Quoting Dan Lynch <DLynch@xxxxxxxxxxxxx>:
> Can you delete and re-create the object? Perhaps it got corrupted or something.

> I could, but the messages appear for most, if not all (I've been unable to check all), objects with an automatic static NAT to a network address that does not match an existing interface address. Just for this reason, it doesn't seem to imply object corruption.

> My own bias is to use manual NAT rules and not rely on automatic ARP configuration. While it is a little more work, you have a lot more granularity in terms of what rules apply in what circumstances.

> That may be true, but I'm curious whether this is truly an otherwise undocumented limitation of the Checkpoint firewall product. Does a NAT address *require* an interface in its network range? I don't think so, and no documentation I've found refers to that, yet the cited Checkpoint KB article (sk18463) states that it does:
The SK is wrong. Or perhaps to be more charitable, it's incomplete. If the NAT address is resident on the network that's directly attached AND is the inbound interface of the firewall, then yes, you need an ARP entry.
However I prefer to NAT (where necessary) using a completely virtual network range. One that only exists IN the firewall itself. The network routing simply ensures that the firewall interface is the next hop to the NAT network. In this way, the previous router is really only interested in the ethernet address of the firewall as the 'next hop'. The firewall itself doesn't care whether the network range exists on the firewall at all. It's completely independent.
H

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

_______________________________________________
fw1-gurus mailing list
fw1-gurus@xxxxxxxxxxxxxxxxxx
http://lists.phoneboy.com/listinfo.cgi/fw1-gurus-phoneboy.com
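The distinction drawn in the reply above (a NAT address on a directly attached network needs the firewall to answer ARP for it, while a purely virtual NAT range only needs an upstream route whose next hop is the firewall) can be turned into a quick configuration audit. The script below is an added example for this thread; it is not Check Point code and not from any poster. The interface addresses and NAT addresses are constructed sample values, and the classification is done purely with Python's standard `ipaddress` module.

```python
"""Classify static NAT addresses by what the firewall must do to own them.

Added example, not part of the fw1-gurus thread and not Check Point code.
Assumes the firewall's interface addresses are available as CIDR strings.
"""
import ipaddress

# Constructed sample interfaces (hypothetical addresses from RFC 5737 ranges).
INTERFACES = {
    "eth0": "203.0.113.1/24",   # outside
    "eth1": "10.0.0.1/24",      # inside
}


def classify_nat(nat_ip, interfaces=INTERFACES):
    """Return a (kind, interface) pair for one NAT address.

    'conflict'  - the NAT address is itself an interface address; a static
                  NAT to it would fight the firewall's own stack.
    'proxy_arp' - the address lies inside a directly attached network, so
                  neighbours on that segment will ARP for it and the firewall
                  must answer (automatic or manual proxy ARP entry).
    'route'     - the address is in a virtual range that exists only in the
                  NAT table; the upstream router needs a route to it with the
                  firewall as next hop, and no ARP entry is involved.
    """
    addr = ipaddress.ip_address(nat_ip)
    for name, cidr in interfaces.items():
        iface = ipaddress.ip_interface(cidr)
        if addr == iface.ip:
            return ("conflict", name)
        if addr in iface.network:
            return ("proxy_arp", name)
    return ("route", None)


def audit(nat_addresses, interfaces=INTERFACES):
    """Build a human-readable report, one line per NAT address."""
    messages = {
        "conflict": "collides with the address of {iface}; pick another NAT address",
        "proxy_arp": "on the network attached to {iface}; proxy ARP entry required",
        "route": "virtual range; upstream router needs a route via the firewall, no ARP entry",
    }
    report = {}
    for nat in nat_addresses:
        kind, iface = classify_nat(nat, interfaces)
        report[nat] = messages[kind].format(iface=iface)
    return report


if __name__ == "__main__":
    # Constructed NAT addresses covering all three cases.
    for nat, msg in audit(["203.0.113.50", "198.51.100.7", "10.0.0.1"]).items():
        print(f"{nat}: {msg}")
```

Run against a real policy, the 'route' entries are exactly the objects the poster describes: static NATs to addresses with no matching interface, which work as long as the router in front of the firewall has a route for that range. The 'proxy_arp' entries are the only ones the SK's ARP requirement actually applies to.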