sdabhade
Article Id 383925
Description This article describes how to prevent duplication of self-generated traffic in Transparent mode.
Scope

FortiGate.

Solution

In Transparent Mode, for self-generated traffic, FortiGate uses ARP to learn the MAC address of the destination IP (if it is directly connected) or of the gateway IP (for destinations reached via a static route).

The following example illustrates the circumstance in which self-generated traffic can be duplicated: a VDOM in Transparent Mode sends syslog to a server at IP 192.168.1.1, which is reachable via the gateway IP 10.10.10.2:

FGT (VDOM1)# config system settings
    set opmode transparent
    set manageip 10.10.10.1/255.255.255.0
end

FGT (VDOM1)# config log syslogd3 override-setting
    set status enable
    set server "192.168.1.1"
    set format cef
end

FGT (VDOM1)# config router static
    edit 1
        set gateway 10.10.10.2
    next
end

Initially, the FortiGate in Transparent Mode learns the MAC address of the gateway IP 10.10.10.2 via ARP, which can be verified with the command below:

FGT (VDOM1) # get system arp
Address     Age(min)  Hardware Addr      Interface
10.10.10.2  88694     aa:aa:aa:aa:aa:aa  VDOM1.b

FortiGate then looks up the destination MAC address aa:aa:aa:aa:aa:aa in the bridge forwarding table to find the egress interface, and forwards the traffic through Vlan10:

FGT (global) # diagnose netlink brctl name host VDOM1.b
show bridge control interface VDOM1.b host.
fdb: hash size=32768, used=2471, num=2794, depth=71, gc_time=4, ageing_time=3
Bridge VDOM1.b host table
port no  device  devname  mac addr           ttl  attributes
13       86      Vlan10   aa:aa:aa:aa:aa:aa  0    Hit(0)

If multiple VLAN interfaces, including Vlan10, are connected to the same port of the gateway device and that port uses the same MAC address aa:aa:aa:aa:aa:aa on every VLAN, the MAC is learned on more than one bridge port. Self-generated traffic is then sent out of each of those interfaces with its respective VLAN tag, one copy per forwarding domain.

In the forwarding table below, both Vlan10 and Vlan20 map to the gateway MAC aa:aa:aa:aa:aa:aa, so duplicate self-originated packets can be sent to the syslog server over both VLANs:

FGT (global) # diagnose netlink brctl name host VDOM1.b
show bridge control interface VDOM1.b host.
fdb: hash size=32768, used=2471, num=2794, depth=71, gc_time=4, ageing_time=3
Bridge VDOM1.b host table
port no  device  devname  mac addr           ttl  attributes
13       86      Vlan10   aa:aa:aa:aa:aa:aa  0    Hit(0)
14       87      Vlan20   aa:aa:aa:aa:aa:aa  0    Hit(0)

The same effect is visible when pinging the gateway IP 10.10.10.2: FortiGate cannot determine which of the two interfaces is the correct one, sends the echo request out of both VLANs, and therefore receives a duplicate reply (DUP!) for each sequence number:

FGT (VDOM1)# execute ping 10.10.10.2
PING 10.10.10.2 (10.10.10.2): 56 data bytes
64 bytes from 10.10.10.2: icmp_seq=0 ttl=64 time=1.2 ms
64 bytes from 10.10.10.2: icmp_seq=0 ttl=64 time=3.7 ms (DUP!)
64 bytes from 10.10.10.2: icmp_seq=1 ttl=64 time=0.9 ms
64 bytes from 10.10.10.2: icmp_seq=1 ttl=64 time=2.4 ms (DUP!)
64 bytes from 10.10.10.2: icmp_seq=2 ttl=64 time=2.1 ms
64 bytes from 10.10.10.2: icmp_seq=2 ttl=64 time=4.1 ms (DUP!)
64 bytes from 10.10.10.2: icmp_seq=3 ttl=64 time=4.2 ms
64 bytes from 10.10.10.2: icmp_seq=3 ttl=64 time=8.7 ms (DUP!)
64 bytes from 10.10.10.2: icmp_seq=4 ttl=64 time=3.0 ms

This is expected behavior when the gateway device's port uses the same MAC address for multiple VLANs. It can be resolved by configuring the gateway device to use a unique MAC address for each VLAN, for example by using emac-vlan interfaces.
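As an added example (not part of this article and not Fortinet's code), the following Python script parses the text of the diagnose netlink brctl host table and the execute ping output shown above and flags the condition described here: a MAC address learned on more than one bridge port, which yields more than one egress interface for self-generated traffic. The sample output is constructed from the article's lines; the "fixed" table, its Vlan30 row and the second MAC value aa:aa:aa:aa:aa:bb are assumptions illustrating a gateway that uses a unique MAC per VLAN after the fix.

```python
"""Added example (not Fortinet's code): detect the shared-MAC condition that
causes duplicated self-generated traffic in Transparent mode.

It parses the text of `diagnose netlink brctl name host <bridge>` and
`execute ping` output (constructed samples modelled on the article) and
reports MAC addresses learned on more than one bridge port.
"""
import re
from collections import defaultdict

# Constructed sample: the bridge host table from the article, with the gateway
# MAC learned on both Vlan10 and Vlan20, plus an assumed unrelated Vlan30 row.
FDB_SHARED = """\
show bridge control interface VDOM1.b host.
fdb: hash size=32768, used=2471, num=2794, depth=71, gc_time=4, ageing_time=3
Bridge VDOM1.b host table
port no device devname mac addr ttl attributes
13 86 Vlan10 aa:aa:aa:aa:aa:aa 0 Hit(0)
14 87 Vlan20 aa:aa:aa:aa:aa:aa 0 Hit(0)
15 88 Vlan30 bb:bb:bb:bb:bb:bb 0 Hit(0)
"""

# Constructed (assumed) sample of the table after the gateway uses a unique MAC
# per VLAN; the Vlan20 MAC value is made up for illustration.
FDB_FIXED = """\
Bridge VDOM1.b host table
port no device devname mac addr ttl attributes
13 86 Vlan10 aa:aa:aa:aa:aa:aa 0 Hit(0)
14 87 Vlan20 aa:aa:aa:aa:aa:bb 0 Hit(0)
"""

# Constructed sample: the `execute ping 10.10.10.2` output from the article.
PING_DUP = """\
PING 10.10.10.2 (10.10.10.2): 56 data bytes
64 bytes from 10.10.10.2: icmp_seq=0 ttl=64 time=1.2 ms
64 bytes from 10.10.10.2: icmp_seq=0 ttl=64 time=3.7 ms (DUP!)
64 bytes from 10.10.10.2: icmp_seq=1 ttl=64 time=0.9 ms
64 bytes from 10.10.10.2: icmp_seq=1 ttl=64 time=2.4 ms (DUP!)
64 bytes from 10.10.10.2: icmp_seq=2 ttl=64 time=2.1 ms
64 bytes from 10.10.10.2: icmp_seq=2 ttl=64 time=4.1 ms (DUP!)
64 bytes from 10.10.10.2: icmp_seq=3 ttl=64 time=4.2 ms
64 bytes from 10.10.10.2: icmp_seq=3 ttl=64 time=8.7 ms (DUP!)
64 bytes from 10.10.10.2: icmp_seq=4 ttl=64 time=3.0 ms
"""

# One host-table row: "port no  device  devname  mac addr  ttl  attributes".
# Header and summary lines do not start with a port number and never match.
FDB_ROW = re.compile(
    r"^\s*(?P<port>\d+)\s+(?P<device>\d+)\s+(?P<devname>\S+)\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<ttl>\d+)",
    re.IGNORECASE,
)


def parse_fdb(text):
    """Return (devname, mac) pairs from brctl host-table output."""
    rows = []
    for line in text.splitlines():
        m = FDB_ROW.match(line)
        if m:
            rows.append((m.group("devname"), m.group("mac").lower()))
    return rows


def shared_macs(rows):
    """MACs learned on more than one port, mapped to the sorted port names.
    A non-empty result is the precondition for duplicated self-generated traffic."""
    ports = defaultdict(set)
    for devname, mac in rows:
        ports[mac].add(devname)
    return {mac: sorted(p) for mac, p in ports.items() if len(p) > 1}


def egress_ports(rows, dst_mac):
    """Ports a self-generated frame to dst_mac is forwarded out of; more than
    one means one copy per VLAN, i.e. the duplication the article describes."""
    dst_mac = dst_mac.lower()
    return sorted({devname for devname, mac in rows if mac == dst_mac})


def ping_replies_per_seq(text):
    """Count replies per icmp_seq in `execute ping` output; a count above 1
    corresponds to the (DUP!) marker printed by ping."""
    counts = {}
    for m in re.finditer(r"icmp_seq=(\d+)", text):
        seq = int(m.group(1))
        counts[seq] = counts.get(seq, 0) + 1
    return counts


def duplicated_seqs(text):
    """Sequence numbers that received more than one reply."""
    return sorted(s for s, n in ping_replies_per_seq(text).items() if n > 1)


if __name__ == "__main__":
    gw = "aa:aa:aa:aa:aa:aa"
    for label, table in (("shared", FDB_SHARED), ("fixed", FDB_FIXED)):
        rows = parse_fdb(table)
        print(f"{label}: shared MACs = {shared_macs(rows)}; "
              f"egress for {gw} = {egress_ports(rows, gw)}")
    print("duplicated icmp_seq:", duplicated_seqs(PING_DUP))
```

Run it against the real CLI output by pasting the host table into FDB_SHARED (or reading it from a file): an empty result from shared_macs means every learned MAC resolves to a single egress interface and the duplication condition is absent, which is the state the emac-vlan change on the gateway is meant to produce.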
