vulcan603
New Member
June 22, 2018
Question

VIP needs "Config Firewall VIP / Set arp-reply enable" before it will operate.

  • 1 reply
  • 9878 views

Hi All,

New 500E cluster running 5.4.8. Running VDOMs.

We migrated from a Checkpoint to Fortigate last night. The Fortigate had 2 VIPs with the interfaces all disabled.

Checkpoint was shut down. Fortigate interfaces enabled.

The VIPs NAT to some web servers. I could not see any traffic hit the Fortigate when I was generating it on my phone to our web servers. In order for the VIP to start working I had to "set arp-reply enable" on the VIP, then all started working!

I know that a VIP should respond to ARP by default, and only if you want to disable it can you do so.

I am confused as to why I had to enable this on the VIP, as in all my prior deployments of Fortigate I have never needed to do this.

    Toshi_Esumi
    SuperUser
    June 23, 2018

    What version is it? I tested with my 50E w/ 5.6.4. As soon as I created a new VIP, arp-reply was enabled. You might want to open a ticket with TAC.

    fg50e # config firewall vip
    fg50e (vip) # edit testVIP1
    new entry 'testVIP1' added
    fg50e (testVIP1) # get
    name                : testVIP1
    id                  : 0
    uuid                : e99c3462-76b4-51e8-0338-ca066d462749
    comment             :
    type                : static-nat
    src-filter          :
    service             :
    extip               : 0.0.0.0
    extintf             :
    arp-reply           : enable       <---
    nat-source-vip      : disable
    portforward         : disable
    gratuitous-arp-interval: 0
    srcintf-filter      :
    color               : 0
    mappedip            :

    ede_pfau
    SuperUser
    June 23, 2018

    Same situation here with v5.4.9 on a 60E, arp enabled by default.

    dkraljevich
    New Member
    November 3, 2020
    Hello, as I understand in the milestone of that case, it says that arp-reply is enabled by default; according to the following KB, from 5.4.x it is the default.

    https://kb.fortinet.com/k....do?externalID=FD38566
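
A pre-cutover check for the situation discussed in this thread, as an added example that is not part of any post here and is not Fortinet tooling: it scans a configuration backup for VIPs that carry `set arp-reply disable`, per VDOM. It assumes the backup records only non-default settings, so a VIP without that line has arp-reply enabled; the sample config, the function name and the addresses are constructed for illustration.

```python
# Constructed sample in the style of a FortiOS config backup (not from the thread).
SAMPLE = """\
config vdom
edit "root"
config firewall vip
    edit "web1"
        set extip 203.0.113.10
        set extintf "wan1"
        set arp-reply disable
        set mappedip "10.0.0.10"
    next
    edit "web2"
        set extip 203.0.113.11
        set extintf "wan1"
        set mappedip "10.0.0.11"
    next
end
end
"""


def vips_with_arp_reply_disabled(config_text):
    """Return [(vdom, vip_name)] for every VIP carrying 'set arp-reply disable'."""
    findings, stack, vdom, vip = [], [], None, None
    for raw in config_text.splitlines():
        line = raw.strip()
        top = stack[-1] if stack else None  # innermost open 'config' section
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line == "end" and stack:
            if stack.pop() == "vdom":
                vdom = None
        elif line.startswith("edit "):
            name = line[len("edit "):].strip().strip('"')
            if top == "vdom":
                vdom = name
            elif top == "firewall vip":
                vip = name
        elif line == "next" and top == "firewall vip":
            vip = None
        elif line == "set arp-reply disable" and top == "firewall vip" and vip:
            findings.append((vdom, vip))
    return findings


if __name__ == "__main__":
    for vdom, name in vips_with_arp_reply_disabled(SAMPLE):
        print(f"VDOM {vdom or '-'}: VIP {name} has arp-reply disabled")
```

A VIP flagged here will not answer ARP for its external IP, which matches the symptom of no traffic reaching the firewall after the old gateway is shut down.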