Hi
I use a FortiGate 101F with v7.0.12 in TP mode, but broadcast drops occur.
The configuration diagram is as follows.
Normally there is no problem, but when I reboot the server, communication between the PC and the server-side L2 does not work.
On checking, I found that the MAC address of L3 had not been learned in vdomA.
So I statically added the MAC address of L3 port2 to the mac-address-table of vdomA, and it works normally.
This doesn't happen very often; it happens only occasionally.
I have enabled broadcast-forward, so why does this happen?
Normally ARP broadcast is the only one allowed by default.
But can you try this one (for troubleshooting) just to see if it helps? The tech tip is for DHCP, but you need to adapt it for ARP.
Hope it helps.
Hi Jin
Normally, when you try to ping from the PC to the server for the first time, L3 sends an ARP query like "who has x.x.x.x", and VDOM A should learn it here.
When you run "diag sniffer packet port1", do you see those ARP broadcasts from L3?
The packet flow for the request is pc > l2 > vdomB > l3 > vdomA > l2 > server.
The response is server > l2 > vdomA, where the broadcast is dropped.
ARP (in transparent mode): by default, ARP broadcasts and ARP reply packets are flooded/forwarded on all ports or VLANs belonging to the same forwarding domain, without the need of firewall policies between the ports. This default behavior is necessary to allow the population of the FDB and allow further firewall policy lookup (see section Transparent mode Firewall processing for more details). This option is configurable at the interface settings level with the parameter arpforward (enabled by default).
(This is from older FortiOS documentation, but I couldn't find a newer version.)
On the other hand, when you enable traffic logging on the implicit deny rule, do you see the ARP replies being blocked?
The policy is open (permit), and no block is visible.
In vdomA, the debug output looks like this.
port4 is on the server side and port3 is on the L3 side.
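As an added example (not from the thread or from Fortinet's own pages), here are the FortiOS CLI checks and settings the replies above point to, for vdomA with port3 facing L3 and port4 facing the server (those port names come from the original post; the VDOM name vdomA is used as given, and the MAC address 00:11:22:33:44:55 is a placeholder for L3's real port2 MAC). It shows how to confirm whether L3's ARP reaches vdomA, whether the bridge has learned L3's MAC, the per-interface layer-2 forwarding options that arpforward/broadcast-forward belong to, and the static mac-address-table entry the original poster used as a workaround.

```text
# 1. Enter vdomA and capture ARP on the L3-facing port
#    (verbose level 4 prints headers plus the ingress interface; stop after 20 packets)
config vdom
    edit vdomA
diagnose sniffer packet port3 'arp' 4 20
# When the PC first pings the server you should see
#   "arp who-has <server-ip> tell <L3-ip>" arriving on port3 from L3's MAC.
# If nothing arrives here, the loss is upstream (L3 or vdomB), not in vdomA.

# 2. Show the transparent-mode forwarding database (bridge FDB) for vdomA.
#    The bridge for a VDOM is named <vdom>.b
diagnose netlink brctl name host vdomA.b
# L3's port2 MAC should be listed against port3. If it is missing after the
# server reboot, the server's ARP reply has no learned egress port and is
# dropped, which matches the symptom in the original post.

# 3. Confirm the layer-2 forwarding options on both inside ports
#    (these are the transparent-mode defaults; shown explicitly for the check)
config system interface
    edit port3
        set arpforward enable
        set broadcast-forward enable
        set l2forward enable
    next
    edit port4
        set arpforward enable
        set broadcast-forward enable
        set l2forward enable
    next
end

# 4. Workaround used in the thread: pin L3's MAC to port3 in the static MAC table
#    so the reply path does not depend on dynamic learning.
#    00:11:22:33:44:55 is a placeholder; use the real MAC of L3 port2.
config system mac-address-table
    edit 00:11:22:33:44:55
        set interface port3
    next
end
```

Run steps 1 and 2 while the problem is occurring; a static entry in step 4 hides the symptom but does not explain why the dynamic entry was not learned after the server reboot, so keep the sniffer output from step 1 for the support case.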
Thank you for your answer.
I can't try it now because it's not my equipment, but I'll apply it the next time the same phenomenon occurs.
Copyright 2025 Fortinet, Inc. All Rights Reserved.