Description
Solution
# config firewall vip
    edit <name>
        set arp-reply disable    (default: enable)
    next
end
# config firewall ippool
    edit <name>
        set arp-reply disable    (default: enable)
    next
end
'set arp-reply disable' is used when the IP addresses in the VIP/IP pool overlap with another device on the network. With arp-reply disabled, the FortiGate sends an ARP request for the addresses defined in the VIP/IP pool whenever it needs to send traffic to the unit that actually owns those IP addresses, instead of treating them as its own.
'set arp-reply enable' (the default) means that the FortiGate answers ARP requests for the IP address(es) defined in the VIP/IP pool.
NOTE: Until FortiOS 6.4.9 / 7.0.1, all IP addresses in an IP pool or VIP are treated as local IPs when arp-reply is enabled (following the FortiOS logic that one IP can be bound to only one interface). Since the above-mentioned releases, IP pool / VIP IP addresses are no longer considered local.
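The practical risk described above is a VIP or IP pool whose addresses are already owned by another host: with arp-reply enabled the FortiGate answers ARP for them and the network ends up with two devices claiming the same IP. The following Python script is an added example (not Fortinet's code and not part of this article) that parses a FortiOS configuration excerpt, treats arp-reply as enabled unless 'set arp-reply disable' is present, and reports which VIP/IP pool address ranges with ARP reply active contain an address from a list of known hosts. The configuration text and the host list are constructed for the example; the keys extip, startip and endip are standard FortiOS CLI attributes, but the assumption that a device's full config dump is available for parsing is the script's own.

```python
import ipaddress

# Constructed FortiOS configuration excerpt (not a real device dump).
# 'web-vip' and 'snat-pool' leave arp-reply at its default (enable);
# 'shared-vip' explicitly disables it.
SAMPLE_CONFIG = """\
config firewall vip
    edit "web-vip"
        set extip 192.0.2.10
        set mappedip "10.0.0.10"
        set extintf "port1"
    next
    edit "shared-vip"
        set extip 192.0.2.20-192.0.2.22
        set mappedip "10.0.0.20-10.0.0.22"
        set arp-reply disable
    next
end
config firewall ippool
    edit "snat-pool"
        set startip 192.0.2.100
        set endip 192.0.2.110
    next
end
"""

# Only these two top-level tables are of interest for the ARP check.
_TABLES = {"config firewall vip": "vip", "config firewall ippool": "ippool"}


def parse_fortios_objects(text):
    """Parse VIP and IP pool entries from FortiOS CLI text.

    Returns a list of dicts {"table": "vip"|"ippool", "name": str, "settings": {key: value}}.
    Nested sub-tables inside an entry (e.g. realservers) are skipped via depth tracking.
    """
    objects = []
    table = None      # table we are currently inside at depth 1
    depth = 0         # nesting depth of 'config' blocks
    current = None    # entry being built between 'edit' and 'next'
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            if depth == 0:
                table = _TABLES.get(line)
            depth += 1
        elif line == "end":
            depth -= 1
            if depth == 0:
                table = None
        elif depth != 1 or table is None:
            continue  # outside a table of interest or inside a nested sub-table
        elif line.startswith("edit "):
            current = {"table": table, "name": line[5:].strip().strip('"'), "settings": {}}
        elif line == "next" and current is not None:
            objects.append(current)
            current = None
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            current["settings"][key] = value.strip().strip('"')
    return objects


def _parse_range(value):
    """'a' or 'a-b' (FortiOS extip syntax) -> (first, last) address pair."""
    first, _, last = value.partition("-")
    start = ipaddress.ip_address(first.strip())
    end = ipaddress.ip_address(last.strip()) if last else start
    return start, end


def address_range(obj):
    """Address range a VIP (extip) or IP pool (startip-endip) will answer ARP for."""
    s = obj["settings"]
    if obj["table"] == "vip":
        return _parse_range(s["extip"])
    return ipaddress.ip_address(s["startip"]), ipaddress.ip_address(s["endip"])


def arp_reply_enabled(obj):
    """arp-reply defaults to enable; only an explicit 'set arp-reply disable' turns it off."""
    return obj["settings"].get("arp-reply", "enable") == "enable"


def audit_arp_conflicts(config_text, known_host_ips):
    """Return (table, name, ip) for every known host address that falls inside a
    VIP/IP pool range the FortiGate would answer ARP for."""
    findings = []
    hosts = [ipaddress.ip_address(h) for h in known_host_ips]
    for obj in parse_fortios_objects(config_text):
        if not arp_reply_enabled(obj):
            continue
        first, last = address_range(obj)
        for host in hosts:
            if first <= host <= last:
                findings.append((obj["table"], obj["name"], str(host)))
    return findings


if __name__ == "__main__":
    # Constructed list of addresses already in use by other devices on the segment.
    known_hosts = ["192.0.2.10", "192.0.2.21", "192.0.2.105", "198.51.100.1"]
    for table, name, ip in audit_arp_conflicts(SAMPLE_CONFIG, known_hosts):
        print(f"{table} '{name}' answers ARP for {ip}, which another host already uses")
```

In the constructed sample, 'web-vip' and 'snat-pool' are reported because they cover 192.0.2.10 and 192.0.2.105 with ARP reply still at its default, while 'shared-vip' is not reported even though 192.0.2.21 sits in its range, because arp-reply is disabled there and the FortiGate will ARP for that address rather than claim it.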
Related Links:
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/801437/ip-pools
Copyright 2023 Fortinet, Inc. All Rights Reserved.