We use cookies on our website to ensure we provide you with the best experience on our website. By using our website, you agree to the use of cookies for analytics and personalized content.This website uses cookies. More Information
It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see End-of-Support for CloudGen Firewall Firmware for further information on our EoS policy.

How to Create Proxy ARP Objects

  • Last updated on

You can configure the Barracuda NextGen Firewall F-Series to answer ARP requests on behalf of a remote interface. It can then accept packets and correctly forward packets to the remote host. Proxy ARPs can be treated like additional IP addresses that the firewall responds to when it receives an ARP request. If proxy ARP addresses are in the same address space as the source of a connection request, use them for redirecting and mapping in firewall rule sets. You can also use proxy ARP objects for bridging.

You can create a Proxy ARP object as a standalone object or in combination with a connection object. However, the proxy ARP object is then dependent on the connection object; if the connection object is deleted, the proxy ARP object is also deleted.

Create a Proxy ARP Object

  1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
  2. In the left menu, expand the Firewall Objects section and click Proxy ARPs.
  3. Click Lock.
  4. Right-click the main pane and select New.
  5. In the Edit/Create a Proxy ARP Object window, configure the settings for your proxy ARP object:


    Network Address

    Enter a single IP address or a complete network.


    To let the proxy ARP object exist without a referring object (such as a connection object), select this check box. Otherwise, the proxy ARP object is deleted if the referring object is deleted. The Standalone setting is enabled by default.

    Primary Network Interface

    Interface that is used when responding to an ARP request. You can either enter a specific network interface (e.g., eth1), or select one of the following options:

    • match (default) ARP requests are answered via the interface that hosts the network.
    • any ARP requests are answered via any interface.

    Additional Interfaces

    Additional interfaces that are used when responding to ARP requests. Only enter interfaces that do not conflict with the primary network interface. You can enter a space-delimited list of interfaces.

    Exclude Networks

    Network addresses that sare from the network entered in the Network Address field. Enter a space-delimited list of addresses to exclude multiple IP networks.

    Source Address Restriction

    Network addresses that must be used as the source IP address when responding to ARP requests. Enter a space-delimited list of source addresses.

    Introduce Route on Interface

    Read-only field that displays the bridging interface route when using the proxy ARP for bridging.

    For more information, see Bridging.

    Send Unsolicited ARP

    To configure the firewall to propagate specified IP addresses through ARPs, select this check box. The Send Unsolicited ARP setting is enabled by default.

    Unsolicited ARPs can only be sent if the corresponding network interface has an active IP address. The status of the IP address is only verified when the forwarding firewall starts up, such as during an HA takeover or when the firewall rule set changes. The status of the IP address is not verified if the network interface changes into state "up" or if a pending route becomes active, such as when a server IP address is introduced. In this case, only the Proxy ARP is introduced to answer incoming ARP requests.


  6. Click OK.

  7. Click Send Changes and Activate.
Last updated on