FortiGate
vrajendran
Staff
Article Id 192527

Description

 

This article describes the ARP reply setting in Virtual IP/IP Pool.

By default, the FortiGate answers ARP requests for the addresses defined in a Virtual IP or IP pool with the MAC address of the interface on which the request arrives, so the Layer 2 neighbors on that segment learn to send traffic for those addresses to the FortiGate.
 
Scope

 

FortiGate.


Solution

 

The following CLI commands disable the ARP reply for a VIP or an IP pool.
This can be useful during troubleshooting, for example when one of the VIP or IP pool addresses is also in use on another device on the same segment.
config firewall vip
    edit <name>
        set arp-reply disable (default: enable)
    next
end
 
config firewall ippool
    edit <name>
        set arp-reply disable (default: enable)
    next
end
 

'set arp-reply disable' is used when the VIP or IP pool addresses overlap with addresses owned by another device in the network. With arp-reply enabled in that situation, both the FortiGate and the other device answer ARP requests for the same address, and neighbors may alternate between the two MAC addresses. With arp-reply disabled, the FortiGate no longer answers ARP requests for the addresses defined in the VIP or IP pool; if it needs to send traffic to the unit that owns one of these addresses, it resolves the address with an ARP request of its own, like any other host. Note that with arp-reply disabled, traffic for the VIP only reaches the FortiGate if the upstream devices have a route for that address pointing at the FortiGate interface.

 

'set arp-reply enable' (the default) means that the FortiGate answers ARP requests for the IP address(es) defined in the VIP or IP pool.
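Because the FortiGate claims every arp-reply-enabled VIP and IP pool address on the segment, a practical check before enabling a new VIP or pool is to enumerate those addresses from the configuration and compare them with the addresses already owned by other devices. The script below is an added example, not Fortinet code: it parses a constructed 'config firewall vip' / 'config firewall ippool' snippet, lists the addresses the FortiGate will answer ARP for, flags the ones that collide with a constructed inventory of other hosts (OTHER_HOSTS is an assumption, not a FortiOS object), and prints the 'set arp-reply disable' CLI for the affected entry.

```python
"""Audit FortiOS VIP / IP pool entries for ARP address conflicts.

Added example, not Fortinet code. SAMPLE_CONFIG and OTHER_HOSTS are
constructed for illustration; point the parser at a real
'show firewall vip' / 'show firewall ippool' dump to use it.
"""
import ipaddress
from dataclasses import dataclass

SAMPLE_CONFIG = """\
config firewall vip
    edit "web-vip"
        set extip 203.0.113.10
        set extintf "port1"
        set mappedip "10.0.0.10"
    next
    edit "range-vip"
        set extip 203.0.113.20-203.0.113.29
        set extintf "port1"
        set arp-reply disable
        set mappedip "10.0.0.20-10.0.0.29"
    next
end
config firewall ippool
    edit "snat-pool"
        set startip 203.0.113.100
        set endip 203.0.113.110
    next
end
"""

# Constructed inventory: addresses known to belong to other devices on the segment.
OTHER_HOSTS = {"203.0.113.25": "legacy-router", "203.0.113.105": "printer"}


@dataclass
class Entry:
    kind: str                    # "vip" or "ippool"
    name: str
    first: ipaddress.IPv4Address
    last: ipaddress.IPv4Address
    arp_reply: bool = True       # FortiOS default is 'set arp-reply enable'

    def addresses(self):
        cur = int(self.first)
        while cur <= int(self.last):
            yield ipaddress.IPv4Address(cur)
            cur += 1


def _parse_range(text):
    """Accept '203.0.113.10' or '203.0.113.20-203.0.113.29'."""
    a, _, b = text.strip().strip('"').partition("-")
    return ipaddress.IPv4Address(a), ipaddress.IPv4Address(b or a)


def parse_config(text):
    """Minimal parser for the vip / ippool tables of a FortiOS config dump."""
    entries, kind, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config firewall vip":
            kind = "vip"
        elif line == "config firewall ippool":
            kind = "ippool"
        elif line == "end":
            kind = None
        elif kind and line.startswith("edit "):
            cur = {"kind": kind, "name": line[5:].strip().strip('"'), "arp_reply": True}
        elif cur is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            if key == "extip":
                cur["first"], cur["last"] = _parse_range(value)
            elif key == "startip":
                cur["first"] = ipaddress.IPv4Address(value.strip().strip('"'))
            elif key == "endip":
                cur["last"] = ipaddress.IPv4Address(value.strip().strip('"'))
            elif key == "arp-reply":
                cur["arp_reply"] = value.strip() == "enable"
        elif cur is not None and line == "next":
            if "first" in cur:
                cur.setdefault("last", cur["first"])
                entries.append(Entry(**cur))
            cur = None
    return entries


def claimed_addresses(entries):
    """Map every address the FortiGate will answer ARP for to the entries claiming it."""
    claimed = {}
    for e in entries:
        if e.arp_reply:
            for ip in e.addresses():
                claimed.setdefault(str(ip), []).append(e.name)
    return claimed


def find_conflicts(entries, other_hosts):
    """(address, claiming entries, other owner) for addresses owned elsewhere
    on the segment or claimed by more than one VIP / pool."""
    conflicts = []
    for ip, names in claimed_addresses(entries).items():
        owner = other_hosts.get(ip)
        if owner is not None or len(names) > 1:
            conflicts.append((ip, names, owner))
    return conflicts


def remediation_cli(entry):
    """CLI that stops the FortiGate answering ARP for this entry's addresses."""
    return (f"config firewall {entry.kind}\n    edit \"{entry.name}\"\n"
            f"        set arp-reply disable\n    next\nend")


if __name__ == "__main__":
    entries = parse_config(SAMPLE_CONFIG)
    by_name = {e.name: e for e in entries}
    for ip, names, owner in find_conflicts(entries, OTHER_HOSTS):
        print(f"{ip}: claimed by {', '.join(names)}; also owned by {owner}")
        for n in names:
            print(remediation_cli(by_name[n]))
```

For the sample, only 203.0.113.105 is reported: it is inside 'snat-pool', which keeps the default arp-reply, while 203.0.113.25 is inside 'range-vip', which already has arp-reply disabled and therefore is not claimed. Disabling arp-reply on the pool removes the ARP conflict, but the pool's addresses then only work if routing on the segment still delivers them to the FortiGate.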

 

Note: 

Before FortiOS 6.4.9 / 7.0.1, all IP addresses in an IP pool or VIP are treated as local IP addresses when arp-reply is enabled (following the FortiOS logic that one IP address is bound to one interface). In FortiOS 6.4.9-6.4.14 / 7.0.1-7.0.12 / 7.2.0-7.2.5 / 7.4.0, the IP pool / VIP addresses are no longer treated as local.

This change was reverted in versions 6.4.15, 7.0.13, 7.2.6 and 7.4.1. From these versions onwards, IP pool and VIP addresses are again treated as local IP addresses. Because the behaviour differs between builds within the same release train, confirm it on the exact FortiOS version in use before relying on it.

 

Related document:

IP pools