Automatic ARP (FW-1 NG Operational Changes) (Check Point)

Next Generation adds the Automatic ARP configuration setting for Static NAT. This setting eliminates the need to create the ARP entry in the firewall operating system. This option is intended to overcome different nuances in the various operating systems on which NG is supported. The function of the ARP entry is to ensure that the router knows the firewall Media Access Control (MAC) address for the next hop in routing a packet. The Automatic ARP feature only works when automatic NAT rules are used. The main reason for maintaining this functionality is the case in which an entity does not have configuration rights on a router connected to a network segment connected with the firewall. This includes an Internet service provider (ISP) or a partner or remote office with connectivity through a dedicated link.

Tools & Traps…

When Does Automatic ARP Not Work?

There are a few scenarios in which Automatic ARP does not work. One such configuration is when Manual NAT rules are used. If you use Manual NAT, you must define the ARP entry within the firewall operating system. Another scenario in which Automatic ARP doesn't work is when a static route on the router is configured to point to the IP of the firewall interface on the connected network. The other scenarios involve issues with operating system compatibility or functionality.

Automatic ARP is not currently supported when a Nokia appliance is used. You must create a manual proxy-only ARP entry. The MAC address to use in creating this entry depends on the configuration. If you are using a single Nokia, use the interface’s MAC address. If you’re using Virtual Router Redundancy Protocol (VRRP), make sure you use the VRRP MAC address.


Windows 2000 presents a few issues. By default, you have an adapter labeled NDISWANIP with no address assigned. This adapter must not exist on the firewall object for Automatic ARP to work. There cannot be an interface without an IP address assigned. You should disable this adapter in the operating system before installing Check Point software. To do so, in Device Manager select View | Show hidden devices. Under Network Adapters you will see an interface, WAN Miniport(IP). Right-click this device and select Disable. In addition to disabling this adapter, you must make sure Routing and Remote Access is disabled.

In addition to the aforementioned configuration issues, you should be aware of other restrictions:

■ Automatic ARP is not supported in performing Manual NAT.

■ Automatic ARP is not supported on Linux implementations or when SecurePlatform is used (Check Point Knowledge Base Solution sk8022).

■ Automatic ARP is not supported when IP Pool NAT is used (Check Point Knowledge Base Solution sk5751).

When ARP Is Automatic

Provided the operating system is both properly configured and supports Automatic ARP, this feature is available for use. Automatic ARP works only with automatically generated NAT rules, either Static or Hide. The benefit of Automatic ARP is that it eliminates a step in the NAT configuration. This feature works only in Solaris and Windows environments, so it might not necessarily be applicable to the entire audience. (The functionality of this feature on the many currently available appliances is unknown at the time of this writing.)

The command fw ctl arp is used to verify whether Automatic ARP is working in Windows NT or 2000. The results list the resolved name, IP, MAC, and the interface IP that is advertising this information.

In a Windows 2000 environment, Check Point uses an application programming interface (API) provided by Microsoft for the Automatic ARP to function properly. The FireWall-1 software tells the operating system the IP addresses for which it is responsible in controlling ARP requests. A confusing symptom of this functionality is that when you type arp -a, you will not see the IP(s) listed with a fw ctl arp command. This situation is explained in Check Point Knowledge Base Solution sk13212.

When ARP Is Manual

There are a few different areas in which the ARP entries need to be defined manually. When using Manual ARP in your configuration, it is important that you uncheck Automatic ARP configuration in the Global Properties | NAT page. Making the decision to use Manual ARP or not really depends on your architecture. If the operating system of your FireWall-1 enforcement point does not support this feature, the decision has been made for you. The next contributing factor lies in the administrative control of the router(s) involved. If you do not control the router, you have no choice but to create an ARP entry on the firewall. The commands for creating an ARP entry in the more common operating systems are as follows:

[Table of per-operating-system ARP commands not reproduced in this extract]
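The following is an added example, not the book's own table or Check Point's code, showing the shape of a manual proxy-ARP entry for a Static NAT address on the platforms the text names. It assumes the arp(8) "pub" flag for Solaris and Linux, the hyphenated-MAC line format of the FireWall-1 local.arp file for Windows (where a plain arp -s only caches an entry and does not answer ARP requests), and the net-tools arp -an output format for the verification step. All addresses are constructed values.

```sh
#!/bin/sh
# Added example: build and verify a manual proxy-ARP entry for a NAT address.
# Platform labels (solaris, linux, windows) are this script's own convention.

# Return 0 if the argument is a colon-separated 48-bit MAC address.
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Return 0 if the argument looks like a dotted-quad IPv4 address.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print the command (or config line) that makes the firewall answer ARP for
# NAT_IP with MAC. Use the MAC of the interface facing the router that will
# ask for NAT_IP, or the virtual MAC in an HA configuration.
proxy_arp_entry() {
    os="$1" nat_ip="$2" mac="$3"
    valid_ipv4 "$nat_ip" || { echo "bad NAT IP: $nat_ip" >&2; return 1; }
    valid_mac "$mac"     || { echo "bad MAC: $mac" >&2; return 1; }
    mac=$(printf '%s' "$mac" | tr 'A-F' 'a-f')
    case "$os" in
        solaris|linux)
            # "pub" publishes the entry: the kernel replies to ARP for NAT_IP
            printf 'arp -s %s %s pub\n' "$nat_ip" "$mac" ;;
        windows)
            # Assumed: line for %FWDIR%\state\local.arp, MAC written with hyphens;
            # Windows "arp -s" alone adds a cache entry but does not proxy.
            printf '%s %s\n' "$nat_ip" "$(printf '%s' "$mac" | tr ':' '-')" ;;
        *)
            echo "unsupported platform: $os" >&2; return 1 ;;
    esac
}

# Read arp -an (net-tools) output on stdin; return 0 if NAT_IP is published.
published_in_arp_table() {
    grep -F "($1)" | grep -q 'PUB'
}

# Constructed sample of "arp -an" output after a published entry was added.
SAMPLE_ARP_TABLE='? (192.0.2.10) at 00:0c:29:aa:bb:cc [ether] PERM PUB on eth0
? (192.0.2.1) at 00:50:56:c0:00:08 [ether] on eth0'

# Stand-alone demo with constructed values.
proxy_arp_entry solaris 192.0.2.10 00:0C:29:AA:BB:CC
proxy_arp_entry windows 192.0.2.10 00:0C:29:AA:BB:CC
if printf '%s\n' "$SAMPLE_ARP_TABLE" | published_in_arp_table 192.0.2.10; then
    echo "192.0.2.10 is published"
fi
```

After applying the entry, the check in published_in_arp_table is the one the chapter implies: the NAT address must appear in the firewall's ARP table flagged as published, otherwise the router never learns the firewall MAC and the NAT rule silently fails.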

An important consideration to keep in mind is that NAT is not always done solely on the Internet-facing side of the firewall. In some situations, you are using NAT across internally connected networks. In this situation, make sure you use the correct MAC address from the interface facing the respective router. In some situations, you will not use the physical MAC address but a virtual one.

For example, in a High Availability (HA) configuration, the MAC address to use depends on the solution used for HA. The first consideration is whether you are implementing an active/standby or load-sharing configuration. With ClusterXL, there may be a virtual or physical MAC address serving an interface. In FP3, there are two modes available for HA: New mode, as it is called, or Legacy mode. In Legacy mode, a Unicast MAC address serves a physical IP address; New mode uses a multicast MAC serving a virtual address, the same way that the load-sharing mode works. Earlier NG versions only used the Legacy mode for HA. If you're using a Nokia configuration, you can use VRRP for active/standby or the new Clustering mode for load sharing. Determine the actual or virtual MAC address needed. The second consideration is that, network infrastructure aside, you need to make sure that the router will accept ARP replies in the form used. By default, a Nokia will neither accept multicast ARP replies nor allow a multicast ARP entry to be configured locally.

This topic spent a great deal of time covering ARP and the different methods available in NG FP3. You can make NAT work just fine without configuring any kind of ARP entries. All you need to do is configure a static host route on the router that will be sending out the ARP request. Configure these routes for the NAT IP addresses sending the packet directly to the firewall; after all, that is what the ARP entries are designed to accomplish in your environment.
