FAQ-How Does the USG Respond to ARP Requests

Publication Date: 2015-07-01
Issue Description
How Does the USG Respond to ARP Requests?
Solution
When the peer sends an ARP request for the real IP address of the interface, the firewall replies with the real MAC address of the interface.

When the peer sends an ARP request for the VRRP virtual IP address, the current active firewall replies with the virtual MAC address corresponding to the VRRP ID; the standby firewall does not respond.

If the peer sends an ARP request for an IP address in the NAT address pool, that address resides on the same network segment as the IP address of the inbound interface, and the NAT address pool is bound to VRRP, the current active firewall replies with the virtual MAC address corresponding to the VRRP ID and the standby firewall does not respond. If the NAT address pool is not bound to VRRP, both the active and the standby firewall reply with the real MAC address of the interface. Therefore, in dual-system hot backup, the NAT address pool must be bound to the VRRP ID of the interface.
    For example, if the destination IP address of the ARP request is an IP address in the NAT address pool, the device responds.
    Run the nat address-group 1 172.16.16.111 172.16.16.120 command on the USG.
    When the destination IP address of the ARP request is within 172.16.16.111 to 172.16.16.120, both the active and standby devices respond to the request.

If the peer sends an ARP request for the global IP address of NAT Server, that address resides on the same network segment as the IP address of the inbound interface, and NAT Server is bound to VRRP, the current active firewall replies with the virtual MAC address corresponding to the VRRP ID and the standby firewall does not respond. If NAT Server is not bound to VRRP, both the active and the standby firewall reply with the real MAC address of the interface. Therefore, in dual-system hot backup, NAT Server must be bound to the VRRP ID of the interface.
    For example, if the destination IP address of the ARP request is the global IP address of NAT Server, the device responds.
    Run the nat server global 172.16.16.121 inside 192.168.0.1 command on the USG.
    When the destination IP address of the ARP request is 172.16.16.121, the device responds to the request.

ARP proxy: The USG responds with the real interface MAC address under the following conditions:
    The source IP address resides on the same network segment as the IP address of the inbound interface but on a different network segment from the destination IP address.
    The USG has a route to the destination IP address, and the outbound interface of that route differs from the inbound interface on which the packets from the source IP address arrive.
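The following Python model is an added example, not Huawei code and not an interface of the USG; it encodes the reply rules listed above (real interface address, VRRP virtual address, NAT address pool, NAT Server global address and ARP proxy) so that an engineer can check, for a given active/standby pair, which unit answers an ARP request and with which MAC. The NAT pool 172.16.16.111-172.16.16.120 and the NAT Server global address 172.16.16.121 come from the FAQ; the interface addresses, VRID 1, the VRRP virtual IP, the routing table and the real MAC are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Assumed (placeholder) real MAC address of the inbound interface.
REAL_MAC = "00:e0:fc:11:22:33"


def vrrp_virtual_mac(vrid: int) -> str:
    """IPv4 VRRP virtual MAC, 00-00-5E-00-01-{VRID} (RFC 5798 format)."""
    return f"00:00:5e:00:01:{vrid:02x}"


@dataclass
class Firewall:
    role: str                                   # "active" or "standby"
    iface_ip: str                               # real address of the inbound interface, e.g. "172.16.16.2/24"
    vrrp_vrid: int
    vrrp_vip: str
    nat_pool: Optional[Tuple[str, str]] = None  # (first, last) address of the NAT address pool
    nat_pool_vrid: Optional[int] = None         # VRID the pool is bound to; None = not bound
    nat_server_global: Optional[str] = None
    nat_server_vrid: Optional[int] = None       # VRID NAT Server is bound to; None = not bound
    routes: Dict[str, str] = field(default_factory=dict)  # prefix -> outbound interface name
    iface_name: str = "GE1/0/0"                 # assumed name of the inbound interface

    def _iface(self) -> ipaddress.IPv4Interface:
        return ipaddress.ip_interface(self.iface_ip)

    def _same_segment(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in self._iface().network

    def _in_nat_pool(self, ip: str) -> bool:
        if self.nat_pool is None:
            return False
        first, last = (ipaddress.ip_address(a) for a in self.nat_pool)
        return first <= ipaddress.ip_address(ip) <= last

    def _nat_reply(self, bound_vrid: Optional[int]) -> Optional[str]:
        """Reply for a NAT pool / NAT Server address that lies on the interface's segment."""
        if bound_vrid is None:
            return REAL_MAC  # not bound to VRRP: active AND standby both answer with the real MAC
        return vrrp_virtual_mac(bound_vrid) if self.role == "active" else None

    def _route_lookup(self, ip: str) -> Optional[str]:
        """Longest-prefix match over the toy routing table; returns the outbound interface."""
        addr = ipaddress.ip_address(ip)
        best = None
        for prefix, out_if in self.routes.items():
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, out_if)
        return best[1] if best else None

    def answer_arp(self, sender_ip: str, target_ip: str) -> Optional[str]:
        """MAC this unit puts in its ARP reply, or None if it stays silent."""
        # 1. Real interface address: always answered with the real MAC.
        if ipaddress.ip_address(target_ip) == self._iface().ip:
            return REAL_MAC
        # 2. VRRP virtual address: only the active unit answers, with the virtual MAC.
        if target_ip == self.vrrp_vip:
            return vrrp_virtual_mac(self.vrrp_vrid) if self.role == "active" else None
        # 3. NAT address pool on the interface's segment.
        if self._in_nat_pool(target_ip) and self._same_segment(target_ip):
            return self._nat_reply(self.nat_pool_vrid)
        # 4. NAT Server global address on the interface's segment.
        if target_ip == self.nat_server_global and self._same_segment(target_ip):
            return self._nat_reply(self.nat_server_vrid)
        # 5. ARP proxy: sender on our segment, target on another segment reachable
        #    through a route whose outbound interface is not the inbound one.
        if self._same_segment(sender_ip) and not self._same_segment(target_ip):
            out_if = self._route_lookup(target_ip)
            if out_if is not None and out_if != self.iface_name:
                return REAL_MAC
        return None


def build_pair(bind_nat_to_vrrp: bool) -> Tuple[Firewall, Firewall]:
    """Active/standby pair with the FAQ's NAT pool and NAT Server; VRID 1 and addresses assumed."""
    common = dict(
        vrrp_vrid=1, vrrp_vip="172.16.16.1",
        nat_pool=("172.16.16.111", "172.16.16.120"),
        nat_pool_vrid=1 if bind_nat_to_vrrp else None,
        nat_server_global="172.16.16.121",
        nat_server_vrid=1 if bind_nat_to_vrrp else None,
        routes={"10.0.0.0/8": "GE1/0/1"},
    )
    return (Firewall(role="active", iface_ip="172.16.16.2/24", **common),
            Firewall(role="standby", iface_ip="172.16.16.3/24", **common))


def responders(bind_nat_to_vrrp: bool, sender_ip: str, target_ip: str) -> Dict[str, Optional[str]]:
    """Which units answer an ARP request from sender_ip for target_ip, and with what MAC."""
    active, standby = build_pair(bind_nat_to_vrrp)
    return {"active": active.answer_arp(sender_ip, target_ip),
            "standby": standby.answer_arp(sender_ip, target_ip)}


if __name__ == "__main__":
    for bound in (True, False):
        print(f"NAT bound to VRRP: {bound}")
        for target in ("172.16.16.2", "172.16.16.1", "172.16.16.115", "172.16.16.121", "10.1.2.3"):
            print(f"  who-has {target}: {responders(bound, '172.16.16.50', target)}")
```

The unbound case is the one the FAQ warns about: for 172.16.16.115 or 172.16.16.121 both units return a reply, so the peer's ARP cache ends up pointing at whichever unit answered last, which may be the standby.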
