yzayani
Staff
Article Id 417790
Description: This article describes a behavior observed on certain FortiGate models where NetBIOS broadcast packets (UDP ports 137 and 138) are still forwarded even though 'set netbios-forward disable' is applied on the interface.
Scope: FortiOS 7.0.16, 7.2.10, 7.4.4, and later builds.
Solution

Even with the following configuration applied to the FortiGate interface, the FortiGate continues to forward NetBIOS broadcast packets.

config system interface
    edit "port1"
        set vdom "root"
        set ip 10.15.9.13 255.255.252.0
        set status up
        set netbios-forward disable
        set broadcast-forward disable
    next
end


diagnose sniffer packet any "host 192.168.150.100" 4 100 l
2025-10-10 13:45:27.204220 port1 in 192.168.150.100.137 -> 192.168.150.255.137: udp 
2025-10-10 13:45:27.204231 port1 out 192.168.150.100.137 -> 192.168.150.255.137: udp  


Despite netbios-forward being disabled, the packet is forwarded back out of the same interface it arrived on (port1).
In some cases the re-sent frame also carries the FortiGate's own MAC address as its source, which can lead neighbouring switches or routers to associate the FortiGate's MAC with the broadcast IP, causing routing issues or unwanted traffic redirection.


The forwarding occurs because the global setting allow-traffic-redirect is enabled by default in FortiOS.
When this flag is enabled, traffic whose ingress and egress interface are the same can be forwarded without a policy check; under certain routing conditions this also applies to broadcast or multicast packets, so the NetBIOS broadcast is redirected at Layer 3 even though netbios-forward is disabled at the interface level.


Behavior by FortiOS version:

FortiOS 7.0.16 / 7.2.10 / 7.4.4 and later:
FortiGate may forward NetBIOS broadcasts when allow-traffic-redirect is enabled and the source IP is from a different subnet.

Earlier FortiOS versions:
When the source IP address is on a different network than the FortiGate interface performing traffic redirection, the traffic must match an IPv4 policy regardless of the allow-traffic-redirect setting.

Workaround:

  • Disable traffic redirection globally to prevent the FortiGate from forwarding NetBIOS broadcast packets. Note that this is a global setting: any other traffic that relies on being forwarded back out its ingress interface without a matching policy will also stop being forwarded.

config system global
    set allow-traffic-redirect disable
end


  • Alternatively, configure an ACL on the ingress interface to drop NetBIOS broadcast packets.
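The following sequence puts the check, the global workaround and the interface ACL together. It is an added example and not the article's own commands: the service object name "NetBIOS-UDP-137-138", the address object name "NetBIOS-bcast-192.168.150.255" and the ACL id/name are assumptions chosen for illustration, and 'config firewall acl' is only available on models whose ACLs are processed in NP hardware.

```text
# Added example (not from the original article). Object names below are assumptions.

# 1. Check the current value. 'show full-configuration' also prints settings
#    that are still at their default, so the line appears even if never changed.
show full-configuration system global | grep allow-traffic-redirect

# 2. Global workaround: traffic that enters and leaves the same interface is no
#    longer forwarded unless it matches a policy. This affects all such traffic,
#    not only NetBIOS.
config system global
    set allow-traffic-redirect disable
end

# 3. Alternative: drop the broadcasts with an interface ACL on port1 (only on
#    models that support 'config firewall acl'). A custom service object covers
#    UDP 137-138; the destination is the subnet's broadcast address seen in the
#    sniffer output above.
config firewall service custom
    edit "NetBIOS-UDP-137-138"
        set udp-portrange 137-138
    next
end
config firewall address
    edit "NetBIOS-bcast-192.168.150.255"
        set subnet 192.168.150.255 255.255.255.255
    next
end
config firewall acl
    edit 1
        set name "drop-netbios-bcast-port1"
        set interface "port1"
        set srcaddr "all"
        set dstaddr "NetBIOS-bcast-192.168.150.255"
        set service "NetBIOS-UDP-137-138"
    next
end

# 4. Verify: with either workaround in place, only the "port1 in" line should
#    appear for each NetBIOS broadcast; there must be no matching "port1 out".
diagnose sniffer packet port1 "udp and (port 137 or port 138)" 4 0 l
```

The ACL is the narrower fix because it scopes the drop to one interface and two ports, whereas disabling allow-traffic-redirect changes how every hairpinned flow without a policy match is handled; pick the ACL where the model supports it and the global change is not acceptable.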

This is a known issue and is planned to be fixed in FortiOS 7.4.10, 7.6.5, and 8.0.0.