
NAT POOL and INCOMPLETE ARP RECORD

Publication Date: 2017-11-15
Issue Description

A PC is connected directly to the USG, simulating a host that wants to reach the destinations in the NAT address pool. The USG interface has 1.1.1.1/24 and the PC has 1.1.1.5/24. The USG also has a NAT address pool configured that contains the address 1.1.1.100; this pool address is not configured on any interface. We ping 1.1.1.100 from the PC to force the PC to send an ARP request.

1) ARP table before ping.

2) ARP table after ping.

Handling Process

Check whether the firewall is dropping packets with discard reason ARP miss, and whether that counter increases while the PC pings the pool address:

Root Cause

When Internet users send packets to addresses in the address pool, the FW cannot find matching server-map entries for them, so it forwards the packets to the router according to its routing table. The router forwards the received packets back to the FW. As a result, the packets loop between the FW and the router until their time to live (TTL) reaches 0 and they are discarded. If malicious Internet users initiate a large number of connections to addresses in the address pool, the performance of both the FW and the router deteriorates.


Solution

To avoid incomplete ARP entries and to protect the firewall from performance degradation:
1) Configure a black-hole route for every IP address in the NAT pool, for example: ip route-static 1.1.1.100 32 NULL0
2) Create a security policy that denies traffic from untrust to untrust whose destination addresses are the IPs in the NAT pool. The discard reason will then be packet filter instead of ARP miss.
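The following Python model is an added example and is not code from the Huawei article or the USG software. It walks one packet through a toy firewall/router pair to show the loop from the Root Cause section (each forwarding decision costs one TTL unit until the packet is dropped) and then the effect of the two mitigations above: the black-hole route wins the route lookup before the packet can be sent back to the router, and the untrust-to-untrust deny policy matches only when no server-map entry exists, so real NAT sessions are unaffected. The class and function names (Firewall, Router, simulate) are hypothetical; the pool address 1.1.1.100 is the one used on the page.

```python
"""Added example (not from the Huawei article): a toy model of the forwarding loop that
the Root Cause section describes, and of the two mitigations from the Solution section.
The class and function names are hypothetical; the pool address 1.1.1.100 is the one
used on the page."""
import ipaddress
from dataclasses import dataclass, field

NAT_POOL = ipaddress.ip_network("1.1.1.100/32")          # NAT address pool from the page
POOL_ADDRESS = ipaddress.ip_address("1.1.1.100")


@dataclass
class Packet:
    dst: ipaddress.IPv4Address
    ttl: int = 64
    src_zone: str = "untrust"     # Internet-side traffic enters the FW from the untrust zone


@dataclass
class Firewall:
    """Hypothetical model of the USG forwarding decision for one packet."""
    server_map: set = field(default_factory=set)   # pool addresses with a live server-map entry
    blackhole: set = field(default_factory=set)    # prefixes with 'ip route-static ... NULL0'
    deny_untrust_to_pool: bool = False             # untrust -> untrust deny policy for pool IPs

    def forward(self, pkt):
        # A matching server-map entry means the packet is translated and sent to the inside host.
        if pkt.dst in self.server_map:
            return "delivered", None
        # Mitigation 2: with no server-map entry the packet would leave through the same
        # untrust zone it came from, so an untrust -> untrust deny policy matches it.
        if self.deny_untrust_to_pool and pkt.src_zone == "untrust" and pkt.dst in NAT_POOL:
            return "discard", "packet filter"
        # Mitigation 1: a /32 black-hole route is more specific than the default route
        # that would otherwise send the packet back to the router.
        if any(pkt.dst in net for net in self.blackhole):
            return "discard", "black hole route"
        # No mitigation: route lookup hits the default route and the packet goes back out.
        pkt.ttl -= 1
        if pkt.ttl == 0:
            return "discard", "ttl expired"
        return "router", None


class Router:
    """The upstream router only knows that the pool prefix is reached through the FW."""
    def forward(self, pkt):
        if pkt.dst not in NAT_POOL:
            return "discard", "no route"
        pkt.ttl -= 1
        if pkt.ttl == 0:
            return "discard", "ttl expired"
        return "firewall", None


def simulate(fw, dst="1.1.1.100", ttl=64):
    """Walk one packet, starting at the FW, until it is delivered or discarded.
    Returns (outcome, discard_reason, number_of_forwarding_decisions)."""
    pkt = Packet(ipaddress.ip_address(dst), ttl)
    router = Router()
    where, hops = "firewall", 0
    while True:
        hops += 1
        outcome, reason = (fw if where == "firewall" else router).forward(pkt)
        if outcome in ("delivered", "discard"):
            return outcome, reason, hops
        where = outcome


if __name__ == "__main__":
    cases = {
        "no mitigation": Firewall(),
        "black-hole route": Firewall(blackhole={NAT_POOL}),
        "deny policy": Firewall(deny_untrust_to_pool=True),
        "server-map present + deny policy": Firewall(server_map={POOL_ADDRESS},
                                                     deny_untrust_to_pool=True),
    }
    for name, fw in cases.items():
        print(f"{name:34s} -> {simulate(fw)}")
```

With the default TTL of 64 and no mitigation, the packet is handled 64 times (32 passes through the FW) before the router drops it on TTL expiry; with either mitigation the FW drops it on the first decision, and the discard reason changes from a TTL/ARP problem to the explicit black-hole route or packet filter, which is what the Solution section says to look for.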

END