Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevice
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Errant ARP Replies from interface with no IP.
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Errant ARP Replies from interface with no IP.
Hi all, I'm trying to troubleshoot an odd issue and am worried that I'm missing something/out to lunch. This is a much shortened version of the issue based on this figure http://www.asciidraw.com/#Draw3254957678224072795 with the VxLan turned down for testing.
Config Notes:
[ul]The Fortigate is seeing ARP requests for 10.0.0.1 at port1 and port3 as expected. Unfortunately it's also sending replies from both ports. So clients see two replies: one with the mac for the interface (port1) that actually has that IP, and one with the mac for port3 (which blackholes any subsequent ip packets). That IP is the default gateway so it's basically blackhole-roulette depending on which reply is seen first and how fast the client caches update.
There are no other issues, VxLan tunnel appears to function perfectly when enabled. Can't reproduce the errant ARP with two Hardware Switches or with a Hardware Switch and a single port interface.
I'd normally let TAC do their thing but I have a deadline coming soon and their initial response is that it appears to be working as expected and that they're looking for a way to disable ARP replies per-interface. That... doesn't seem right. Is there something I'm missing or don't understand? An interface should not respond to ARP requests for an IP to which it isn't bound or proxy-ing in some way, right?
The reason for the hardware switch (and not just changing to a software switch that includes the VxLan IPsec interface) is partly legacy, partly because it's in production and the backup 100D's are offsite at the moment, partly because there are a lot of references to that interface so I'll need to edit the config and apply it offline during a maintenance window. I do plan on testing that as soon as I can turn prod into dev for an hour. In the meantime I would sincerely appreciate any thoughts, suggestions, or corrections.
Labels:
- Labels:
-
5.6
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
can you post your config here..
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gangdar1234: Sorry I missed your post, I guess I misconfigured my notification settings.
Issue one was our bad. We had a leftover undocumented VIP whose interface was set to 'any'. The 4.0 legacy docs explicitly say that the Fortigate will proxy arp requests for a VIP on any interface to which it is assigned. That might be obvious after you think about it but we didn't at the time. TAC labbed it out and got back to me the next day. Issue two was a little more insidious. After removing the VIP we had the opposite problem: The softswitch started eating ARP requests for 10.0.0.1. I ended up posting a last-minute maintenance window where I edited the softswitch out and converted the hardware switch into a software switch that included the VxLan interface. Still don't know why that worked but it did. Seems to be running well but the feedback I got was that the VxLan feature is not commonly used. The config matched the cookbook except that we had l2forward enabled on the involved interfaces and the physical port was plugged back into the hard-switch.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I hate to necropost but I ran into this very thing earlier this week because of a similar network configuration (yeah, maybe don't connect two ports to the same broadcast domain without doing something to aggregate or bond them together--it's not going to work well). Years later it's apparently somehow still a problem? Come on, guys.
Yes, this is an unwanted behaviour, and it's not limited to just VIPs.
While it is allowed by RFC for a host to respond to ARP queries on any interface for any address it has bound to any interface, firewalls weren't exactly "a thing" at that point in the distant past, and it's basically a behaviour meant for routers. For a firewall, it (let me go ahead and just use RFC-like language) SHOULD NOT respond to ARP queries for IP addresses not bound to that interface, because at the very least it's information leakage (which is--cough--a low-level CVE in the making). It would allow an attacker on the network to identify what IP addresses might be on other interfaces and then, in a worst-case scenario, bypass the firewall rules meant for the network interface that they're actually on. The real "fix" for production environments is to stop having the same broadcast domain connecting to multiple ports (why the aggregate SFP isn't going to be affected by this will be left as an exercise to the reader), but that doesn't change the fact that a skilled attacker can very likely exploit this to bypass the firewall policies.
