More ARP queries than expected for one device - potential issue on large WiFi networks
The FortiGate-6000 sends more ARP queries than expected because each FPC builds its own ARP table to be able to communicate with devices in the same broadcast domain or layer 2 network. (This also may result in FPCs and the management board all having different ARP tables.) This behavior does not cause a problem with most layer 2 networks. However, because the ARP traffic for all of the FPCs comes from the same mac and IP address, on networks with broadcast filtering or ARP suppression, some of the FortiGate-6000 ARP queries and replies may be suppressed. If this happens, FPCs may not be able to build complete ARP tables. An FPC with an incomplete ARP table will not be able to forward sessions to some destinations that it should be able to reach, resulting in dropped sessions.
Broadcast filtering or ARP suppression is commonly used on large WiFi networks to control the amount of ARP traffic on the WiFi network. Dropped FortiGate-6000 sessions have been seen when a FortiGate-6000 is connected to the same broadcast domain as a large WiFi network with ARP suppression.
To resolve this dropped session issue, you can remove broadcast filtering or ARP suppression from the network. If this is not an option, Fortinet recommends that you install a layer 3 device to separate the FortiGate-6000 from the WiFi network broadcast domain. ARP traffic is reduced because the FPCs no longer need to add the addresses of all of the WiFi devices to their ARP tables since they are on a different broadcast domain. The FPCs just need to add the address of the layer 3 device.