Created on 11-04-2016 06:39 PM. Edited on 09-28-2023 09:21 PM by Anthony_E.
Description
In some troubleshooting scenarios it is necessary to review the contents of the ARP table to check Layer 2 (IP-to-MAC) resolution, to flush the ARP table, or to modify it.
The steps below show how to check and modify the ARP table on a FortiGate.
Scope
FortiGate.
Solution
Use the following command to display the ARP table on a FortiGate:
# get sys arp
Example output of this command:
GW_FGT # get sys arp
Address Age(min) Hardware Addr Interface
10.40.19.180 0 00:67:68:6f:08:01 port1
172.31.131.198 0 00:67:68:6f:1a:02 port3
172.31.195.2 0 00:64:72:61:02:01 port4
172.31.131.32 2 00:64:72:61:20:01 port3
10.40.51.180 1 00:67:68:6f:08:02 port2
10.40.16.2 2 00:61:65:67:02:01 port1
10.40.31.254 0 90:6c:ac:29:ff:c9 port1
If there is no traffic to or from a specific IP, the Age value of its entry keeps incrementing.
To filter the ARP table, use one of the following commands:
# get sys arp | grep -f <interface name>
This filters the ARP table by interface and shows only the entries bound to that interface.
# get sys arp | grep -f <ip address>
This shows only the ARP entry for the given IP address.
# get sys arp | grep -f <mac address>
This shows only the ARP entry for the given MAC address.
To flush the entire ARP table, use the following command:
# execute clear system arp table
To remove a specific entry from the ARP table, use the following command:
# diag ip arp delete <interface> <ip address>
Example.
Below is the existing ARP table:
GW_FGT # get sys arp
Address Age(min) Hardware Addr Interface
10.40.19.180 0 00:67:68:6f:08:01 port1
10.40.16.2 0 00:61:65:67:02:01 port1
10.40.31.254 0 90:6c:ac:29:ff:c9 port1
To remove the ARP entry for 10.40.16.2, run the following command:
GW_FGT # diag ip arp delete port1 10.40.16.2
Then run the following command to check the ARP table:
GW_FGT # get sys arp
Address Age(min) Hardware Addr Interface
10.40.19.180 0 00:67:68:6f:08:01 port1
10.40.31.254 0 90:6c:ac:29:ff:c9 port1
The ARP entry for 10.40.16.2 has been removed.
To add a specific entry to the ARP table, there are two methods:
1) With this method, FortiGate keeps the ARP entry only while the bound interface stays up and the FortiGate is not rebooted.
If the interface status changes or the FortiGate reboots, the entry is wiped out and must be added again manually.
Syntax:
# diag ip arp add <interface> <ip> <mac address>
Example.
GW_FGT # diag ip arp add port1 10.40.16.2 00:61:65:67:02:01
GW_FGT # get sys arp
Address Age(min) Hardware Addr Interface
10.40.19.180 0 00:67:68:6f:08:01 port1
10.40.16.2 - 00:61:65:67:02:01 port1 <-----
10.40.31.254 0 90:6c:ac:29:ff:c9 port1
GW_FGT # config system interface
GW_FGT (interface) # edit port4
GW_FGT (port4) # set status down
GW_FGT (port4) # end
GW_FGT # get sys arp
Address Age(min) Hardware Addr Interface
10.40.19.180 0 00:67:68:6f:08:01 port1
10.40.31.254 0 90:6c:ac:29:ff:c9 port1
2) With this method, FortiGate keeps the ARP entry permanently.
The entry is removed from the table only while the respective interface is down.
# config sys arp
    edit 0
        set interface <interface>
        set ip <ip address>
        set mac <mac address>
    end
Example.
GW_FGT # config system arp
GW_FGT (arp-table) # edit 0
new entry '0' added
GW_FGT (0) # set interface port1
GW_FGT (0) # set ip 10.40.16.2
GW_FGT (0) # set mac 00:61:65:67:02:01
GW_FGT (0) # end
GW_FGT # get sys arp
Address Age(min) Hardware Addr Interface
10.40.19.180 0 00:67:68:6f:08:01 port1
10.40.16.2 - 00:61:65:67:02:01 port1 <-----
10.40.31.254 0 90:6c:ac:29:ff:c9 port1
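The filtering commands and the static entry marked with "-" in the Age column are easy to work with offline once the CLI output is captured. The following Python script is an added example (it is not part of this article and not FortiOS code): it parses "get sys arp" output pasted from the CLI, applies the same interface/IP/MAC filters as the grep commands above, recognises static entries by the "-" Age value, and compares two snapshots to flag an IP whose MAC changed and a MAC that answers for several IPs on one interface. The first snapshot is constructed from this article's sample output; the second snapshot and its changed gateway MAC are constructed to show the checks firing, not captured from a real device.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the "get sys arp" output format shown in the article.
SNAPSHOT_BEFORE = """\
GW_FGT # get sys arp
Address Age(min) Hardware Addr Interface
10.40.19.180 0 00:67:68:6f:08:01 port1
172.31.131.198 0 00:67:68:6f:1a:02 port3
172.31.131.32 2 00:64:72:61:20:01 port3
10.40.16.2 2 00:61:65:67:02:01 port1
10.40.31.254 0 90:6c:ac:29:ff:c9 port1
"""

# Constructed second snapshot taken later: 10.40.16.2 is now a static entry
# (Age "-"), and the gateway 10.40.31.254 resolves to the MAC that 10.40.16.2
# uses on the same interface.
SNAPSHOT_AFTER = """\
GW_FGT # get sys arp
Address Age(min) Hardware Addr Interface
10.40.19.180 1 00:67:68:6f:08:01 port1
172.31.131.198 0 00:67:68:6f:1a:02 port3
172.31.131.32 3 00:64:72:61:20:01 port3
10.40.16.2 - 00:61:65:67:02:01 port1
10.40.31.254 0 00:61:65:67:02:01 port1
"""

# One table row: IPv4 address, age in minutes or "-" for static, MAC, interface.
ENTRY_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<age>\d+|-)\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<iface>\S+)$"
)


@dataclass(frozen=True)
class ArpEntry:
    ip: str
    age: Optional[int]  # None for static entries, which the CLI prints as "-"
    mac: str
    interface: str

    @property
    def is_static(self) -> bool:
        return self.age is None


def parse_arp_table(text: str) -> List[ArpEntry]:
    """Parse 'get sys arp' output; the prompt, header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m is None:
            continue
        age = None if m["age"] == "-" else int(m["age"])
        entries.append(ArpEntry(m["ip"], age, m["mac"].lower(), m["iface"]))
    return entries


def filter_entries(entries: List[ArpEntry], *, interface: Optional[str] = None,
                   ip: Optional[str] = None, mac: Optional[str] = None) -> List[ArpEntry]:
    """Offline equivalent of 'get sys arp | grep -f <interface|ip|mac>' (exact match)."""
    return [e for e in entries
            if (interface is None or e.interface == interface)
            and (ip is None or e.ip == ip)
            and (mac is None or e.mac == mac.lower())]


def mac_changes(before: List[ArpEntry], after: List[ArpEntry]) -> Dict[str, Tuple[str, str]]:
    """IPs whose MAC differs between two snapshots: {ip: (old_mac, new_mac)}."""
    old = {e.ip: e.mac for e in before}
    return {e.ip: (old[e.ip], e.mac) for e in after
            if e.ip in old and old[e.ip] != e.mac}


def shared_macs(entries: List[ArpEntry]) -> Dict[Tuple[str, str], List[str]]:
    """MACs that answer for more than one IP on the same interface: {(interface, mac): [ips]}."""
    by_key: Dict[Tuple[str, str], List[str]] = {}
    for e in entries:
        by_key.setdefault((e.interface, e.mac), []).append(e.ip)
    return {k: sorted(v) for k, v in by_key.items() if len(v) > 1}


if __name__ == "__main__":
    before = parse_arp_table(SNAPSHOT_BEFORE)
    after = parse_arp_table(SNAPSHOT_AFTER)
    print("port1 entries:", [e.ip for e in filter_entries(after, interface="port1")])
    print("static entries:", [e.ip for e in after if e.is_static])
    print("MAC changed:", mac_changes(before, after))
    print("MAC shared by several IPs:", shared_macs(after))
```

A MAC change for a gateway address between two snapshots, or one MAC answering for several IPs on the same interface, is worth investigating, but it is not proof of anything by itself: a router with secondary addresses or a first-hop redundancy protocol legitimately produces the same pattern, so confirm against the known hardware before adding static entries with "config system arp".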
Copyright 2025 Fortinet, Inc. All Rights Reserved.