Get ARP and MAC Table from a Fortimanager Managed Firewall
I've been trying to figure out how to find the MAC address and ARP tables for one of our FortiGate firewalls, but all the documentation seems to be for firewalls not connected to FortiManager. As you may know, the CLI becomes very limited on a firewall when you connect it to FortiManager, and the CLI on it only seems to give the ARP for the manager itself, which is not very useful. We're running the FortiManager VM64 KVM 7.2.8 if that helps. The firewall in question is a 200F. Any help would be appreciated.
Labels: FortiGate, FortiManager
Hi wirelurker,
From the GUI, the MAC address of the interface and the ARP list will not be visible.
It is necessary to use the CLI.
Please refer to the below document for more information:
https://community.fortinet.com/t5/FortiManager/Technical-Tip-Mac-address-interface-and-ARP-list-for/...
You can refer to the below document to check the ARP entries in the ARP table of a FortiGate.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-get-system-arp-command-on-the-FortiG...
If I do it from the FortiManager, it only lists the FMG interfaces. If I SSH to the individual FortiGates, there is no diagnose command, and the get command is very limited: there is no arp command or any subcommand.
Hi @wirelurker,
Even if a FGT is managed by an FMG, you can still SSH into that FGT to run CLI commands.
Jerry
These are my choices if I SSH to a managed firewall:
- config
- get
- show
- exit
Under get there is only the system command. Nothing else.
Hi @wirelurker,
I think that your user account does not have full permission to access the FGT. What is the prompt you got? # or $?
Anyway, there is another workaround to access the FGT GUI via FMG if your FMG is running 7.4.2 or later:
1) Make sure that your FMG admin user account has either full permission or this option enabled in your access profile:
2) Go back to Device Manager, click on Managed FortiGate, select the FGT you want to access, right-click, and choose "Remote Access":
It will open the FGT GUI, and if you log in to the FGT GUI with full permission, you can bring up the FGT CLI widget in the GUI with full access to all CLI commands.
So the key point is: do you have one FGT admin user account with full permission?
Jerry
That did it. Weird. If I SSH straight to a firewall using the admin account, it's still a limited command mode. However, if I access a FGT GUI directly and then open the CLI from there, I get a CLI with (global). I can then access sudo <adom> and a huge list of commands, including get sys arp. Thank you!
Hi @wirelurker,
I am glad that I could be of assistance. Please mark it as a solution to help others experiencing the same issue as yours.
Jerry
Hi wirelurker,
With the help of the command get sys arp | grep wan you can see the entries per port (MAC address learnt on a specific port, with age).
Per port (along with IP addresses and other details):
# diag ip arp list | grep wan
Current port MAC address:
# diag hardware deviceinfo nic wan2 | grep HWaddr
You can refer to the below document to find the interface's MAC address:
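Once the ARP table is reachable (via the GUI CLI widget or a get sys arp | grep wan pipeline as described above), the next practical step is usually to record it and look for oddities. The following is an added example, not code from the thread or from Fortinet: a small Python parser for the tabular output of get system arp that reproduces the "| grep wan" interface filter and flags any MAC address that answers for more than one IP on the same interface (a hint of ARP spoofing or of a misconfigured host; a gateway doing proxy ARP will also show up, so treat it as a prompt to check, not a verdict). The column layout assumed here (Address, Age(min), Hardware Addr, Interface) is what the example author expects from FortiOS and should be verified against your own device; the sample output below is constructed, not captured from a real firewall.

```python
"""Parse FortiGate 'get system arp' output and flag shared MAC addresses.

Added example (not from the forum thread or Fortinet). ASSUMPTION: the
output columns are Address, Age(min), Hardware Addr, Interface; check this
against your own device. SAMPLE_OUTPUT below is constructed test data.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpEntry:
    address: str
    age_min: int
    mac: str
    interface: str


# Constructed sample output in the assumed 'get system arp' layout.
SAMPLE_OUTPUT = """\
Address           Age(min)   Hardware Addr      Interface
10.10.1.1         0          00:11:22:33:44:55  wan1
10.10.1.20        3          00:11:22:33:44:55  wan1
10.10.1.30        12         aa:bb:cc:dd:ee:01  wan1
192.168.5.7       1          aa:bb:cc:dd:ee:02  internal
192.168.5.8       1          aa:bb:cc:dd:ee:02  dmz
"""

# One data row: IPv4 address, age in minutes, colon-separated MAC, interface name.
_LINE_RE = re.compile(
    r"^(?P<addr>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<age>\d+)\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\s+"
    r"(?P<iface>\S+)\s*$"
)


def parse_arp(text: str) -> list[ArpEntry]:
    """Return one ArpEntry per data row; the header, prompt echoes and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue  # header line or something we do not recognise
        entries.append(ArpEntry(m["addr"], int(m["age"]), m["mac"].lower(), m["iface"]))
    return entries


def filter_interface(entries: list[ArpEntry], prefix: str) -> list[ArpEntry]:
    """Same effect as '| grep wan' in the thread: keep rows whose interface starts with prefix."""
    return [e for e in entries if e.interface.startswith(prefix)]


def find_shared_macs(entries: list[ArpEntry]) -> dict[tuple[str, str], list[str]]:
    """Map (interface, mac) -> IPs for every MAC seen with more than one IP on one interface.

    Keyed per interface on purpose: the same MAC on two different interfaces
    (e.g. a router with a leg in each segment) is normal and is not reported.
    """
    seen: dict[tuple[str, str], list[str]] = defaultdict(list)
    for e in entries:
        seen[(e.interface, e.mac)].append(e.address)
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    entries = parse_arp(SAMPLE_OUTPUT)
    for e in filter_interface(entries, "wan"):
        print(f"{e.interface:10} {e.address:16} {e.mac}  age={e.age_min}m")
    for (iface, mac), ips in find_shared_macs(entries).items():
        print(f"NOTE: {mac} on {iface} answers for {len(ips)} IPs: {', '.join(ips)}")
```

Run it against a saved copy of the real command output instead of SAMPLE_OUTPUT to get the same interface-filtered listing the thread obtains with grep, plus the shared-MAC check; a MAC that legitimately serves several IPs on one segment (proxy ARP, VRRP) will be listed too and should simply be recognised as expected.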
