lately. :)

    Regards,
    Shoaib

  6. Hi,

    your posts are very useful, can you please explain Manual Nat for internal users to connect to internet on checkpoint firewall?

  7. Hi Shoiab,

    I was curious to ask, do we still need proxy arp in the higher versions let’s say for. R77 irrespective of the nat types/rules.

    Is it possible to add one of the internal address such if the requests is for internal address external interface IP can proxy on behalf to let the host know if it’s reachable via its interface.

    Hope I was able to convey my question correctly… Thanks

  8. I can confirm the same behavior even in R80.10.
    Had to check ‘Merge manual proxy ARP configuration’ to force the firewall to respond to ARP queries.
    Without this option being checked, the firewall was showing the ARP entry in the configuration as well as the output of ‘show arp proxy all’, however, wasn’t answering the ARP requests.
    Cheers!

  9. Hey Ans,

    I tested this long back and it was only tested for Static PAT, and at that point of time I didn’t test any other NAT types for this behavior. I recently tested Static NAT and it doesn’t have this issue. And as per Japinder’s comment it seems Static PAT still works the same. :)

    Regards,
    Shoaib

  10. Hey Japinder,

    Thanks for testing it out! So you too tested with a Static PAT right? Let me test it again sometime soon and revert back with my findings. I have R77 at the moment in my lab.

    Regards,
    Shoaib

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s