Help
FortiClient
FortiClient proactively defends against advanced attacks. Its tight integration with the Security Fabric enables policy-based automation to contain threats and control outbreaks. FortiClient is compatible with Fabric-Ready partners to further strengthen enterprises’ security posture.
kjiye
Staff
Staff

Created on ‎03-22-2023 07:13 AM

Article Id 249923

Troubleshooting Tip: What causes FortiGate to block packets in reverse direction in transparent mode

Description This article describes why FortiGate blocks reverse packets with a 'drop broadcast: ...' message when in TP mode.
Scope FortiGate.
Solution

Diagram:

 

Packet in original direction flows as: Client >> LAN router >> FortiGate >> ISP router
Packet in reverse direction should flow as: ISP router >> FortiGate >> Client

 

This happens when the client's MAC address is not in the bridge forwarding table (even if the correct session matches the return packet for TCP sessions).

In TP mode, the FortiGate supports reflection sessions (traffic can back and forth several times), so FortiGate cannot simply just match sessions.

 

It is possible to select one of these solutions.

1) Add mac address to FortiGate's ARP table

2) Create a reverse direction policy to allow the traffic.
571
0 Kudos
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.