
Re: [fw1-gurus] Static NAT limitations



Typically you get that error message when you have an automatic NAT, auto ARP enabled, and the firewall does not have an interface on that network. You cannot ARP for an address that does not belong to the same IP subnet; the Check Point software cannot generate an auto ARP in this scenario.

Sent from my Verizon Wireless BlackBerry

-----Original Message-----
From: "Dan Lynch" <[email protected]>

Date: Mon, 30 Mar 2009 09:04:46 
To: FireWall-1 Gurus Mailinglist<[email protected]>
Cc: <[email protected]>
Subject: Re: [fw1-gurus] Static NAT limitations


> Can you delete and re-create the object? Perhaps it got 
> corrupted or something.

I could, but the messages appear for most, if not all (I've been unable
to check all), objects with an automatic static NAT to a network address
that does not match an existing interface address. Just for this reason,
it doesn't seem to imply object corruption.

> My own bias is to use manual NAT rules and not rely on automatic ARP
> configuration. While it is a little more work, you have a lot more
> granularity in terms of what rules apply in what circumstances.

That may be true, but I'm curious whether this is truly an otherwise
undocumented limitation of the Checkpoint firewall product. Does a NAT
address *require* an interface in its network range? I don't think so,
and no documentation I've found refers to that, yet the cited Checkpoint
KB article (sk18463) states that it does: 

>> FireWall-1 NG must have an interface on the same subnet as the
>> StaticNAT IP configured.

> If you go to the object properties, then
> the NAT properties of that object, you can choose "apply to all
> gateways" or the gateway which actually has that network 
> configured.

In this case, the message appears regardless of the "apply to gateway"
setting. Even so, there is no interface in the network referenced in the
object's automatic static NAT. My question is whether that's a
requirement. If so, I can't find it documented anywhere else but the
above referenced sk18463.


Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA

> -----Original Message-----
> From: [email protected] 
> [mailto:[email protected]] On Behalf Of 
> Dameon Welch-Abernathy
> Sent: Saturday, March 28, 2009 1:42 AM
> To: FireWall-1 Gurus Mailinglist
> Subject: Re: [fw1-gurus] Static NAT limitations
> 
> On Fri, Mar 27, 2009 at 12:50 PM, Dan Lynch
> <[email protected]> wrote:
> > Greetings list,
> >
> > I recently had cause to peek into a fwd.elg file on an enforcement
> > point, and found several of the following messages:
> >
> > > fwarp_get_arp_interface: no interface found on same subnet as valid
> > > ip address: 198.132.13.94
> > > fwarp_make_arp_entry: can't find arp interface for address:
> > > 198.132.13.94
> >
> > The firewall is Checkpoint R65, HFA02 on Nokia, running IPSO 4.2, b96.
> >
> > There are dozens of these messages, and the IP addresses all match some
> > object with automatic static NAT configured. They appear on all our
> > enforcement points, seemingly without regard to whether the enforcement
> > point is listed in the given NAT's "Install On Gateway" field. All our
> > enforcement points are managed from the same SmartCenter.
> 
> Can you delete and re-create the object? Perhaps it got 
> corrupted or something.
> 
> My own bias is to use manual NAT rules and not rely on automatic ARP
> configuration. While it is a little more work, you have a lot more
> granularity in terms of what rules apply in what circumstances.
> 
> -- PhoneBoy
_______________________________________________
fw1-gurus mailing list
[email protected]
http://lists.phoneboy.com/listinfo.cgi/fw1-gurus-phoneboy.com
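The following audit script is an added example, not code from the thread or from Check Point. It makes the condition discussed above concrete: the top reply says auto ARP can only be generated for a NAT address that lies in the subnet of one of the gateway's own interfaces, and Dan's fwd.elg excerpt shows the fwarp_* messages logged when that is not the case. The script parses log lines in the two quoted formats, checks every automatic static NAT address against the gateway's interface table, and reports the addresses for which no interface shares a subnet, which are exactly the ones a gateway built this way would log about. The interface table, NAT assignments and log lines are constructed sample values (RFC 5737 documentation ranges, not the addresses from the thread), and the function names are my own; the only behavioural assumption is the one the thread states.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# Constructed fwd.elg excerpt modelled on the two message formats quoted in the
# thread. Addresses are RFC 5737 documentation ranges, not the poster's.
SAMPLE_FWD_ELG = """\
fwarp_get_arp_interface: no interface found on same subnet as valid ip address: 203.0.113.94
fwarp_make_arp_entry: can't find arp interface for address: 203.0.113.94
fwarp_get_arp_interface: no interface found on same subnet as valid ip address: 203.0.113.95
fwarp_make_arp_entry: can't find arp interface for address: 203.0.113.95
"""

# Constructed gateway interface table: interface name -> address with prefix length.
SAMPLE_INTERFACES: Dict[str, str] = {
    "eth0": "192.0.2.1/24",
    "eth1": "198.51.100.1/24",
}

# Constructed automatic static NAT assignments: internal host -> public NAT address.
SAMPLE_STATIC_NATS: Dict[str, str] = {
    "192.0.2.10": "203.0.113.94",  # no gateway interface on 203.0.113.0/24
    "192.0.2.11": "198.51.100.7",  # inside eth1's subnet, auto ARP is possible
    "192.0.2.12": "203.0.113.95",  # no gateway interface on 203.0.113.0/24
}

# Matches both fwarp_* message shapes seen in the thread and captures the address.
_ARP_LOG_RE = re.compile(
    r"fwarp_(?:get_arp_interface|make_arp_entry):.*?"
    r"(?:ip )?address: (\d{1,3}(?:\.\d{1,3}){3})"
)


def addresses_from_fwd_elg(lines: Iterable[str]) -> List[str]:
    """Distinct NAT addresses named in fwarp_* log messages, in order first seen."""
    seen: List[str] = []
    for line in lines:
        m = _ARP_LOG_RE.search(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def arp_interface_for(nat_ip: str, interfaces: Dict[str, str]) -> Optional[str]:
    """Name of the interface whose subnet contains nat_ip, or None if there is none.

    This is the condition the thread describes: the gateway can only answer ARP
    for a NAT address that belongs to the IP subnet of one of its own interfaces.
    """
    addr = ipaddress.ip_address(nat_ip)
    for name, cidr in interfaces.items():
        if addr in ipaddress.ip_interface(cidr).network:
            return name
    return None


def audit_static_nats(static_nats: Dict[str, str],
                      interfaces: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Map each NAT address to the interface that can proxy-ARP for it (None = cannot)."""
    return {nat_ip: arp_interface_for(nat_ip, interfaces)
            for nat_ip in static_nats.values()}


def failing_nat_addresses(static_nats: Dict[str, str],
                          interfaces: Dict[str, str]) -> List[str]:
    """NAT addresses for which auto ARP will not be generated on this gateway."""
    return [ip for ip, iface in audit_static_nats(static_nats, interfaces).items()
            if iface is None]


if __name__ == "__main__":
    predicted = failing_nat_addresses(SAMPLE_STATIC_NATS, SAMPLE_INTERFACES)
    logged = addresses_from_fwd_elg(SAMPLE_FWD_ELG.splitlines())
    for nat_ip, iface in audit_static_nats(SAMPLE_STATIC_NATS, SAMPLE_INTERFACES).items():
        print(f"{nat_ip:15} -> {iface or 'NO INTERFACE ON SUBNET (auto ARP impossible)'}")
    print("predicted failures:", predicted)
    print("addresses seen in fwd.elg:", logged)
    print("log agrees with audit:", set(predicted) == set(logged))
```

Run against a real gateway, the interface table would come from the gateway's own interface listing and the NAT map from the objects with automatic static NAT installed on it; the addresses the audit returns as None are the candidates for the manual NAT rules PhoneBoy suggests, since the automatic ARP mechanism has nothing to attach them to.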