How a local.arp may be ignored
When you transfer text files between Linux and Windows with FTP and edit them on both operating systems, the files can end up containing non-printable characters. When you open such a file on a Linux OS like Gaia you will not see those characters. If this happens to a Check Point configuration file you may end up pulling your hair out over the weird issues that follow. The solution, however, is simple, and there is no need to contact Check Point TAC for an investigation.
So what exactly is the issue here? It's all about EOL. Not End of Life, but End of Line. Popular operating systems like Windows and Linux do not use the same code for EOL: Windows uses CRLF, Linux uses only LF. CR stands for Carriage Return and LF stands for Line Feed. The crucial thing to note is that Windows adds an extra code at the end of every line. And there is a big chance you use Windows too, since as a Check Point engineer you need SmartConsole installed on a Windows OS. More information about EOL can be found on Wikipedia.
I have a real example for you that happened to me when replacing a VSX node that had hardware issues. How to replace a VSX node is described in sk101515. In that SK you are instructed to restore files like fwkern.conf and local.arp. The file local.arp is typically one you do not want to restore as-is, because the MAC addresses change when a VSX node is replaced. Therefore you need to replace the MAC addresses in local.arp with the correct ones from the new VSX node. If you have the file on Windows and open it with Notepad++, it converts the EOL to the Windows coding. Super useful, right? Yes and no. From that moment on you have an extra EOL code that is not used in Linux. It is also not visible when opening the file (after it has been transferred back to the firewall) with commands like vi or cat:
[Expert@FW01:0]# cat local.arp
10.3.17.25 00:12:C1:AE:B3:00
10.3.17.26 00:12:C1:AE:B3:00
10.3.17.27 00:12:C1:AE:B3:00
10.3.17.28 00:12:C1:AE:B3:00
10.3.17.29 00:12:C1:AE:B3:00
10.3.17.30 00:12:C1:AE:B3:00
File seems to be OK, right? Push the firewall policy now and you’ll see these ARP entries aren’t there.
How do you make those non-printable characters visible? Simply use the -A option of cat, for example:
[Expert@FW01:0]# cat -A local.arp
10.3.17.25 00:12:C1:AE:B3:00^M$
10.3.17.26 00:12:C1:AE:B3:00^M$
10.3.17.27 00:12:C1:AE:B3:00^M$
10.3.17.28 00:12:C1:AE:B3:00^M$
10.3.17.29 00:12:C1:AE:B3:00^M$
10.3.17.30 00:12:C1:AE:B3:00^M$
At the end of each line you see ^M$. The ^M (CTRL-M) is the CR that was added when the file was edited on Windows; the $ marks the LF. Had you pushed the firewall policy, the entries in local.arp would have been ignored. So, how do you get rid of the ^M in an easy way? Use the tool dos2unix for that:
[Expert@FW01:0]# dos2unix local.arp
When you view the file again you’ll see that ^M is removed.
[Expert@FW01:0]# cat -A local.arp
10.3.17.25 00:12:C1:AE:B3:00$
10.3.17.26 00:12:C1:AE:B3:00$
10.3.17.27 00:12:C1:AE:B3:00$
10.3.17.28 00:12:C1:AE:B3:00$
10.3.17.29 00:12:C1:AE:B3:00$
10.3.17.30 00:12:C1:AE:B3:00$
Push the firewall policy (again) and you’ll see that local.arp is now loaded (when issuing fw ctl arp -n). Another problem solved.
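The check-and-fix procedure above, as an added example that is not part of the original post and not a Check Point tool: a small POSIX shell script that counts CR-terminated lines in a local.arp-style file, validates that every line has the expected "IPv4 MAC" shape (a CR at the end makes the line fail), and strips the CRs with tr, which is what dos2unix does for this case. The sample file content is constructed here; the path, function names and the regex are my own assumptions, and the validator does not accept blank or comment lines.

```shell
#!/bin/sh
# Added example, not from the original post. Detect and repair CRLF line
# endings in a Check Point local.arp-style file before pushing policy.

# Write a constructed sample file with Windows (CRLF) line endings.
make_sample_crlf() {
  f="${1:-${TMPDIR:-/tmp}/local.arp.sample}"
  printf '10.3.17.25 00:12:C1:AE:B3:00\r\n10.3.17.26 00:12:C1:AE:B3:00\r\n' > "$f"
  echo "$f"
}

# Count lines that end with a carriage return. A non-zero count means the
# file was saved with Windows line endings (what "cat -A" shows as ^M$).
count_cr_lines() {
  grep -c "$(printf '\r')" "$1" || true
}

# Validate every line as "<IPv4> <MAC>" (assumed local.arp format).
# Prints offending lines as "lineno:content" and returns 1 if any exist;
# a trailing CR is part of the line for grep, so CRLF lines fail the $ anchor.
validate_local_arp() {
  pat='^[0-9]{1,3}(\.[0-9]{1,3}){3} ([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
  if grep -vnE "$pat" "$1"; then
    return 1
  fi
  return 0
}

# Strip carriage returns in place, keeping a .bak copy (dos2unix equivalent).
strip_cr() {
  cp "$1" "$1.bak"
  tr -d '\r' < "$1.bak" > "$1"
}

# Demo run on the constructed sample.
sample=$(make_sample_crlf)
echo "CR-terminated lines before: $(count_cr_lines "$sample")"
validate_local_arp "$sample" || echo "local.arp has malformed lines, fixing"
strip_cr "$sample"
echo "CR-terminated lines after: $(count_cr_lines "$sample")"
validate_local_arp "$sample" && echo "local.arp is clean"
```

Run the validator before pushing policy whenever local.arp has been touched on Windows; the line numbers it prints are the ones cat -A would show ending in ^M$.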