How to add NATs and ARPs on Gaia with VRRP

From cpwiki.net
Check Point Professional Services


add NAT rules

Step 1 - Add automatic or manual static NATs in the ruleset as normal.

configuring proxy ARP

Automatic ARP is not compatible with firewalls that use VRRP for HA, because Automatic ARP is designed for CPHA (ClusterXL) or standalone firewalls: it publishes unicast MACs, whereas VRRP operates with multicast MACs.

Step 2 - Disable Automatic ARP in your policy (Global Properties, NAT) if it isn't already.

Step 3 - Set up manual proxy ARPs for all your NAT IPs. Use the VRRP MAC for these.

Configure manual proxy ARPs on Gaia by adding an entry to the file /etc/fw/conf/local.arp, one NAT IP per line.

The entry format is

nat_ip vrrp_mac firewall_unicast_interface_ip

Example entry

192.168.100.100 00:00:5e:00:01:0A 192.168.100.1

The proxy ARP takes effect upon the next policy installation.


Determining your firewall's VRRP MAC

[Expert@mygaiafw]# clish -c "show vrrp interfaces" |  grep -m 1 VMAC 
           VMAC Mode:                VRRP                 VMAC:                     00:00:5e:00:01:0a 

So 00:00:5e:00:01:0a is the VRRP MAC, or VMAC. With VMAC Mode set to VRRP (as in the output above) it is determined by the formula

VMAC = 00:00:5e:00:01:XX, where XX = your VRRP VRID in hex
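The following shell helper is an added example, not from the wiki page or from Check Point: it derives the VMAC from a VRID with the formula above, builds local.arp lines in the format described in the previous section, and cross-checks an existing local.arp against the VRID so that stale entries (for example from an earlier VRID) are caught before policy installation. It assumes VMAC Mode is VRRP and that the VRID is taken from clish "show vrrp"; the sample local.arp content is constructed for the demonstration.

```shell
#!/bin/sh
# Derive the VRRP virtual MAC for a VRID (1-255): 00:00:5e:00:01:XX, XX = VRID in hex.
vrrp_vmac() {
    vrid="$1"
    case "$vrid" in
        ''|*[!0-9]*) echo "invalid VRID: $vrid" >&2; return 1 ;;
    esac
    # Strip leading zeros so printf does not read the value as octal.
    vrid=$(printf '%s' "$vrid" | sed 's/^0*//'); [ -z "$vrid" ] && vrid=0
    if [ "$vrid" -lt 1 ] || [ "$vrid" -gt 255 ]; then
        echo "VRID out of range (1-255): $vrid" >&2; return 1
    fi
    printf '00:00:5e:00:01:%02x\n' "$vrid"
}

# Build one local.arp line: nat_ip vrrp_mac firewall_unicast_interface_ip
local_arp_entry() {
    nat_ip="$1"; iface_ip="$3"
    vmac=$(vrrp_vmac "$2") || return 1
    printf '%s %s %s\n' "$nat_ip" "$vmac" "$iface_ip"
}

# Report local.arp lines whose MAC is not the VMAC for the given VRID.
# Comments and blank lines are skipped; returns 0 only when every entry matches.
check_local_arp() {
    expected=$(vrrp_vmac "$1") || return 1
    bad=0
    while read -r nat mac ip; do
        [ -z "$nat" ] && continue
        case "$nat" in '#'*) continue ;; esac
        if [ "$(printf '%s' "$mac" | tr 'A-F' 'a-f')" != "$expected" ]; then
            echo "mismatch: $nat $mac $ip (expected $expected)"
            bad=1
        fi
    done < "$2"
    return $bad
}

# Constructed sample local.arp (hypothetical): second line is a stale entry from VRID 11.
sample=$(mktemp)
printf '%s\n' "192.168.100.100 00:00:5e:00:01:0A 192.168.100.1" \
               "192.168.100.101 00:00:5e:00:01:0b 192.168.100.1" > "$sample"
local_arp_entry 192.168.100.102 10 192.168.100.1   # line to append for a new NAT IP
check_local_arp 10 "$sample" || echo "fix the entries above, then reinstall policy"
rm -f "$sample"
```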


verifying proxy arps

To make sure the firewall is publishing the newly added proxy ARP, run (in expert mode)

# fw ctl arp 

You should see the new entry in the output.