Fortinet Forum
Lupo
New Contributor

Manually send an arp request from Fortigate (arping)

Hello everyone,

Is there a command to manually send an ARP request for a specific IP on a local interface? What I'm looking for is a functionality much like the 'arping' tool on Linux.

My use case is determining whether there is a duplicate IP on a directly connected network.

Kind regards,

Lupo

Yurisk
Valued Contributor

Nope, there is no such thing in the FortiGates.

Yuri
https://yurisk.info/ blog: All things Fortinet, no ads.

All opinions are mine only.
pminarik
Staff
Staff

No command specifically for that, but you can just run "exe ping <specific-ip>". If the IP/MAC isn't already in its ARP table (get sys arp), the FortiGate will naturally send out an ARP request to try and get it. (Assuming the FortiGate has an IP in the same subnet, of course.)

To have immediate feedback, you can run the sniffer for ARP traffic on the relevant interface (diag sniffer packet <interface> "arp" 4 0 a).

Lupo
New Contributor

Thank you for your reply! Sniffing for the - possibly multiple - ARP replies is a good idea (together with manually clearing the ARP entry in question before the exec ping).

I had a specific case where I suspected someone used an interface IP of the FortiGate as a system IP address. Do you have any ideas how to proceed in such a scenario?
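The workflow from the accepted answer and the follow-up above (clear the stale entry, ping, sniff ARP replies on the interface) still leaves you reading sniffer output by eye. This added Python example, not from the thread or from Fortinet, parses that output and flags any IP answered by more than one MAC, or by a MAC other than a known owner such as the FortiGate's own interface MAC; the sample sniffer lines, IPs and MACs are constructed, and the per-line prefix is only an approximation of the real format.

```python
import re
from collections import defaultdict

# Constructed sample of 'diag sniffer packet port3 "arp" 4 0 a' output.
# The prefix (timestamp, interface, "--") approximates the real FortiGate
# format; the ARP body uses the tcpdump-style wording.
SAMPLE_SNIFFER_OUTPUT = """\
interfaces=[port3]
filters=[arp]
2024-03-01 10:15:02.118342 port3 -- arp who-has 192.168.10.50 tell 192.168.10.1
2024-03-01 10:15:02.118901 port3 -- arp reply 192.168.10.50 is-at 00:1a:2b:3c:4d:5e
2024-03-01 10:15:02.119477 port3 -- arp reply 192.168.10.50 is-at 3c:52:82:11:22:33
2024-03-01 10:15:03.201000 port3 -- arp who-has 192.168.10.60 tell 192.168.10.1
2024-03-01 10:15:03.201600 port3 -- arp reply 192.168.10.60 is-at 00:09:0f:aa:bb:cc
"""

# Matches "arp reply <ip> is-at <mac>" anywhere on the line, so the exact
# prefix the sniffer prints does not matter.
ARP_REPLY = re.compile(
    r"arp reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>[0-9a-f]{2}(?::[0-9a-f]{2}){5})",
    re.IGNORECASE,
)

def collect_arp_replies(sniffer_text):
    """Map each IP seen in an ARP reply to the set of MACs that claimed it."""
    claims = defaultdict(set)
    for line in sniffer_text.splitlines():
        match = ARP_REPLY.search(line)
        if match:
            claims[match.group("ip")].add(match.group("mac").lower())
    return dict(claims)

def find_duplicate_ips(sniffer_text, known_owners=None):
    """Return {ip: sorted MAC list} for every conflicted IP: one answered by
    more than one MAC, or, when known_owners maps the IP to the MAC that
    legitimately holds it (e.g. the FortiGate's own interface MAC), by any
    other MAC."""
    owners = {ip: mac.lower() for ip, mac in (known_owners or {}).items()}
    conflicts = {}
    for ip, macs in collect_arp_replies(sniffer_text).items():
        foreign = macs - {owners[ip]} if ip in owners else set()
        if len(macs) > 1 or foreign:
            conflicts[ip] = sorted(macs)
    return conflicts

if __name__ == "__main__":
    for ip, macs in find_duplicate_ips(SAMPLE_SNIFFER_OUTPUT).items():
        print(f"duplicate IP {ip}: claimed by {', '.join(macs)}")
```

Unsolicited (gratuitous) announcements sent as ARP replies match the same pattern, so passing the interface's own MAC as the known owner of its IP surfaces a host that announces that address.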

pminarik

As for fixing the current problem right now, all you can do is sniff the traffic and try to identify and remove/fix the offending device.

As for future prevention: If you have a FortiSwitch, consider deploying ARP inspection to prevent IP spoofing - https://docs.fortinet.com/document/fortiswitch/7.0.4/administration-guide/500016/dynamic-arp-inspect... .

If you have a third-party switch, check their documentation for a similar feature that you could utilize.

I don't think a lone FortiGate (using a dumb switch, or an internal switch of the FortiGate) can do anything about it on its own. (corrections welcome)
