Check Point automatic arp with VRRP in X-series DBHA setups

Article ID: 168006

Products

XOS

Issue/Introduction

If the Check Point automatic ARP feature is required, then the VRRP MAC address needs to be associated with the NATted IP address in the local.arp file. Here are some symptoms that may occur:
1. Traffic is sent to the hide NAT addresses on the backup chassis.
2. The ARP entry on the adjacent router points to the physical MAC of the circuit on the VRRP backup chassis and not to the VRRP MAC.


Cause

Automatic ARP is a Check Point feature that enables a Check Point enforcement module to manage ARP resolution for NATted IP addresses when those addresses are part of the attached subnet.

When using X-Series VRRP, this may cause an inconsistency between the ARP tables of the members and the real state of VRRP. The issue occurs because the circuit's physical MAC address is used with the NAT IP address.

NOTE: This article is created for Check Point SG versions. For Check Point VSX versions, please refer to article 5053.

Resolution

Perform the following steps on all the VAP members of the VAP group.

1. Create a file named local.arp on the firewalls in the $FWDIR/conf directory.

2. Run the following command to identify the VRRP MAC addresses associated with the VRRP IP addresses of the circuits that have NAT enabled:
show vrrp virtual-router

3. In the local.arp file, enter one line for each NATted IP address using the following syntax, followed by [Enter]:

<NAT IP> <VRRP MAC address of external interface of Firewall> <VRRP IP address of the Firewall interface>
2.2.2.2 00:00:5E:00:00:0E 10.2.3.1

In this example:
2.2.2.2 represents the NATted IP address.
00:00:5E:00:00:0E represents the MAC address of the VRRP IP address.
10.2.3.1 is the VRRP IP address corresponding to the MAC address above.

4. Save the file after you have entered all of your NAT IPs and associated each with the appropriate MAC.

NOTE: This step forces the firewalls to use the local.arp definition (if it exists) instead of binding to the interface MAC.

5. Once the local.arp file has been created on all the VAP members, on the SmartCenter go to Policy --> Global Properties --> NAT and select "Merge manual proxy ARP configuration".

6. Push the policy to the firewalls.
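The following checker is an added example and is not part of the article, nor code from Check Point or XOS. It validates a local.arp file written in the three-field syntax above against the VRRP state of the VAP group, catching the exact mistake the article describes (a NAT IP bound to a circuit's physical MAC instead of the VRRP MAC), and it can also render the file from a NAT IP to VRRP IP mapping. It assumes VRRP_TABLE is a dictionary the operator transcribed from `show vrrp virtual-router` (the real output of that command is not parsed), and PHYSICAL_MACS is a constructed set of circuit hardware MACs; the sample local.arp content and all addresses other than the article's own example line are constructed.

```python
"""Validate or render a Check Point local.arp file for an X-Series VRRP setup.

Added example, not from the article or from Check Point/XOS. Assumptions:
- VRRP_TABLE maps VRRP IP -> VRRP MAC as transcribed by hand from
  `show vrrp virtual-router`; the command's real output is not parsed here.
- PHYSICAL_MACS holds the circuits' hardware MACs (constructed values) so a
  NAT IP mistakenly bound to a physical MAC is reported.
"""
import ipaddress
import re

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")

# Constructed: VRRP IP -> VRRP MAC (first pair is the article's example, second is invented)
VRRP_TABLE = {
    "10.2.3.1": "00:00:5E:00:00:0E",
    "10.2.4.1": "00:00:5E:00:00:0F",
}
# Constructed: physical MACs of the circuits on the two chassis
PHYSICAL_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}

# Constructed local.arp content: line 1 is correct, lines 2-4 show typical faults
SAMPLE_LOCAL_ARP = """\
2.2.2.2 00:00:5E:00:00:0E 10.2.3.1
2.2.2.3 00:11:22:33:44:55 10.2.3.1
2.2.2.4 00:00:5E:00:00:0E 10.9.9.1
2.2.2.5 00:00:5E:00:00:0E
"""


def check_local_arp(text, vrrp_table, physical_macs):
    """Return a list of (line_no, problem) tuples; an empty list means consistent."""
    problems = []
    seen = {}  # NAT IP -> line number, to flag duplicates
    vrrp_macs = {ip: mac.lower() for ip, mac in vrrp_table.items()}
    phys = {m.lower() for m in physical_macs}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            problems.append((n, "expected 3 fields: <NAT IP> <VRRP MAC> <VRRP IP>"))
            continue
        nat_ip, mac, vrrp_ip = fields
        try:
            ipaddress.IPv4Address(nat_ip)
            ipaddress.IPv4Address(vrrp_ip)
        except ValueError:
            problems.append((n, "invalid IPv4 address"))
            continue
        if not MAC_RE.match(mac):
            problems.append((n, f"invalid MAC format: {mac}"))
            continue
        mac = mac.lower()
        if nat_ip in seen:
            problems.append((n, f"{nat_ip} already defined on line {seen[nat_ip]}"))
            continue
        seen[nat_ip] = n
        # The symptom from the article: NAT IP answered with the circuit's physical MAC
        if mac in phys:
            problems.append((n, f"{nat_ip} is bound to physical MAC {mac}; use the VRRP MAC"))
            continue
        if vrrp_ip not in vrrp_macs:
            problems.append((n, f"{vrrp_ip} is not a VRRP IP of this VAP group"))
            continue
        if mac != vrrp_macs[vrrp_ip]:
            problems.append((n, f"MAC {mac} does not match VRRP MAC "
                                f"{vrrp_macs[vrrp_ip]} for {vrrp_ip}"))
    return problems


def render_local_arp(nat_map, vrrp_table):
    """Build local.arp text from NAT IP -> VRRP IP, looking up each VRRP MAC."""
    lines = []
    for nat_ip in sorted(nat_map, key=ipaddress.IPv4Address):
        vrrp_ip = nat_map[nat_ip]
        lines.append(f"{nat_ip} {vrrp_table[vrrp_ip].upper()} {vrrp_ip}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for line_no, problem in check_local_arp(SAMPLE_LOCAL_ARP, VRRP_TABLE, PHYSICAL_MACS):
        print(f"local.arp line {line_no}: {problem}")
    print(render_local_arp({"2.2.2.2": "10.2.3.1", "2.2.2.9": "10.2.4.1"}, VRRP_TABLE), end="")
```

Run the checker against the local.arp copy on every VAP member: the file must be identical on all members of the VAP group, and any entry reported as bound to a physical MAC reproduces the adjacent-router symptom described in the Issue section.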

NOTE: For Check Point VSX versions, please refer to article 5053.