The get system arp command in FortiGate displays the ARP (Address Resolution Protocol) table, which maps IP addresses to MAC addresses, indicating which devices are connected to each interface.

To filter only the MAC address learned by a single port:

get system arp | grep port1

Below is an explanation of the output:

Explanation:

• Address: The IP address of the device within FortiGate’s network.
• Age (min): The time (in minutes) since the ARP entry was last updated. ARP entries get updated as new traffic flows through the network.
• 0: Indicates that the ARP entry is new or was just learned by the device.
• Higher values: These indicate older entries, meaning the ARP entry was learned some time ago.
• Hardware Addr (MAC Address): The MAC address of the device corresponding to the IP address.
• Interface: The FortiGate interface (like port1, port3) through which the device is connected.
• To get a particular interface Mac use the command  get system arp | grep port3.
• To get a particular IP address that is being troubleshooting, it is possible to use get system arp | grep <IP address>. If it is impossible to see the IP address in the ARP table, use the 'execute ping <IP address>' to check the connectivity and therefore confirm/overrule suspected ARP/ duplicate IP

Key Points:Entries with a very low age (like 0 or 1) suggest recent communication.
An aging entry indicates it hasn’t been refreshed, but the ARP binding remains active.
This ARP table can help diagnose connectivity issues, identify duplicate IP addresses, or understanding which devices are connected through each interface.

Some use cases of the 'get system arp' command:

Troubleshooting Connectivity Issues:

When a device is unreachable, checking the ARP table can help determine if the FortiGate has learned the correct MAC address for the device's IP.
If the entry is missing or incorrect, it indicates an issue with address resolution, potentially pointing to a network misconfiguration or a device being offline.

Monitoring Network Activity:

The ARP table helps track which devices are communicating through each interface and at what time. It shows which IP addresses are actively in use and what MAC addresses are associated with them.

Detecting Duplicate IP or MAC Addresses:

If there are duplicate IP or MAC addresses on the network, detect them by identifying inconsistent or rapidly changing ARP entries, which could signal network problems or malicious activity.

Verifying Network Configuration:

When configuring static routes, VLANs, or firewall policies, verifying the correct IP-MAC associations in the ARP table ensures configurations align with actual network conditions.

To capture the ARP packet in FortiGate, use the following sniffer command:

diagnose sniffer packet <interface name> "arp" 6 0 l