This has been a "known" issue for firewalls for so incredibly long. I, personally, started fixing on my deployments with a patch to the Linux kernel roughly 30 years ago. That same functionality was incorporated directly into the Linux kernel via the /proc interface with kernel 2.2.14 (January 28th, 1999), and then made into a sysctl for Linux Kernel 2.6.4 (March 11th, 2004). Why TAC never communicated this issue to engineering so they could know it's long past time to set net.ipv4.conf.all.arp_ignore=2 (or if they did, why the heck it's apparently not the default) is something I'm going to try to avoid thinking about.
Note: Setting that to 2 is the right thing to do by default because it makes the Linux kernel (which we absolutely know you're using--don't be coy) ignore ARP queries that don't match an IP address bound to that specific interface, and aren't of a subnet that should exist on that interface. ...so I while I'm on interface B I can't slap an entry into my cache for the address of interface A using the MAC address for interface B as the default gateway and then appear to be coming in via interface A as far as the firewall cares, which is where the unpleasant phrase "firewall bypass" comes out to play. (not exactly a low-level CVE)
Labels
-
FortiGate
10,621 -
FortiClient
2,165 -
FortiManager
892 -
5.2
687 -
FortiAnalyzer
681 -
5.4
638 -
FortiSwitch
588 -
FortiClient EMS
564 -
FortiAP
561 -
IPsec
421 -
6.0
416 -
SSL-VPN
380 -
FortiMail
372 -
5.6
362 -
FortiNAC
286 -
FortiWeb
252 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
196 -
FortiAuthenticator
175 -
FortiGuard
160 -
5.0
152 -
Firewall policy
145 -
FortiGate-VM
134 -
6.4
128 -
FortiCloud Products
116 -
FortiSIEM
113 -
FortiToken
113 -
FortiGateCloud
112 -
Wireless Controller
95 -
Customer Service
88 -
High Availability
86 -
FortiProxy
77 -
ZTNA
76 -
Routing
75 -
Fortivoice
73 -
SAML
71 -
DNS
71 -
VLAN
71 -
BGP
70 -
FortiEDR
69 -
FortiADC
68 -
Authentication
68 -
Certificate
66 -
RADIUS
61 -
LDAP
60 -
FortiLink
56 -
SSO
54 -
NAT
54 -
FortiSandbox
53 -
FortiExtender
52 -
4.0MR3
49 -
vdom
47 -
Interface
45 -
Application control
45 -
FortiDNS
43 -
Logging
41 -
Virtual IP
41 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiPAM
37 -
SSL SSH inspection
36 -
FortiConnect
35 -
Web profile
35 -
Automation
33 -
FortiWAN
31 -
FortiConverter
30 -
FortiGate v5.2
27 -
Traffic shaping
26 -
Static route
26 -
SNMP
25 -
API
25 -
SSID
25 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
FortiGate Cloud
23 -
System settings
22 -
FortiMonitor
20 -
OSPF
20 -
WAN optimization
20 -
Security profile
19 -
Web rating
19 -
Web application firewall profile
18 -
IP address management - IPAM
18 -
FortiSOAR
17 -
FortiGate v5.0
16 -
FortiDDoS
16 -
FortiAP profile
16 -
Explicit proxy
15 -
Admin
15 -
Proxy policy
15 -
FortiCASB
14 -
IPS signature
14 -
NAC policy
14 -
Intrusion prevention
14 -
FortiManager v4.0
13 -
DNS filter
13 -
FortiManager v5.0
12 -
FortiDeceptor
12 -
users
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
Port policy
12 -
FortiBridge
11 -
FortiRecorder
11 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
Trunk
10 -
Traffic shaping profile
10 -
Authentication rule and scheme
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
FortiCache
8 -
FortiToken Cloud
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
Application signature
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiCarrier
5 -
FortiNDR
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
DoS policy
5 -
Email filter profile
5 -
Protocol option
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiAI
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiEdge Cloud
3 -
FortiInsight
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
Lacework
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2605 | |
| 1388 | |
| 804 | |
| 664 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.