Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see End-of-Support for CloudGen Firewall Firmware for further information on our EoS policy.

How to Create Proxy ARP Objects


You can configure the Barracuda CloudGen Firewall to answer ARP requests on behalf of a remote interface. It can then accept packets and correctly forward them to the remote host. Proxy ARPs can be treated like additional IP addresses that the firewall responds to when it receives an ARP request. If proxy ARP addresses are in the same address space as the source of a connection request, use them for redirecting and mapping in firewall rule sets. You can also use proxy ARP objects for bridging.

Do not create Proxy ARPs in address spaces where the firewall IP address is configured as the gateway IP address.

You can create a Proxy ARP object as a stand-alone object or in combination with a connection object. However, the proxy ARP object is then dependent on the connection object; if the connection object is deleted, the proxy ARP object is also deleted.

Create a Proxy ARP Object

  1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > Firewall > Forwarding Rules.
  2. In the left menu, expand the Firewall Objects section and click Proxy ARPs.
  3. Click Lock.
  4. Right-click the main pane and select New.
  5. In the Edit/Create a Proxy ARP Object window, configure the settings for your proxy ARP object:

    • Network Address – Enter a single IP address or a complete network.
    • Standalone – To let the proxy ARP object exist without a referring object (such as a connection object), select this check box. Otherwise, the proxy ARP object is deleted if the referring object is deleted. The Standalone setting is enabled by default.
    • Primary Network Interface – Interface that is used when responding to an ARP request. You can either enter a specific network interface (e.g., eth1), or select one of the following options:
      • match (default) – ARP requests are answered via the interface that hosts the network.
      • any – ARP requests are answered via any interface.
    • Additional Interfaces – Additional interfaces that are used when responding to ARP requests. Only enter interfaces that do not conflict with the primary network interface. You can enter a space-delimited list of interfaces.
    • Exclude Networks – Network addresses that originate from the network entered in the Network Address field. Enter a space-delimited list of addresses to exclude multiple IP networks.
    • Source Address Restriction – Network addresses that must be used as the source IP address when responding to ARP requests. Enter a space-delimited list of source addresses.
    • Introduce Route on Interface – Read-only field that displays the bridging interface route when using the proxy ARP for bridging. For more information, see Bridging.
    • Send Unsolicited ARP – To configure the firewall to propagate specified IP addresses through ARPs, select this check box. The Send Unsolicited ARP setting is enabled by default.

      Unsolicited ARPs can only be sent if the corresponding network interface has an active IP address. The status of the IP address is only verified when the forwarding firewall starts up, such as during an HA takeover or when the firewall rule set changes. The status of the IP address is not verified if the network interface changes into state "up" or if a pending route becomes active. In this case, only the Proxy ARP is introduced to answer incoming ARP requests.


  6. Click OK.

  7. Click Send Changes and Activate.
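
The following pre-change check is an added example, not Barracuda code: it takes the Network Address and Exclude Networks values planned for a proxy ARP object and flags any remaining range that overlaps an address space where the firewall IP address is the gateway. The dict layout, the function names, the operator-supplied list of gateway networks, and the treatment of excluded ranges as not covered are assumptions; all addresses are constructed samples.

```python
import ipaddress

def effective_networks(network, excludes):
    """Ranges the object would answer for: Network Address minus Exclude Networks."""
    remaining = [ipaddress.ip_network(network)]
    for ex in map(ipaddress.ip_network, excludes):
        kept = []
        for net in remaining:
            if net.subnet_of(ex):            # range is fully excluded
                continue
            if ex.subnet_of(net):            # carve the exclusion out of the range
                kept.extend(net.address_exclude(ex))
            else:                            # no overlap, keep unchanged
                kept.append(net)
        remaining = kept
    return remaining

def check_proxy_arp(obj, gateway_networks):
    """Return findings for one planned object (dict layout is hypothetical)."""
    findings = []
    net = ipaddress.ip_network(obj["network"])
    inside = []
    for ex in obj.get("exclude", []):
        # Exclude Networks must come from the Network Address range.
        if ipaddress.ip_network(ex).subnet_of(net):
            inside.append(ex)
        else:
            findings.append(f"exclude {ex} is not part of {net}")
    for part in effective_networks(obj["network"], inside):
        for gw in map(ipaddress.ip_network, gateway_networks):
            if part.overlaps(gw):
                findings.append(f"{part} overlaps {gw}, where the firewall is the gateway")
    return findings

# Constructed sample data (assumption: the operator lists the networks in
# which the firewall IP address is configured as the gateway).
GATEWAY_NETWORKS = ["10.0.8.0/26", "192.168.10.0/25"]
OK_OBJECT = {"network": "10.0.8.0/24", "exclude": ["10.0.8.0/26"]}
BAD_OBJECT = {"network": "192.168.10.0/24", "exclude": ["192.168.20.0/28"]}

if __name__ == "__main__":
    for obj in (OK_OBJECT, BAD_OBJECT):
        print(obj["network"], check_proxy_arp(obj, GATEWAY_NETWORKS) or "no findings")
```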