Jin-Gyu
New Contributor III

Fortigate TP Mode Broadcast Drop

Hi

I use Fortigate 101F with v7.0.12 in TP mode, but broadcast drops occur.

The configuration diagram is as follows.

(attached screenshot: 스크린샷 2025-07-28 142106.png)

Normally there is no problem, but when I reboot the server, the L2 communication between the PC and the server side does not work.

On checking, the MAC address of L3 had not been learned in vdomA.

So I put the MAC address of L3 port2 into the mac-address-table of vdomA statically, and then it works normally.


This doesn't happen very often; it happens only occasionally.

I have enabled broadcast-forward, so why does this happen?

AEK
SuperUser

Hi Jin

Normally, when you try to ping from the PC to the server for the first time, L3 sends an ARP query like "who has x.x.x.x", and here VDOM A should learn it.

When you run "diag sniffer packet port1", do you see those ARP broadcasts from L3?

AEK
Jin-Gyu
New Contributor III

The packet flow for the request is PC > L2 > vdomB > L3 > vdomA > L2 > server.

The response is server > L2 > vdomA (broadcast drop).

AEK

ARP (in transparent mode): by default, ARP broadcasts and ARP reply packets are flooded/forwarded on all ports or VLANs belonging to the same forwarding domain, without the need of firewall policies between the ports. This default behavior is necessary to allow the population of the FDB and allow further firewall policy lookup (see section Transparent mode Firewall processing for more details). This option is configurable at the interface settings level with the parameter arpforward (enabled by default).


Ref: https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/5aa37c8a-1a11-11e9-9685-f8bc12...

(This is for an old FortiOS, but I couldn't find a newer one.)


On the other hand, when you enable traffic logging on the implicit deny rule, do you see the ARP replies being blocked?

AEK
Jin-Gyu
New Contributor III

The policy is set to allow, and no block is visible.

In vdomA, the debug output looks like this.
port4 is on the server side and port3 is on the L3 side.

(attached screenshot: Screenshot_20250728_214814_Outlook.jpg)

AEK
SuperUser

Normally, ARP broadcast is the only one allowed by default.

But can you try this one (for troubleshooting), just to see if it helps? The tech tip is for DHCP, but you need to adapt it for ARP.

https://community.fortinet.com/t5/FortiGate/Technical-Note-How-to-allow-the-flow-of-transit-DHCP-tra...

Hope it helps.

AEK
Jin-Gyu
New Contributor III

Thank you for your answer.

I can't try it now because it's not my equipment, but I'll apply it next time the same phenomenon occurs.
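As an added illustration (not posted in the thread and not taken from Fortinet documentation), these are the FortiOS CLI checks a practitioner would run inside vdomA to confirm the ARP flooding settings, watch for the ARP reply on the L3-facing port, and inspect the bridge FDB before falling back to the static entry the original poster used. Interface names follow the thread (port3 faces L3, port4 faces the server); the VDOM name "vdomA" and the MAC 00:00:5e:00:53:01 are placeholders, and the commands are typed interactively at the CLI (the # lines are explanatory, not part of the input).

```fortios
# Assumed names: VDOM "vdomA", port3 = L3 side, port4 = server side (from the thread).
# Placeholder MAC for L3's port2: 00:00:5e:00:53:01
config vdom
    edit vdomA

# 1. Confirm the flood settings on the L3-facing and server-facing ports.
#    arpforward lets ARP requests/replies populate the FDB; broadcast-forward
#    covers non-ARP broadcasts, so enabling it alone does not help ARP.
show system interface port3 | grep -E 'arpforward|broadcast-forward'
show system interface port4 | grep -E 'arpforward|broadcast-forward'

# If arpforward is missing on either side, enable it explicitly.
config system interface
    edit port3
        set arpforward enable
    next
    edit port4
        set arpforward enable
    next
end

# 2. Reproduce the failure (reboot the server, ping from the PC) while
#    sniffing ARP on the L3 side: you should see the "who has" request
#    from L3 arrive on port3 and the reply leave towards it.
diagnose sniffer packet port3 'arp' 4 0 l

# 3. Check whether the L3 MAC is present in vdomA's bridge FDB.
#    The entry is what the reply needs to be forwarded out port3;
#    when it is absent the reply becomes a flood/broadcast on the bridge.
diagnose netlink brctl name host vdomA.b

# 4. Workaround used in the thread: pin the L3 MAC to port3 statically so
#    the reply path does not depend on learning after the server reboot.
config system mac-address-table
    edit 00:00:5e:00:53:01
        set interface port3
    next
end

    next
end
```

The sniffer and FDB output captured while the problem is occurring is what shows whether the request never reached vdomA or whether the entry was learned and then aged out, which is the difference between a flooding-setting problem and a timing problem.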
