FortiGate
elfaran_FTNT
Staff

Description

 

In some troubleshooting scenarios it may be necessary to review the contents of the ARP table to check Layer 2 address resolution, or to flush or modify the ARP table.

The steps below show how to check and modify the ARP table on a FortiGate.


Solution


Use the following command to display the ARP table on a FortiGate:

 

# get sys arp


An example of the output from this command is given below:

 

GW_FGT # get sys arp
Address Age(min) Hardware Addr Interface
10.40.19.180 0 00:67:68:6f:08:01 port1
172.31.131.198 0 00:67:68:6f:1a:02 port3
172.31.195.2 0 00:64:72:61:02:01 port4
172.31.131.32 2 00:64:72:61:20:01 port3
10.40.51.180 1 00:67:68:6f:08:02 port2
10.40.16.2 2 00:61:65:67:02:01 port1
10.40.31.254 0 90:6c:ac:29:ff:c9 port1


If there is no traffic to or from a specific IP, the Age value of its entry keeps incrementing.


To filter the entries shown from the ARP table, use the following commands:

 

# get sys arp | grep -f <interface name>


This filters the ARP table by interface and shows only the ARP entries bound to the specified interface.


# get sys arp | grep -f <ip address>


This filters the ARP table and shows only the ARP entry for the specified IP address.


# get sys arp | grep -f <mac address>

 

This filters the ARP table and shows only the ARP entry for the specified MAC address.
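As an added example that is not part of the original article, the following Python script parses `get sys arp` output in the format shown above and reproduces the three filters in code; it also treats an Age of `-` as a static entry (the form the article shows later for manually added entries) and lists dynamic entries whose Age has passed a threshold, which is the aging behaviour described above. The sample output and the names `SAMPLE_OUTPUT`, `ArpEntry`, `parse_arp_table`, `filter_arp` and `stale_entries` are constructed for this example.

```python
"""Parse and filter FortiGate `get sys arp` output (added example, not from the article)."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the same column layout as the article's output:
# Address Age(min) Hardware Addr Interface. The "-" age marks a static entry.
SAMPLE_OUTPUT = """\
GW_FGT # get sys arp
Address Age(min) Hardware Addr Interface
10.40.19.180 0 00:67:68:6f:08:01 port1
172.31.131.198 0 00:67:68:6f:1a:02 port3
10.40.16.2 - 00:61:65:67:02:01 port1
10.40.31.254 12 90:6c:ac:29:ff:c9 port1
"""


@dataclass
class ArpEntry:
    address: str
    age_min: Optional[int]  # None for static entries (shown as "-" in the Age column)
    mac: str
    interface: str


def parse_arp_table(text: str) -> List[ArpEntry]:
    """Turn the raw CLI output into ArpEntry objects, skipping the prompt echo and header."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows have exactly four columns; the prompt line and the header have more.
        if len(parts) != 4 or parts[0] == "Address":
            continue
        address, age, mac, iface = parts
        entries.append(ArpEntry(address, None if age == "-" else int(age), mac.lower(), iface))
    return entries


def filter_arp(entries, interface=None, address=None, mac=None) -> List[ArpEntry]:
    """Equivalent of the three `get sys arp | grep -f ...` filters from the article."""
    out = []
    for e in entries:
        if interface is not None and e.interface != interface:
            continue
        if address is not None and e.address != address:
            continue
        if mac is not None and e.mac != mac.lower():
            continue
        out.append(e)
    return out


def stale_entries(entries, max_age_min: int) -> List[ArpEntry]:
    """Dynamic entries with no recent traffic (Age above max_age_min); static entries never age."""
    return [e for e in entries if e.age_min is not None and e.age_min > max_age_min]
```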

 

To flush the complete ARP table, use the following command:

 

# execute clear system arp table


To remove a specific entry from the ARP table, use the following command:

 

# diag ip arp delete <interface> <ip address>


Example.
Below is the existing ARP table:


GW_FGT # get sys arp
Address Age(min) Hardware Addr Interface
10.40.19.180 0 00:67:68:6f:08:01 port1
10.40.16.2 0 00:61:65:67:02:01 port1
10.40.31.254 0 90:6c:ac:29:ff:c9 port1


To remove the ARP entry for 10.40.16.2, run the following command:


GW_FGT # diag ip arp delete port1 10.40.16.2

 

Then run the following command to check the ARP table again:

 

GW_FGT # get sys arp
Address Age(min) Hardware Addr Interface
10.40.19.180 0 00:67:68:6f:08:01 port1
10.40.31.254 0 90:6c:ac:29:ff:c9 port1

 

The ARP entry for 10.40.16.2 has been removed.

 

A specific entry can be added to the ARP table using two methods:


1) With this method, the FortiGate keeps the ARP entry only while the bound interface stays up and the FortiGate is not rebooted.

If the interface status changes or the FortiGate is rebooted, the entry is wiped out.

It is then necessary to add the entry again manually.


Syntax:

 

# diag ip arp add <interface> <ip> <mac address>


Example.

 

GW_FGT # diag ip arp add port1 10.40.16.2 00:61:65:67:02:01


GW_FGT # get sys arp
Address Age(min) Hardware Addr Interface
10.40.19.180 0 00:67:68:6f:08:01 port1
10.40.16.2 - 00:61:65:67:02:01 port1 <-----
10.40.31.254 0 90:6c:ac:29:ff:c9 port1

 

GW_FGT # config system interface
GW_FGT (interface) # edit port4
GW_FGT (port4) # set status down
GW_FGT (port4) # end

 

GW_FGT # get sys arp
Address Age(min) Hardware Addr Interface
10.40.19.180 0 00:67:68:6f:08:01 port1
10.40.31.254 0 90:6c:ac:29:ff:c9 port1


2) With this method, the FortiGate keeps the ARP entry permanently, because it is stored in the configuration.

The entry is removed from the table only while the respective interface is down.

 

# config sys arp
    edit 0
        set interface <interface>
        set ip <ip address>
        set mac <mac address>
end

 

Example.

 

GW_FGT # config system arp
GW_FGT (arp-table) # edit 0
new entry '0' added
GW_FGT (0) # set interface port1
GW_FGT (0) # set ip 10.40.16.2
GW_FGT (0) # set mac 00:61:65:67:02:01
GW_FGT (0) # end

 

GW_FGT # get sys arp
Address Age(min) Hardware Addr Interface
10.40.19.180 0 00:67:68:6f:08:01 port1
10.40.16.2 - 00:61:65:67:02:01 port1 <-----
10.40.31.254 0 90:6c:ac:29:ff:c9 port1