Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Jin-Gyu
New Contributor III

Created on ‎07-27-2025 10:27 PM

Fortigate TP Mode Broadcast Drop

Hi

I use Fortigate 101F with v7.0.12 in TP mode, but broadcast drops occur.

The configuration diagram is as follows.

스크린샷 2025-07-28 142106.png

Normally, there is no problem and when I reboot the server, the communication between the PC and the server side L2 does not work.

As a result of checking, the MAC address of L3 was not learned in vdomA.

So I put the mac-address of L3 port2 into the mac-address-table of vdomA statically and it works normally.

 

This doesn't happen very often, it happens very occasionally.

I enabled broadcast-forward, why does this happen?

 

 

 

Labels:
307
0 Kudos
1 Solution
AEK
SuperUser
SuperUser

Created on ‎07-28-2025 07:01 AM

Normally ARP broadcast is the only one allowed by default.

But can you try this one (for troubleshooting) just to see if it helps? The tech tip is for DHCP but you need you adapt it for ARP.

https://community.fortinet.com/t5/FortiGate/Technical-Note-How-to-allow-the-flow-of-transit-DHCP-tra...

Hope it helps.

AEK

View solution in original post

AEK
236
0 Kudos
6 REPLIES 6
AEK
SuperUser
SuperUser

Created on ‎07-28-2025 12:52 AM

Hi Jin

Normally when you try ping from PC to Server for the first time, L3 sends ARP query like "who has x.x.x.x", and here VDOM A should learn it.

When you try "diag sniffer packet port1" do you see those ARP broadcasts from L3?

AEK
AEK
288
0 Kudos
Jin-Gyu
New Contributor III
In response to AEK

Created on ‎07-28-2025 03:43 AM

packet flow request is pc > l2 > vdomB > l3 > vdomA > l2 > server

response is server > l2 > vdomA broadcast drop

267
0 Kudos
AEK
SuperUser
SuperUser
In response to Jin-Gyu

Created on ‎07-28-2025 03:59 AM

ARP (in transparent mode): by default, ARP broadcasts and ARP reply packets are flooded/forwarded on all ports or VLANs belonging to the same forwarding domain, without the need of firewall policies between the ports. This default behavior is necessary to allow the population of the FDB and allow further firewall policy lookup (see section Transparent mode Firewall processing for more details). This option is configurable at the interface settings level with the parameter arpforward (enabled by default).

 

Ref: https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/5aa37c8a-1a11-11e9-9685-f8bc12...

(this is for old FortiOS but I couldn't find newer).

 

On the other hand, when you enable traffic log in the implicit deny rule, do you see the ARP replies are blocked?

AEK
AEK
259
0 Kudos
Jin-Gyu
New Contributor III
In response to AEK

Created on ‎07-28-2025 05:53 AM

The policy is open to permission, and the block is not visible.

In vdomA, the debug content comes out like this.
port4 is on the server side and port3 is on the l3 side.

Screenshot_20250728_214814_Outlook.jpg

250
0 Kudos
AEK
SuperUser
SuperUser

Created on ‎07-28-2025 07:01 AM

Normally ARP broadcast is the only one allowed by default.

But can you try this one (for troubleshooting) just to see if it helps? The tech tip is for DHCP but you need you adapt it for ARP.

https://community.fortinet.com/t5/FortiGate/Technical-Note-How-to-allow-the-flow-of-transit-DHCP-tra...

Hope it helps.

AEK
AEK
237
0 Kudos
Jin-Gyu
New Contributor III
In response to AEK

Created on ‎07-28-2025 05:53 PM

Thank you for your answer. 

I can't try it now because it's not my equipment, but I'll apply it next time the same phenomenon occurs.

213
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.