Description | This article describes why a FortiGate in transparent (TP) mode drops reverse (return) packets with a 'drop broadcast: ...' message. |
Scope | FortiGate. |
Solution |
Diagram:
Packet in original direction flows as: Client >> LAN router >> FortiGate >> ISP router
This happens when the client's MAC address is not in the bridge forwarding table, even if the return packet matches the correct session (for TCP sessions). In TP mode, the FortiGate supports reflection sessions (traffic can go back and forth across the bridge several times), so the FortiGate cannot simply forward the return packet on a session match alone; without a forwarding-table entry for the client's MAC, the packet is treated as a broadcast and dropped.
Select one of these solutions:
1) Add the client's MAC address to the FortiGate's ARP table.
2) Create a reverse-direction policy to allow the traffic. |
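As an added illustration that is not part of the Fortinet article, the two solutions written out as FortiOS CLI, preceded by the check a practitioner would run first. The interface names (port1 on the LAN router side, port2 on the ISP router side), the client IP 192.0.2.10, the MAC address 00:11:22:33:44:55 and the policy name are constructed placeholders; substitute your own values.

```fortios
# Added example, not from the Fortinet article. port1/port2, 192.0.2.10,
# 00:11:22:33:44:55 and the policy name are constructed placeholders.

# Check first: is the client's MAC present in the bridge forwarding table?
# root.b is the bridge of the root VDOM in transparent mode.
diagnose netlink brctl name host root.b

# Solution 1: static ARP entry so the FortiGate learns the client's MAC
config system arp-table
    edit 1
        set interface port1
        set ip 192.0.2.10
        set mac 00:11:22:33:44:55
    next
end

# Solution 2: reverse-direction policy, ISP router side to LAN router side
config firewall policy
    edit 0
        set name "isp-to-lan-return"
        set srcintf port2
        set dstintf port1
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
    next
end
```

Run the `diagnose netlink brctl` check again after applying either change: the client's MAC should now appear against the LAN-side interface and the 'drop broadcast' message should stop. Solution 2 uses `all` for addresses and service only to keep the example short; in production, restrict srcaddr, dstaddr and service to the return traffic you actually expect, since a reverse-direction policy otherwise admits new connections from the ISP side as well.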