Description
This article describes Proxy-ARP, when it is needed, and how to configure it on FortiGate.
ARP (Address Resolution Protocol) discovers the link-layer address (such as a MAC address) associated with a given Internet-layer address (for example, an IPv4 address) on a broadcast network.
Proxy-ARP is when a device answers ARP queries on behalf of the actual host, masquerading as that host at the link layer.
Use case or Problem:
- In the topology below, PC2 cannot reach PC1 because PC1 is on a different physical network, even though PC2 is configured as if it were on the same subnet as PC1.
- The host is not configured with a default gateway.
Solution
Diagram.
Use Proxy-ARP as a workaround.
In the above topology, suppose PC2 was configured with 192.168.1.14/24 instead of /29 (in some network designs this is intentional), and PC2 needs to reach 192.168.1.6 (PC1). Because of the /24 mask (host range 0 to 255), PC2 believes it resides on the same subnet as PC1.
So it broadcasts an ARP request for 192.168.1.6.
Note that on the subnet where PC2 is connected, the broadcast terminates at the FortiGate interface with the 192.168.1.9/29 address.
That interface is clearly not 192.168.1.6, so if no Proxy-ARP is configured on the FortiGate interface with .9, the ARP request gets no response and PC2 cannot reach PC1.
But if Proxy-ARP is configured on the FortiGate interface with the .9 IP, the interface replies to PC2 with its own MAC address.
PC2 then sends the packet to .9, which in turn forwards it to PC1 (PC2 is unaware that any of this happened).
This configuration example assumes .9 is configured on port1 of the FortiGate.
config system proxy-arp
edit 1
set interface port1
set ip 192.168.1.6
next
end
Note: It is possible to extend proxy-arp to a range of IP addresses.
config system proxy-arp
edit 1
set interface port1
set ip 192.168.1.3
set end-ip 192.168.1.6
next
end
In this case, port1 responds on behalf of .3, .4, .5 and .6.
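The following is an added worked example, not Fortinet code or part of the original article. It models the two points explained above: why PC2's wrong /24 mask makes it ARP for a host that is actually off-link, and how a FortiGate interface decides whether to answer an ARP request from its proxy-arp entries (a single 'set ip', or a 'set ip' / 'set end-ip' range, scoped to one interface). The small CLI parser understands only the 'config system proxy-arp' fields used in this article; the function names and the sample configuration text are constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface
from typing import List, Optional


@dataclass(frozen=True)
class ProxyArpEntry:
    """One 'edit N' entry under 'config system proxy-arp' (interface, ip, optional end-ip)."""
    interface: str
    ip: IPv4Address
    end_ip: Optional[IPv4Address] = None

    def covers(self, target: IPv4Address) -> bool:
        # A lone 'set ip' covers one address; 'set end-ip' turns it into an inclusive range.
        end = self.end_ip if self.end_ip is not None else self.ip
        return self.ip <= target <= end


def parse_proxy_arp_config(cli_text: str) -> List[ProxyArpEntry]:
    """Parse a 'config system proxy-arp ... end' CLI block into entries (hypothetical helper)."""
    entries: List[ProxyArpEntry] = []
    current: dict = {}
    in_block = False
    for raw in cli_text.splitlines():
        line = raw.strip()
        if line == "config system proxy-arp":
            in_block = True
        elif not in_block:
            continue
        elif line.startswith("edit "):
            current = {}
        elif line.startswith("set interface "):
            current["interface"] = line.split(None, 2)[2]
        elif line.startswith("set ip "):
            current["ip"] = IPv4Address(line.split(None, 2)[2])
        elif line.startswith("set end-ip "):
            current["end_ip"] = IPv4Address(line.split(None, 2)[2])
        elif line == "next":
            entries.append(ProxyArpEntry(current["interface"], current["ip"], current.get("end_ip")))
        elif line == "end":
            in_block = False
    return entries


def is_on_link(host_cidr: str, target: str) -> bool:
    """Does a host with this address/mask consider target part of its own subnet (and so ARP for it)?"""
    return IPv4Address(target) in IPv4Interface(host_cidr).network


def arp_response(iface_name: str, iface_ip: str,
                 entries: List[ProxyArpEntry], target: str) -> Optional[str]:
    """How a FortiGate interface answers 'who-has target':

    'own'   - target is the interface's own address: normal ARP reply
    'proxy' - a proxy-arp entry bound to this interface covers target: reply with own MAC
    None    - no reply; the requester's ARP request times out
    """
    tgt = IPv4Address(target)
    if tgt == IPv4Address(iface_ip):
        return "own"
    if any(e.interface == iface_name and e.covers(tgt) for e in entries):
        return "proxy"
    return None


# Constructed sample mirroring the range configuration in the article (port1 answering for .3-.6).
SAMPLE_CLI = """
config system proxy-arp
    edit 1
        set interface port1
        set ip 192.168.1.3
        set end-ip 192.168.1.6
    next
end
"""

if __name__ == "__main__":
    # PC2 with the wrong mask (/24) believes PC1 is on-link; with the correct /29 it does not.
    print("PC2 /24 thinks PC1 on-link:", is_on_link("192.168.1.14/24", "192.168.1.6"))
    print("PC2 /29 thinks PC1 on-link:", is_on_link("192.168.1.14/29", "192.168.1.6"))

    entries = parse_proxy_arp_config(SAMPLE_CLI)
    for tgt in ("192.168.1.9", "192.168.1.4", "192.168.1.6", "192.168.1.7"):
        print(f"who-has {tgt} on port1 ->", arp_response("port1", "192.168.1.9", entries, tgt))
    # Entries are per interface: the same request arriving on port2 is not answered.
    print("who-has 192.168.1.4 on port2 ->", arp_response("port2", "192.168.1.17", entries, "192.168.1.4"))
```

Running the block shows that PC2 with /24 treats 192.168.1.6 as on-link while /29 does not, and that port1 answers for .9 (its own address) and for .4 and .6 (inside the range), but not for .7 or for any target requested on another interface.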
Verification:
show system arp-table
execute ping 192.168.1.6 <----- If proxy-arp is disabled or deleted, the ping stops responding.
Additional Notes:
- There is a limit to the number of proxy-arp IP addresses that a FortiGate can support. For most models, the limit is 256 IP addresses per VDOM.
- To view the limit for a specific model and FortiOS version, visit docs.fortinet.com/max-value-table and filter by 'system.proxy-arp'.