Publication Date:  2019-07-11 Views:  736 Downloads:  0

Issue Description

A PC has been connected directly to the USG (simulating someone who wants to reach the destinations in the NAT address pool). USG has, PC has. USG has also a NAT pool configured, containing the address. This NAT pool address is not configured on any interface. We ping from the PC to force the PC to send an ARP request.

1) ARP table before ping.

2) ARP table after ping


Handling Process

Check whether packets are being dropped (ARP miss) and whether the counter increases:

Root Cause

When Internet users send packets to the addresses in the address pool, the FW cannot find matching server-map entries for the packets. Therefore, the FW loops the packets to the router based on the routing table. The router then forwards the received packets to the FW again. As a result, the packets loop between the FW and router. After the time to live (TTL) values in packets decrease to 0, the packets are discarded. If malicious Internet users initiate a large number of connections to addresses in the address pool, the performance of both the FW and router deteriorates.



To avoid incomplete ARP entries and to protect the firewall from performance deterioration:
1) Apply black-hole routes for all the IP addresses in the NAT pool, like this: ip route-static 1.11.100/32 NULL 0
2) Create security policies that deny traffic from untrust -> untrust with the destination address set to the IPs in the NAT pool. The discard reason will then no longer be ARP miss but packet filter discard.
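The loop in the Root Cause section and the effect of the black-hole routes, as an added Python model (not Huawei code and not part of the original article). The pool, server-map and interface addresses are constructed for the demonstration, and the emitted route command follows the form written on this page; check it against your USG's CLI reference before pasting.

```python
from ipaddress import ip_address, ip_network

# Constructed values for the demonstration (not from the original article).
NAT_POOL = ip_network("203.0.113.0/29")        # pool addresses not bound to any interface
SERVER_MAP = {ip_address("203.0.113.1")}        # pool addresses with a live server-map entry
INTERFACE_ADDRS = {ip_address("203.0.113.0")}   # never black-hole an address an interface owns

def forward(dst, ttl, blackholes=frozenset(), server_map=SERVER_MAP):
    """Simulate one packet bouncing between the router and the FW.
    Returns (hops_taken, outcome). The router always routes the pool prefix to
    the FW; the FW translates if a server-map entry exists, drops if a black-hole
    route matches, otherwise its default route sends the packet back to the router."""
    dst = ip_address(dst)
    hops, node = 0, "router"
    while ttl > 0:
        if node == "fw":
            if dst in server_map:
                return hops, "translated"
            if dst in blackholes:
                return hops, "blackholed"
        ttl -= 1                                   # each device decrements TTL
        hops += 1
        node = "fw" if node == "router" else "router"   # packet loops between the two
    return hops, "ttl_expired"

def blackholed_set(pool=NAT_POOL, interface_addrs=INTERFACE_ADDRS):
    """Pool addresses that get a /32 black-hole route (interface addresses excluded)."""
    return frozenset(a for a in pool if a not in interface_addrs)

def blackhole_routes(pool=NAT_POOL, interface_addrs=INTERFACE_ADDRS):
    """One black-hole route per pool address, in the command form used on this page."""
    return [f"ip route-static {a}/32 NULL 0" for a in sorted(blackholed_set(pool, interface_addrs))]

if __name__ == "__main__":
    print(forward("203.0.113.2", 64))                    # loops until TTL hits 0
    print(forward("203.0.113.2", 64, blackholed_set()))  # dropped on the first FW pass
    print("\n".join(blackhole_routes()))
```

A server-map hit is checked before the black-hole route, so the routes do not affect addresses that currently have active NAT mappings.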