ZuluAlpha,
Step 6 of testing from the Firewall, the only other device in the DMZ on that subnet, did not come back with anything; ICMP is turned off from other networks so I couldn't test outside of that.
JohnP,
Yes, this is a new install, but it has been in place since mid-April.
After learning some about the MSL and some new Linux commands today we finally figured out what was going on; sort of.
So, apparently whenever an MSL based server starts up and before it applies whatever IP Address that is in the configuration file it will perform an arping to determine if that IP Address is in use somewhere else; if the IP Address is in use elsewhere it will assign 0.0.0.0 to the interface instead. So, in order to figure out what was replying to the arping command when the server booted up we performed the following steps from the root account.
1. Set the MSL to another IP on the same subnet via the ifconfig command.
Note: By the way this IP Address will not stay on a reboot of the server as it will clear it out and be replaced by what is in the configuration file; if it can.
2. Used the arping command we got a reply from that IP Address with a MAC Address.
We were then able to determine via the OUI [first three octets of the MAC Address] that the Firewall was returning itself as having that IP Address even though it isn't configured anywhere in it. The odd thing is that the MAC Address that replied to the arping was assigned as the Gateway for the DMZ subnet the MSL was in.
The customer opened up a ticket with Checkpoint to try and figure out why it is doing that.
Thanks,
TE