We use cookies on our website to ensure we provide you with the best experience on our website. By using our website, you agree to the use of cookies for analytics and personalized content.This website uses cookies. More Information
It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda CloudGen Firewall

How to Create Proxy ARP Objects

  • Last updated on

You can configure the Barracuda CloudGen Firewall to answer ARP requests on behalf of a remote interface. It can then accept packets and correctly forward them to the remote host. Proxy ARPs can be treated like additional IP addresses that the firewall responds to when it receives an ARP request. If proxy ARP addresses are in the same address space as the source of a connection request, use them for redirecting and mapping in firewall rule sets. You can also use proxy ARP objects for bridging.

Do not create Proxy ARPs in address spaces where the firewall IP address is configured as the gateway IP address.

You can create a Proxy ARP object as a stand-alone object or in combination with a connection object. However, the proxy ARP object is then dependent on the connection object; if the connection object is deleted, the proxy ARP object is also deleted.

Create a Proxy ARP Object

  1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
  2. In the left menu, expand the Firewall Objects section and click Proxy ARPs.
  3. Click Lock.
  4. Right-click the main pane and select New.
  5. In the Edit/Create a Proxy ARP Object window, configure the settings for your proxy ARP object:

    • Network AddressEnter a single IP address or a complete network.

    • StandaloneTo let the proxy ARP object exist without a referring object (such as a connection object), select this check box. Otherwise, the proxy ARP object is deleted if the referring object is deleted. The Standalone setting is enabled by default.
    • Primary Network InterfaceInterface that is used when responding to an ARP request. You can either enter a specific network interface (e.g., eth1), or select one of the following options:
      • match (default) – ARP requests are answered via the interface that hosts the network.
      • any – ARP requests are answered via any interface.
    • Additional InterfacesAdditional interfaces that are used when responding to ARP requests. Only enter interfaces that do not conflict with the primary network interface. You can enter a space-delimited list of interfaces.
    • Exclude NetworksNetwork addresses that originate from the network entered in the Network Address field. Enter a space-delimited list of addresses to exclude multiple IP networks.
    • Source Address RestrictionNetwork addresses that must be used as the source IP address when responding to ARP requests. Enter a space-delimited list of source addresses.
    • Introduce Route on InterfaceRead-only field that displays the bridging interface route when using the proxy ARP for bridging. For more information, see Bridging.
    • Send Unsolicited ARPTo configure the firewall to propagate specified IP addresses through ARPs, select this check box. The Send Unsolicited ARP setting is enabled by default.

      Unsolicited ARPs can only be sent if the corresponding network interface has an active IP address. The status of the IP address is only verified when the forwarding firewall starts up, such as during an HA takeover or when the firewall rule set changes. The status of the IP address is not verified if the network interface changes into state "up" or if a pending route becomes active, such as when a server IP address is introduced. In this case, only the Proxy ARP is introduced to answer incoming ARP requests.

      parp.png

  6. Click OK.

  7. Click Send Changes and Activate.
Last updated on