The FortiGate-7000 sends more ARP queries than expected because each FPM (processing module) builds its own ARP table so that it can communicate with devices in the same broadcast domain or layer 2 network. This behavior does not cause a problem on most layer 2 networks. However, because the ARP traffic from all of the FPMs is sent from the same MAC and IP address, to the rest of the network it looks like repeated queries from a single host. On networks with broadcast filtering or ARP suppression, some of these FortiGate-7000 ARP queries, or the replies to them, may be suppressed. If this happens, some FPMs may not be able to build complete ARP tables. An FPM with an incomplete ARP table cannot forward sessions to destinations it should be able to reach, and those sessions are dropped.
Broadcast filtering or ARP suppression is commonly used on large WiFi networks to limit the amount of ARP traffic sent over the wireless network. Dropped FortiGate-7000 sessions have been seen when a FortiGate-7000 is connected to the same broadcast domain as a large WiFi network that uses ARP suppression.
To resolve the dropped session issue, remove broadcast filtering or ARP suppression from the network. If this is not an option, Fortinet recommends installing a layer 3 device to separate the FortiGate-7000 from the WiFi network's broadcast domain. This reduces ARP traffic because the FPMs no longer need to add the addresses of all of the WiFi devices to their ARP tables: the WiFi devices are now in a different broadcast domain, so the FPMs only need to add the address of the layer 3 device.
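One way to confirm from a packet capture whether the suppression described above is happening, and later to confirm that the layer 3 device has removed it, is to correlate the ARP requests sent from the FortiGate-7000's shared address with the replies that come back for each target. Because every FPM queries from the same MAC and IP address, a healthy capture taken on the FortiGate-7000 side shows at least as many replies for a target as requests; a target that draws fewer replies than requests is a candidate for the incomplete-ARP-table problem. The following Python script is an added example, not Fortinet's code or part of the original page: it parses raw Ethernet/ARP frames with the standard library only, and the MAC addresses, IP addresses and frames it analyzes are constructed sample data standing in for a real capture.

```python
"""Correlate ARP requests and replies for one sender in a raw frame capture.

Added example (not Fortinet code). All MAC and IP addresses below are
constructed sample values; the frames are built inline so this runs offline.
"""
import socket
import struct
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_arp(frame):
    """Return the ARP fields of an Ethernet II frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sha": mac_str(sha), "spa": socket.inet_ntoa(spa),
            "tha": mac_str(tha), "tpa": socket.inet_ntoa(tpa)}


def build_arp(op, sha, spa, tha, tpa):
    """Build an Ethernet II + ARP frame; used here only to construct the sample capture."""
    eth_dst = BROADCAST if op == ARP_REQUEST else tha
    return (ETH_HDR.pack(mac_bytes(eth_dst), mac_bytes(sha), ETHERTYPE_ARP)
            + ARP_HDR.pack(1, 0x0800, 6, 4, op, mac_bytes(sha), socket.inet_aton(spa),
                           mac_bytes(tha), socket.inet_aton(tpa)))


def audit_arp(frames, sender_ip):
    """Count requests sent by sender_ip per target and replies it received per target.

    Every FPM queries from the same MAC and IP, so a target with fewer replies than
    requests means some FPMs' queries, or the replies to them, never got through.
    Returns (requests, replies, suspects) where suspects maps target -> (nreq, nrep).
    """
    requests, replies = defaultdict(int), defaultdict(int)
    for frame in frames:
        pkt = parse_arp(frame)
        if pkt is None:
            continue  # not IPv4/Ethernet ARP; ignore
        if pkt["op"] == ARP_REQUEST and pkt["spa"] == sender_ip:
            requests[pkt["tpa"]] += 1
        elif pkt["op"] == ARP_REPLY and pkt["tpa"] == sender_ip:
            replies[pkt["spa"]] += 1
    suspects = {t: (requests[t], replies.get(t, 0))
                for t in sorted(requests) if replies.get(t, 0) < requests[t]}
    return dict(requests), dict(replies), suspects


# Constructed sample capture: a chassis at 10.0.0.1 whose three FPMs all query from
# MAC 02:00:00:00:00:01. Host .20 is answered every time, .30 gets one reply for
# three queries, .40 is never answered, and one IPv4 frame is mixed in as noise.
FW_MAC, FW_IP = "02:00:00:00:00:01", "10.0.0.1"
HOSTS = {"10.0.0.20": "02:00:00:00:00:20", "10.0.0.30": "02:00:00:00:00:30"}
SAMPLE_FRAMES = (
    [build_arp(ARP_REQUEST, FW_MAC, FW_IP, "00:00:00:00:00:00", "10.0.0.20") for _ in range(3)]
    + [build_arp(ARP_REPLY, HOSTS["10.0.0.20"], "10.0.0.20", FW_MAC, FW_IP) for _ in range(3)]
    + [build_arp(ARP_REQUEST, FW_MAC, FW_IP, "00:00:00:00:00:00", "10.0.0.30") for _ in range(3)]
    + [build_arp(ARP_REPLY, HOSTS["10.0.0.30"], "10.0.0.30", FW_MAC, FW_IP)]
    + [build_arp(ARP_REQUEST, FW_MAC, FW_IP, "00:00:00:00:00:00", "10.0.0.40") for _ in range(2)]
    + [ETH_HDR.pack(mac_bytes(BROADCAST), mac_bytes(FW_MAC), 0x0800) + b"\x45" + b"\x00" * 27]
)

if __name__ == "__main__":
    reqs, reps, suspects = audit_arp(SAMPLE_FRAMES, FW_IP)
    for target, (nreq, nrep) in suspects.items():
        print(f"{target}: {nreq} requests, {nrep} replies -> possible ARP suppression")
```

In practice the frames would come from a capture on a mirror port or on the layer 2 path between the FortiGate-7000 and the WiFi network, taken on both sides of the suspected suppressing device; a target that is answered on the far side but short of replies on the FortiGate-7000 side points at the suppression. Once the layer 3 device is in place, the same audit run against a fresh capture should show the FortiGate-7000 querying only for the layer 3 device's address, with every query answered.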