• October 21, 2017, 01:44:11 PM

Topic: Checkpoint VRRP Proxy ARP issue when using Gaia after migrating from IPSO


Offline Flintstone

Hi Guys,

I found a gotcha with proxy ARP after migrating from IPSO R77.10 to Gaia R77.30.

In IPSO via Voyager (when using VRRP), under ARP Configuration, proxy ARP is configured as follows:
Interface       MAC Address              IP Address
User-defined    VRRP MAC of interface    15.65.229.244

When we migrated to Gaia, we configured the same settings as in IPSO via the UI, but proxy ARP did not work until we configured the 'Real IP Address' to be the VRRP virtual IP address of the interface.

In Gaia via the UI (when using VRRP), you have an additional field:
IP Address       MAC Address/Interface    Real IP Address
15.65.229.244    VRRP MAC of interface    15.65.229.254 (VRRP virtual IP address of interface)

Also, in SmartDashboard via Global Properties you need to 'Tick' 'Merge proxy ARP configuration' under NAT and install the policy. If you don't 'Tick' merge, then the Checkpoint firewall will ignore the 'local.arp' file which is used for proxy ARP.

CheerZ


« Last Edit: June 14, 2017, 09:19:56 AM by Flintstone »


Offline TankII

Thanks.  We were told not to use VRRP during our R77.30 installation due to various bugs.

TankII

Offline Flintstone

You are correct, there is another bug where VRRP 'Master' and 'backup' will both answer to Proxy ARP requests.  This is fixed in the latest 'Hot Fix'  :)

CheerZ