A PC has been connected directly to the USG (simulating someone who wants to reach the destinations in the NAT address pool). The USG has 220.127.116.11/24, the PC has 18.104.22.168/24. The USG also has a NAT pool configured, containing the address 22.214.171.124. This NAT pool address is not configured on any interface. We ping 126.96.36.199 from the PC to force the PC to send an ARP request.
1) ARP table before ping.
2) ARP table after ping.
Check whether packets are dropped (ARP miss) and whether the counter increases:
When Internet users send packets to the addresses in the address pool, the FW cannot find matching server-map entries for the packets. Therefore, the FW forwards the packets back to the router based on the routing table. The router then forwards the received packets to the FW again. As a result, the packets loop between the FW and the router until their time to live (TTL) values decrease to 0 and the packets are discarded. If malicious Internet users initiate a large number of connections to addresses in the address pool, the performance of both the FW and the router deteriorates.
To avoid incomplete ARP records and to protect the firewall from this performance degradation:
1) Apply black-hole routes for all the IP addresses in the NAT pool, like this: ip route-static 1.11.100/32 NULL 0
2) Create security policies that deny traffic from untrust -> untrust with the NAT pool IPs as the destination address. The discard reason will then no longer be ARP miss, but packet filter discard.
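The loop and both fixes, as an added model written for this note (not code from the original or from Huawei). The topology and addresses are constructed: 203.0.113.0/24 stands in for the NAT pool subnet, the FW and the upstream router each route that subnet toward the other, and only the routing behaviour is modelled, not the ARP side. It shows that an unused pool address bounces between the two devices until the TTL reaches 0, while a /32 route to NULL0 or an untrust->untrust deny policy on the FW drops the packet before it is forwarded even once.

```python
# Added example: models the FW<->router loop for an unused NAT pool address
# and the two mitigations (black-hole route, deny policy). Addresses are constructed.
import ipaddress

POOL = ipaddress.ip_network("203.0.113.0/24")              # constructed pool subnet
UNUSED_POOL_ADDR = ipaddress.ip_address("203.0.113.100")   # pool address with no server-map entry

def lookup(table, dst):
    """Longest-prefix match over a list of (network, next_hop) entries."""
    best = None
    for net, nh in table:
        net = ipaddress.ip_network(net)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None

def forward(fw_table, router_table, server_map, deny_dsts, dst, ttl=64):
    """Follow one Internet packet that arrives at the FW. Returns (verdict, hops)."""
    device, hops = "FW", 0
    while True:
        if device == "FW":
            if dst in server_map:               # matching NAT entry: translate and deliver
                return "delivered", hops
            if dst in deny_dsts:                # untrust -> untrust deny policy on the FW
                return "packet-filter-discard", hops
        table = fw_table if device == "FW" else router_table
        nh = lookup(table, dst)
        if nh == "NULL0":                       # black-hole route: dropped, no forwarding
            return "blackholed", hops
        if nh is None:
            return "no-route", hops
        ttl -= 1                                # every forward costs one TTL
        hops += 1
        if ttl == 0:
            return "ttl-expired", hops
        device = nh                             # packet now sits at the other device

def simulate(blackhole=False, deny_policy=False, ttl=64):
    """Run the scenario with or without the two mitigations."""
    fw_table = [("0.0.0.0/0", "ROUTER")]                      # FW default route to the router
    if blackhole:                                             # ip route-static <addr>/32 NULL 0
        fw_table.append((f"{UNUSED_POOL_ADDR}/32", "NULL0"))
    router_table = [(str(POOL), "FW")]                        # router sends the pool to the FW
    server_map = set()                                        # no session uses this address
    deny = {UNUSED_POOL_ADDR} if deny_policy else set()
    return forward(fw_table, router_table, server_map, deny, UNUSED_POOL_ADDR, ttl)

if __name__ == "__main__":
    print("no mitigation:  ", simulate())
    print("black-hole route:", simulate(blackhole=True))
    print("deny policy:     ", simulate(deny_policy=True))
```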