Checkpoint SPLAT Manual Proxy ARP Configuration Example - NETSEC


Learning, Sharing, Creating

Cybersecurity Memo

Sunday, April 1, 2012

Checkpoint SPLAT Manual Proxy ARP Configuration Example

Checkpoint manual NAT configuration is a quite useful method to remedy the weakness of auto nat . For me, I always mix them according to different scenarios although there are quite discussion which is better in a dispute  CPUG post. Use auto nat as possible as I can when starting projects or network, then slowly to roll out manually NAT when complexity components added.

Here is a recent scenario which manual NAT used. Client need to use to access DMZ sftp server Auto NAT should be able to resolve it in 30 seconds configuration. Unfortunately, sftp server is facing multiple checkpoint firewalls and it has to be nat-ed to another segment as well. So manually nat will be the only choice here.

1. Enable Manual NAT from global properties

2. Create Manual NAT rule

3. Add manual proxy arp entry into local.arp file
echo " AA:BB:CC:DD:EE" >> $FWDIR/conf/local.arp
note: AA:BB:CC:DD:EE is the mac address of your SPLAT firewall interface. If use clustering implementation, all of cluster members local.arp file need to be modified based on member's interface mac address.

4. Push policy to enable NAT rule and merge this manual NAT record into arp table.

5. Verify with fw ctl arp command

[CP-FW]# fw ctl arp
 ( at AA:BB:CC:DD:EE

No comments:

Post a Comment