The issue is resolved by identifying that ARP resolution problems occur when a large number of devices are connected to a VLAN. Following are the steps to resolve this issue involved troubleshooting the ARP tables on FortiSwitches and updating the FortiGate configuration to handle ARP traffic more effectively:

Diagnose ARP Packets: Begin by running a sniffer on the VLAN to diagnose ARP packets.

diagnose sniffer packet VLAN <VLAN_Number> 'arp' 4 0 l

To monitor ARP packets and identify if replies are missing.

Check ARP Tables in FortiSwitch: Access the ARP tables in connected switches and routers to see if the MAC addresses are correctly mapped.

Access FortiSwitch:

get system arp

To identify which device is missing the MAC Addresses.

Validate FortiGate's Visibility in ARP tables: Make sure all switches can see FortiGate's MAC in their ARP tables.

get system arp | grep <FortiGate_MAC_Address>

To ensure that FortiGate is reachable from all devices.

Check AP Capacity: Look into the AP's maximum user capacity.

It will be necessary to use vendor-specific commands to check AP capacity according to the AP manufacturer.

ARP Spoofing Inquiry: Check if the FortiSwitches and APs have any feature to prevent ARP spoofing.

On FortiSwitch:

config switch feature

    set arp-inspection enable
end

ARP spoofing is an L2 layer attack that may be affecting the network.

Client Isolation in WiFi: Check if client isolation features are active in the WiFi settings.

It will be necessary to use vendor-specific commands to check AP capacity according to the AP manufacturer.

To prevent clients from directly communicating with each other and causing ARP issues.

Test Again: After performing these steps, monitor the network again to see if the ARP issues are resolved.

Open FortiSwitch Ticket: If the problem persists, consider opening a FortiSwitch ticket for specialized troubleshooting. From Fortinet Support Portal -> New Ticket -> FortiSwitch -> Troubleshooting.

Note: How to test VLAN to receive ARP entry into FortiGate versions 7.4.x and 7.6.x

Almost always, when an interface VLAN is not registering ARP entries but is enabling and responding to pinging, there exists another way to check all entries by the VLAN.

VM02#diagnose ip address list

IP=172.19.1.1->172.19.1.1/255.255.255.0 index=20 devname=vlan 10
IP=192.168.150.2->192.168.150.2/255.255.255.0 index=32 devname=vlan-2500

There is a VLAN with id 2500, but when executing the command get sys arp , it does not show any ARP entry; including the VLAN interface. 

VM02 # get system arp
Address Age(min) Hardware Addr Interface
192.168.101.6 11565 52:aa:51:ea:de:7b VXLAN-SW
192.151.147.10 0 54:be:f7:08:21:84 port1
10.20.60.2 12698 00:50:56:66:8e:ce port3
192.151.147.12 8389 00:50:56:93:d8:b8 port1

To see entries for the VLAN ID 2500, use the following command.

VM02 # diagnose ip arp list | grep 2500
index=32 ifname=vlan-2500 192.168.150.255 ff:ff:ff:ff:ff:ff state=00000040 use=5798 confirm=35532075 update=35526075 ref=0

This is the option to see which ARP entries are incoming into the FortiGate. In this case, the VLAN ID 2500 has not connected to anything, so it is registering the broadcast mask. In reality, it is an ARP entry using this form.