Re: [fw1-gurus] Static NAT limitations

We had this issue recently. It was because when someone created the NAT
object, it was configured for all gateways instead of the policy which
has that network configured. If you go to the object properties, then
the NAT properties of that object, you can choose "apply to all
gateways" or the gateway which actually has that network configured. If
you change the drop-down to the individual gateway, the message will go

Dameon Welch-Abernathy wrote:
> On Fri, Mar 27, 2009 at 12:50 PM, Dan Lynch <[email protected]> wrote:
>> Greetings list,
>> I recently had cause to peek into a fwd.elg file on an enforcement
>> point, and found several of the following messages:
>>>> fwarp_get_arp_interface: no interface found on same subnet as valid
>> ip address:
>>>> fwarp_make_arp_entry: can't find arp interface for address:
>> The firewall is Checkpoint R65, HFA02 on Nokia, running IPSO 4.2, b96.
>> There are dozens of these messages, and the IP addresses all match some
>> object with automatic static NAT configured. They appear on all our
>> enforcement points, seemingly without regard to whether the enforcement
>> point is listed in the given NAT's "Install On Gateway" field. All our
>> enforcement points are managed from the same SmartCenter.
> Can you delete and re-create the object? Perhaps it got corrupted or something.
> My own bias is to use manual NAT rules and not rely on automatic ARP
> configuration. While it is a little more work, you have a lot more
> granularity in terms of what rules apply in what circumstances.
> -- PhoneBoy
> _______________________________________________
> fw1-gurus mailing list
> [email protected]
> http://lists.phoneboy.com/listinfo.cgi/fw1-gurus-phoneboy.com

Michele Chubirka
Senior Information Systems Engineer
Information Systems and Services
George Washington University