Layer-2 and ARP traffic
By default, FortiGate devices don't pass layer-2 traffic. If there are layer-2 protocols such as IPX, PPTP or L2TP in use on your network, you need to configure the FortiGate interfaces to pass these protocols without blocking. Another type of layer-2 traffic is Address Resolution Protocol (ARP) traffic.
To allow layer 2 protocols - CLI:
config system interface
    edit <name_str>
        set l2forward enable
end
where <name_str> is the name of an interface.
If VDOMs are enabled, this command is per VDOM. You must set it separately in each VDOM whose interfaces need to pass layer-2 traffic, as follows:
config vdom
    edit <vdom_name>
        config system interface
            edit <name_str>
                set l2forward enable
        end
end
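Because l2forward widens what the device forwards, it is worth checking which interfaces actually have it enabled, per VDOM, rather than assuming. The following Python script is an added example (not Fortinet's code): it parses a FortiOS configuration dump in the config/edit/next/end form shown above and reports every interface with "set l2forward enable", grouped by VDOM. The VDOM and port names in the sample are constructed.

```python
# Constructed FortiOS config dump (hypothetical VDOM and port names).
SAMPLE_CONFIG = """\
config vdom
    edit root
        config system interface
            edit port1
                set l2forward enable
            next
            edit port2
                set l2forward disable
            next
        end
    next
    edit branch
        config system interface
            edit port3
                set l2forward enable
            next
        end
    next
end
"""

def l2forward_interfaces(config_text: str) -> dict[str, list[str]]:
    """Map each VDOM to the interfaces that have 'set l2forward enable'.
    Walks the config/edit/next/end nesting of a FortiOS dump so each
    setting is attributed to its interface and VDOM; interfaces outside
    any VDOM block are reported under 'global'."""
    found: dict[str, list[str]] = {}
    stack: list[tuple[str, str]] = []  # ("config", name) / ("edit", name)
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(("config", line[7:]))
        elif line.startswith("edit "):
            stack.append(("edit", line[5:].strip('"')))
        elif line == "next":            # closes the innermost edit
            while stack and stack.pop()[0] != "edit":
                pass
        elif line == "end":             # closes the innermost config (and any open edit)
            while stack and stack.pop()[0] != "config":
                pass
        elif line == "set l2forward enable":
            configs = [n for k, n in stack if k == "config"]
            edits = [n for k, n in stack if k == "edit"]
            if configs and configs[-1] == "system interface" and edits:
                vdom = edits[0] if configs[0] == "vdom" else "global"
                found.setdefault(vdom, []).append(edits[-1])
    return found
```

Feed it the output of a full configuration dump from the device to see the complete picture; interfaces that appear here but have no need to pass layer-2 protocols are candidates for setting l2forward back to disable.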
If you enable layer-2 traffic, you may experience a problem if packets are allowed to repeatedly loop through the network. This repeated looping, very similar to a broadcast storm, occurs when you have more than one layer-2 path to a destination. Traffic may overflow and bring your network to a halt. You can break the loop by enabling Spanning Tree Protocol (STP) on your network’s switches and routers.