
Re: [fw1-gurus] Static NAT limitations

On Fri, Mar 27, 2009 at 12:50 PM, Dan Lynch <[email protected]> wrote:
> Greetings list,
> I recently had cause to peek into a fwd.elg file on an enforcement
> point, and found several of the following messages:
>>> fwarp_get_arp_interface: no interface found on same subnet as valid ip address:
>>> fwarp_make_arp_entry: can't find arp interface for address:
> The firewall is Checkpoint R65, HFA02 on Nokia, running IPSO 4.2, b96.
> There are dozens of these messages, and the IP addresses all match some
> object with automatic static NAT configured. They appear on all our
> enforcement points, seemingly without regard to whether the enforcement
> point is listed in the given NAT's "Install On Gateway" field. All our
> enforcement points are managed from the same SmartCenter.

Can you delete and re-create the object? Perhaps it got corrupted or something.

My own bias is to use manual NAT rules and not rely on automatic ARP
configuration. While it is a little more work, you have a lot more
granularity in terms of what rules apply in what circumstances.

-- PhoneBoy