The PhoneBoy Blog

Simplifying Telecom, Mobile Phones, Gadgets, and More!

FireWall-1 FAQ: Proxy ARPs in Windows NT

Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.

I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.

If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)


I'm trying to use arp commands in Windows NT for address translation. After a while, they appear to 'disappear' from the system. Not only that, they don't always appear to work. What's wrong?


If you are using the NG release of FireWall-1, enable "Automatic ARP Configuration" in the Global Properties, Network Address Translation tab if you are using automatic NAT rules. If not or if this fails for some reason, then we will need to configure local.arp on the NT firewall. Let's use the network described in the Q&A entry Routing and ARP issues with NAT:

    Our network
       a|              ---------                   --------      ----
       l|| Fire    |      |        |    |CSU |       MCI
        |-------------|         |-----------------| Router |----|    |----------
       N|         le0 | Wall    | be0             |        |    |DSU |
       e|             |_________|                 |________|    |____|     
    126 | 
      . |       --------
      0 |------|Web serv|
      . |       --------
     10 |
      . |       ----
      0 |------|FTP |
        |       ---- 
        |       -----
        |------|Mail |
        |       -----

Suppose that the web server's translated address is and the MAC address of the external interface on the firewall is 08:00:20:76:ea:77. On a UNIX platform, we would add an ARP request to the firewall machine as follows:

    arp -s 08:00:20:76:ea:77 pub

This ARP message causes the firewall to respond to TCP/IP packets addressed to, which allows these packets to get to the firewall. The firewall then takes packets addressed to and re-routes them to thru the internal interface of the firewall.

In Windows NT, the 'arp' command will not function in this manner. Version 2.1c and later of FireWall-1 will do the proxy arps for you. You must create a file called %FWDIR%\state\local.arp (case matters!), which is formatted as follows:

    translated_ip_address    mac_address

In the example above, this file would contain:    08-00-20-76-ea-77

Once you've set this file up, you will need to re-install the current rulebase.

Note that you must have a NAT rule configured for local.arp to work.

C-List #Cybersecurity Celebrity, Podcaster, #noagenda Producer, Frequenter of shiny metal tubes, Expressor of personal opinions, and of course, a coffee achiever.