I do not know whether any of you have had this problem with Check Point Firewall, but whenever a Manual NAT rule needs to be created, some administrators run into it.

SK30197 has some links about Proxy ARP.

Configuration Steps:

This configuration is based on two steps:    00:B4:F3:A8:C1:33


A brief summary of “vi” editor

To access command mode in VI, press ESC

i – Insert text before cursor

a – Insert text after cursor

r – Insert text in the beginning of the cursor line

A – Insert text in the end of the cursor line

o – Insert a line below the cursor line

O – Insert a line above the cursor line

X – delete the current character

To Save the file: ESC :wq


Single Gateway

IP of the published host         MAC-Address of the External Interface


Let's consider the topology

Create the Objects

Firewall External ip address

FTP Server

Before the Stealth rule, create a rule allowing FTP access to the gateway (in this example, we only have two public IPs).

In the NAT tab, create a manual NAT rule publishing FTPServer.

In SmartDashboard → Policy → Global Properties

In the NAT section → check the option “Merge manual proxy ARP configuration”

Automatic ARP Configuration is enabled by default – it ensures that ARP requests for a translated (NATed) machine, network or address range are answered by the Security Gateway.

Merge manual proxy ARP configuration merges the Automatic and Manual ARP configurations. Manual proxy ARP configuration is required for manual Static NAT rules. If a manual ARP configuration is defined in the $FWDIR/conf/local.arp file, and ‘Automatic ARP configuration’ is enabled, both definitions are maintained. If there is a conflict between the definitions (the same NATed IP address appears in both), then the manual configuration is used.

If ‘Automatic ARP configuration’ is enabled, but the ‘Merge manual proxy ARP configuration’ option is not enabled, then the Security Gateway ignores the entries in the $FWDIR/conf/local.arp file.

Check the box “Translate destination on client side”.

Translate destination on client side is enabled by default – it applies to packets originating at a Client, with the Server as its destination. Static NAT for the server is performed on the Client side of the Security Gateway.


Cluster Configuration

In a cluster configuration, the syntax of the local.arp file changes as shown below:

IP_address_of_Host_1_that_should_be_published MAC_address_of_member’s_physical_interface_on_External_network IP_address_of_member’s_physical_interface_on_External_network


For more information about cluster configuration, I highly recommend reading sk30197.
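
A quick check for the two local.arp line formats described on this page (single gateway: published IP and MAC; cluster: published IP, MAC and member IP). This is an added example, not part of the original post and not a Check Point tool. The function name lint_local_arp, the 203.0.113.x sample addresses and the one-entry-per-published-IP rule are assumptions of the example.

```shell
#!/bin/sh
# Added example: lint a proxy ARP file such as $FWDIR/conf/local.arp.
#   lint_local_arp FILE single   -> lines are: <published_IP> <MAC>
#   lint_local_arp FILE cluster  -> lines are: <published_IP> <MAC> <member_IP>
# Prints one message per problem; returns non-zero if any line is wrong.
lint_local_arp() {
    awk -v mode="$2" '
    function is_ip(s,    n, p, i) {
        n = split(s, p, ".")
        if (n != 4) return 0
        for (i = 1; i <= 4; i++)
            if (p[i] !~ /^[0-9]+$/ || length(p[i]) > 3 || p[i] + 0 > 255) return 0
        return 1
    }
    function is_mac(s) {
        # Six colon-separated hex octets: 2 + 5*3 = 17 characters.
        return length(s) == 17 && s ~ /^[0-9A-Fa-f][0-9A-Fa-f](:[0-9A-Fa-f][0-9A-Fa-f])+$/
    }
    function err(msg) { printf "line %d: %s\n", NR, msg; bad++ }
    BEGIN { want = (mode == "cluster") ? 3 : 2 }
    NF == 0 { next }                      # ignore blank lines
    NF != want { err("expected " want " fields, found " NF); next }
    {
        if (!is_ip($1))  err("bad published IP: " $1)
        if (!is_mac($2)) err("bad MAC address: " $2)
        if (want == 3 && !is_ip($3)) err("bad member IP: " $3)
        # Lint policy (assumption): one entry per published IP, per member.
        key = (want == 3) ? ($1 " " $3) : $1
        if (key in seen) err($1 " already defined on line " seen[key])
        else seen[key] = NR
    }
    END { exit (bad > 0) }
    ' "$1"
}

# Constructed sample: line 2 has a five-octet MAC, line 3 repeats the IP of line 1.
sample=$(mktemp)
cat > "$sample" <<'EOF'
203.0.113.10 00:B4:F3:A8:C1:33
203.0.113.11 00:B4:F3:A8:C1
203.0.113.10 00:B4:F3:A8:C1:34
EOF
lint_local_arp "$sample" single || echo "local.arp has errors"
rm -f "$sample"
```

A truncated MAC or a line in the wrong format for the deployment type is the kind of mistake that leaves the published address unanswered on the external network, so it is worth running a check like this before relying on the file.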



If Proxy ARP fails, consider reading SK 25851.