[Date Prev][Date Next][Thread Prev][Thread Next][Thread Index]

[fw1-gurus] Static NAT limitations



Greetings list,

I recently had cause to peek into a fwd.elg file on an enforcement
point, and found several of the following messages:

>> fwarp_get_arp_interface: no interface found on same subnet as valid
ip address: 198.132.13.94
>> fwarp_make_arp_entry: can't find arp interface for address:
198.132.13.94

The firewall is Checkpoint R65, HFA02 on Nokia, running IPSO 4.2, b96.

There are dozens of these messages, and the IP addresses all match some
object with automatic static NAT configured. They appear on all our
enforcement points, seemingly without regard to whether the enforcement
point is listed in the given NAT's "Install On Gateway" field. All our
enforcement points are managed from the same SmartCenter.

The NATs seem to function just fine, ,and have for years, despite these
log entries. I have a slew (slough?) of similarly configured NATs.

I found the following Checkpoint sk18463, which states in part:

>> FireWall-1 NG must have an interface on the same subnet as the
StaticNAT IP configured.

I've gone back through Dashboard's help files, my FW-1 documentation,
books and notes from training, and I can find no other reference to this
limitation. 

Can anyone address:

- is this in fact a limitation of static NAT?
- is this documented anywhere?
- is the error message purely cosmetic? Or does it reflect a serious
problem, or could other issues arise doe to this config?


Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA
_______________________________________________
fw1-gurus mailing list
[email protected]
http://lists.phoneboy.com/listinfo.cgi/fw1-gurus-phoneboy.com