Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
jmlux
New Contributor III

Created on ‎09-02-2015 12:21 PM

Proxy ARP issues: cannot set interface, SSH different than console, documentation useless

Hi there,

 

Currently I'm struggling with understanding how you deal with Proxy ARP on the Fortigate. So far support has been of no help (reply=RTFM which is incomprehensible).

 

Usually (other vendors) you have the choice of enabling/disabling proxy ARP on an interface. Plus some minor options. That's it.

 

Now, the Fortigate requires me to set an IP and an interface. I believe to understand that I have to manually define each IP for proxy arp? I can live with that, but it is also unclear what the interface it asks for is supposed to be: * Is it the interface where the IP is actually located (which should be implicit from the routing table)? * Is it the interface where the IP should be presented with the MAC of the router (which should be implicit from the interface address)?

 

Additionally I seem to be unable to activate proxy-arp on a VLAN interface. C'mon.....

 

FGXXXX# config system proxy-arp
FGXXXX(proxy-arp) # edit 1
new entry '1' added
FGXXXX(1) # set interface
<string>    please input string value
mgmt    interface
ssl.dmgmt-vdom(SSL VPN interface)       interface

 

FGXXXX # (1) set interface "VLANX_Y"
entry not found in datasource
value parse error before 'VLANX_Y'
Command fail. Return code -3

 

Best regards,

Marki

Labels:
14591
0 Kudos
11 REPLIES 11
jmlux
New Contributor III

Created on ‎09-04-2015 08:09 AM

Oh and now I have found out that when you try to set or display proxy-arp settings (config system proxy-arp) this differs when logged in from console vs. logged in via SSH (dedicated management). Great. Now I wonder if support will get back to me like always (i.e. "that's just how it works, that's hard-coded and therefore cannot change"). [>:]

659
0 Kudos
jmlux
New Contributor III

Created on ‎09-22-2015 09:04 AM

Okay..... (holy ****) It seems that when dedicated-mgmt is configured, logging in via CLI puts you automatically in dmgmt-vdom vs. the GUI which shows you the normal vdom (root, whatever). Support is confused, they don't seem to understand that we need dedicated-mgmt only so that management is out-of-band and we don't actually want to do anything inside the dmgmt-vdom. (Even the doc says it is (supposed to be) hidden!!!) They even ask to add ports to dmgmt-vdom to configure proxy-arp (the original issue). Argh, so the answer for e.g. configuring proxy-arp is to "execute enter root" (in which case all interfaces are available again for selection) and then perform normal configuration. Still, one should find out why the CLI puts you in dmgmt-vdom by default when dedicated-mgmt is enabled, which is a stupid behavior. Let me guess what the response will be: "That's by design, hard-coded, and therefore can't be changed." Anyone else having similar discussions with support? [>:]

659
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.