Lupo
New Contributor

Manually send an arp request from Fortigate (arping)

Hello everyone,

Is there a command to manually send an ARP request for a specific IP on a local interface? What I'm looking for is a functionality much like the 'arping' tool on Linux.

My use case is determining whether there is a duplicate IP on a directly connected network.

Kind regards,

Lupo

1 Solution
pminarik
Staff

No command specifically for that, but you can just run "exe ping <specific-ip>". If the IP/MAC isn't already in its ARP table (get sys arp), the FortiGate will naturally send out an ARP request to try and get it. (assuming the FortiGate has an IP in the same subnet, of course)

To have immediate feedback, you can run the sniffer for ARP traffic on the relevant interface (diag sniffer packet <interface> "arp" 4 0 a).

[ corrections always welcome ]


Yurisk
Valued Contributor

Nope, there is no such thing in the Fortigates. 

Yuri https://yurisk.info/  blog: All things Fortinet, no ads.
Lupo
New Contributor

Thank you for your reply! Sniffing for the - possibly multiple - ARP replies is a good idea (together with manually clearing the ARP entry in question before the exec ping).

I had a specific case where I suspected someone used an interface IP of the FortiGate as a system IP address. Do you have any ideas how to proceed in such a scenario?
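The procedure that emerged in this thread (ping the address so the FortiGate ARPs for it, run the sniffer with the "arp" filter, and look for more than one reply) produces text that is easy to check by hand for one address but tedious for many. The following script is an added example, not code from this thread or from Fortinet: it parses sniffer-style ARP reply lines and reports any IP that is answered by more than one MAC, plus any reply claiming an address the FortiGate itself owns (the scenario in the follow-up question). The sample output and the exact line layout are constructed assumptions modelled on typical "diag sniffer packet" verbosity-4 output, not captured from a device; adjust the regular expression if your firmware prints the lines differently.

```python
import re
from collections import defaultdict

# Constructed sample of sniffer output after pinging 192.168.10.50 from port2.
# The line format is an assumption, not real device output.
SAMPLE_SNIFFER_OUTPUT = """\
interfaces=[port2]
filters=[arp]
0.512345 port2 out arp who-has 192.168.10.50 tell 192.168.10.1
0.512901 port2 in arp reply 192.168.10.50 is-at 00:0c:29:4a:1b:2c
0.513220 port2 in arp reply 192.168.10.50 is-at 3C:52:82:7E:9D:10
1.612402 port2 in arp reply 192.168.10.77 is-at 00:50:56:ab:cd:ef
2.104411 port2 in arp reply 192.168.10.1 is-at aa:bb:cc:dd:ee:ff
"""

# timestamp, interface, direction marker, "arp reply <ip> is-at <mac>"
ARP_REPLY_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?:in|out|--)\s+arp reply\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+is-at\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\s*$"
)


def parse_arp_replies(text):
    """Return a list of (interface, ip, mac) tuples for every ARP reply line.

    Non-matching lines (headers, who-has requests) are ignored; MACs are
    normalised to lower case so case differences do not create false duplicates.
    """
    replies = []
    for line in text.splitlines():
        m = ARP_REPLY_RE.match(line.strip())
        if m:
            replies.append((m["iface"], m["ip"], m["mac"].lower()))
    return replies


def find_duplicate_ips(replies):
    """Map (interface, ip) -> sorted list of MACs for every IP answered by more than one MAC."""
    macs_by_ip = defaultdict(set)
    for iface, ip, mac in replies:
        macs_by_ip[(iface, ip)].add(mac)
    return {key: sorted(macs) for key, macs in macs_by_ip.items() if len(macs) > 1}


def find_claims_on_own_ips(replies, own_ips):
    """Return sorted (ip, mac) pairs where another host answers for an address the FortiGate owns.

    own_ips is the set of the FortiGate's own interface addresses on that segment
    (assumed to be supplied by the operator).
    """
    return sorted({(ip, mac) for _, ip, mac in replies if ip in own_ips})


if __name__ == "__main__":
    replies = parse_arp_replies(SAMPLE_SNIFFER_OUTPUT)
    for (iface, ip), macs in find_duplicate_ips(replies).items():
        print(f"{iface}: {ip} answered by {len(macs)} MACs: {', '.join(macs)}")
    for ip, mac in find_claims_on_own_ips(replies, {"192.168.10.1"}):
        print(f"WARNING: {mac} claims FortiGate address {ip}")
```

In practice you would paste the sniffer output captured during the ping into the script's input; clearing the existing ARP entry beforehand, as mentioned in the thread, matters because the ping only triggers a request when the FortiGate has no cached entry.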

pminarik

As for fixing the current problem right now, all you can do is sniff the traffic and try to identify and remove/fix the offending device.

As for future prevention: If you have a FortiSwitch, consider deploying ARP inspection to prevent IP spoofing - https://docs.fortinet.com/document/fortiswitch/7.0.4/administration-guide/500016/dynamic-arp-inspect... .

If you have a third-party switch, check their documentation for a similar feature that you could utilize.

I don't think a lone FortiGate (using a dumb switch, or an internal switch of the FortiGate) can do anything about it on its own. (corrections welcome)

[ corrections always welcome ]