Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Lamster
New Contributor

Created on ‎08-15-2018 02:45 AM

Disable ARP on Virtual IP

I'm in the process of moving a customer from Cisco ASA to FortiGate and have run into a small issue with Virtual IP's. 

The FG is setup parallell to the ASA on inside and wan interfaces for reachability/management, all other interfaces are disabled. The plan is to configure as much as possible on the FG before migrating.

 

Now to the issue.

When I configure the Virtual IP's which are used in ASA for various servers today, the FG starts responding to ARP creating a conflict on the external interface since both ASA and FG responds to the same IP. In ASA it's possible to disable a NAT policy and that way prepare policies without impacting production, but I can't find any way to disable VIP's. 

 

Any ideas?

11979
0 Kudos
1 Solution
Toshi_Esumi
SuperUser
SuperUser

Created on ‎08-15-2018 09:00 AM

Based on my experience, VIPs on FGT are sticky and act even without references. You probably need to shut down the incoming interface (wan) until the cut-over date.

On the other hand, they're relatively independent from other part of configuration except the policies that use them (if policy-based NAT). So you could leave the changes for the cut-over script.

View solution in original post

6372
0 Kudos
5 REPLIES 5
Toshi_Esumi
SuperUser
SuperUser

Created on ‎08-15-2018 09:00 AM

Based on my experience, VIPs on FGT are sticky and act even without references. You probably need to shut down the incoming interface (wan) until the cut-over date.

On the other hand, they're relatively independent from other part of configuration except the policies that use them (if policy-based NAT). So you could leave the changes for the cut-over script.

6373
0 Kudos
Lamster
New Contributor
In response to Toshi_Esumi

Created on ‎08-15-2018 09:44 AM

Okay, that's what I was suspecting. I guess I'll have to shut down the wan interface for now.

 

Thanks.

6336
0 Kudos
emnoc
Esteemed Contributor III
In response to Toshi_Esumi

Created on ‎08-15-2018 09:58 AM

I  had this same issue. Since you can't disable the VIP here what we did;

 

1: build a bogus vip and a define a vip-group

 

2: apply that in your config using the vip-group ( this allows you to stage all of the  item in the firewall policy )

 

3: when it comes time to place active, add the correct vip in the cfg and apply to the vip-group  and test 

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
6336
0 Kudos
hklb
Contributor II
In response to emnoc

Created on ‎08-15-2018 11:51 AM

config firewall vip

edit YourVIP

set arp-reply disable

end

 

6336
0 Kudos
Lamster
New Contributor
In response to hklb

Created on ‎08-17-2018 12:32 AM

I was kinda hoping the set arp-reply enable/disable command would be available as a checkbox in the GUI. 

 

Anyway, thanks for the suggestions guys. 

6336
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.