Use local.arp entries if you're doing manual NAT or if the automatically NATed objects are outside the external network.

Check Global Properties -> NAT -> Merge manual proxy ARP configuration; this should be active.

The file local.arp is located in the directory $FWDIR/conf:

# vi $FWDIR/conf/local.arp

Find the MAC-address of the external interface:

# ifconfig ethx | grep -e Link -e inet
ethx      Link encap:Ethernet  HWaddr AA:BB:CC:DD:EE:FF
          inet addr:  Bcast:  Mask:

Set ethx to the appropriate interface, e.g. eth1.
Make an entry in the file $FWDIR/conf/local.arp:     AA:BB:CC:DD:EE:FF   # comment
  • create an object for
  • create NAT-Rules (static or in object)
  • push the policy

On the firewall-node execute the following command:

fw ctl arp
servername_if_dns_is_set ( at aa-bb-cc-dd-ee-ff interface

Every time you edit a local.arp entry, you have to push the policy and check the entry with the fw ctl arp command again.
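
A pre-push sanity check for the file edited above, as an added example that is not part of the original page or of Check Point's tooling. It assumes each entry is a NAT IPv4 address followed by the external interface MAC with an optional "# comment"; the function names check_local_arp and valid_ip are hypothetical and the sample addresses are constructed.

```shell
#!/bin/sh
# Added example: lint local.arp before pushing policy.
# Assumption: one entry per line, "<NAT IPv4> <MAC>", optional "# comment".

valid_ip() {   # succeeds only for a dotted quad with octets 0-255
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1; done
}

# check_local_arp FILE EXPECTED_MAC
# Reports each bad line on stderr; exit status = number of bad lines.
check_local_arp() {
    want=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    bad=0; n=0; seen=' '
    while read -r ip mac extra; do
        n=$((n + 1)); err=
        [ -z "$ip" ] && continue                 # blank or comment-only line
        mac=$(printf '%s' "$mac" | tr 'a-f' 'A-F')
        if [ -z "$mac" ] || [ -n "$extra" ]; then err="expected <IP> <MAC>"
        elif ! valid_ip "$ip"; then err="bad IPv4 address '$ip'"
        elif ! printf '%s\n' "$mac" | grep -Eq '^([0-9A-F]{2}:){5}[0-9A-F]{2}$'
        then err="malformed MAC '$mac'"
        elif [ "$mac" != "$want" ]; then err="MAC $mac is not the interface MAC $want"
        else case $seen in *" $ip "*) err="duplicate entry for $ip" ;; esac
        fi
        seen="$seen$ip "
        if [ -n "$err" ]; then echo "line $n: $err" >&2; bad=$((bad + 1)); fi
    done <<EOF
$(sed 's/#.*//' "$1")
EOF
    return "$bad"
}

# Constructed sample (documentation addresses; MAC is the page's placeholder).
sample=$(mktemp)
cat > "$sample" <<'EOF'
203.0.113.10 AA:BB:CC:DD:EE:FF   # web server NAT
203.0.113.11 aa:bb:cc:dd:ee:ff
203.0.113.300 AA:BB:CC:DD:EE:FF
203.0.113.12 AA:BB:CC:DD:EE:F0
203.0.113.10 AA:BB:CC:DD:EE:FF
AA:BB:CC:DD:EE:FF                # IP missing
EOF
check_local_arp "$sample" AA:BB:CC:DD:EE:FF || echo "$? problem line(s)"
```

A non-zero exit status means at least one entry would not answer ARP as intended, so fix the file before pushing the policy and confirming with fw ctl arp.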