Re: [fw1-gurus] Static NAT limitations
- Subject: Re: [fw1-gurus] Static NAT limitations
- From: Dameon Welch-Abernathy <[email protected]>
- To: FireWall-1 Gurus Mailinglist <[email protected]>
- Date: Sat, 28 Mar 2009 01:42:04 -0700
On Fri, Mar 27, 2009 at 12:50 PM, Dan Lynch <[email protected]> wrote:
> Greetings list,
> I recently had cause to peek into a fwd.elg file on an enforcement
> point, and found several of the following messages:
>>> fwarp_get_arp_interface: no interface found on same subnet as valid
> ip address: 188.8.131.52
>>> fwarp_make_arp_entry: can't find arp interface for address:
> The firewall is Checkpoint R65, HFA02 on Nokia, running IPSO 4.2, b96.
> There are dozens of these messages, and the IP addresses all match some
> object with automatic static NAT configured. They appear on all our
> enforcement points, seemingly without regard to whether the enforcement
> point is listed in the given NAT's "Install On Gateway" field. All our
> enforcement points are managed from the same SmartCenter.
Can you delete and re-create the object? Perhaps it got corrupted or something.
My own bias is to use manual NAT rules and not rely on automatic ARP
configuration. While it is a little more work, you have a lot more
granularity in terms of what rules apply in what circumstances.
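
The messages quoted above each name an address for which the gateway found no interface on the same subnet. The following added example (not part of the thread and not Check Point tooling) pulls those addresses out of log text and checks them against one gateway's interface subnets. The one-line log layout, the sample lines and the interface networks are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Message text as quoted in the post; a one-line layout is assumed here.
FWARP_RE = re.compile(
    r"fwarp_get_arp_interface: no interface found on same subnet as valid\s+"
    r"ip address:\s*(\d{1,3}(?:\.\d{1,3}){3})"
)

def unresolved_arp_addresses(log_text):
    """Count how often each address appears in the fwarp message."""
    return Counter(m.group(1) for m in FWARP_RE.finditer(log_text))

def classify(addresses, interface_networks):
    """Map each address to the interface network containing it, or None."""
    nets = [ipaddress.ip_network(n) for n in interface_networks]
    result = {}
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        result[addr] = next((str(n) for n in nets if ip in n), None)
    return result

# Constructed sample input (documentation address ranges, not from the post).
SAMPLE_LOG = """\
fwarp_get_arp_interface: no interface found on same subnet as valid ip address: 203.0.113.10
fwarp_make_arp_entry: can't find arp interface for address: 203.0.113.10
fwarp_get_arp_interface: no interface found on same subnet as valid ip address: 198.51.100.7
fwarp_get_arp_interface: no interface found on same subnet as valid ip address: 203.0.113.10
"""
# Hypothetical interface subnets of one enforcement point.
SAMPLE_INTERFACES = ["192.0.2.0/24", "198.51.100.0/24"]

if __name__ == "__main__":
    counts = unresolved_arp_addresses(SAMPLE_LOG)
    for addr, net in classify(counts, SAMPLE_INTERFACES).items():
        where = f"inside interface network {net}" if net else "on no local subnet"
        print(f"{addr} logged {counts[addr]}x: {where}")
```

Addresses that fall on no local subnet can then be compared with each NAT object's "Install On Gateway" setting to see which gateways were meant to handle them.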