Fortinet black logo

Handbook

Broadcast, multicast, and unicast forwarding

6.0.0
Copy Link
Copy Doc ID 4afb0436-a998-11e9-81a4-00505692583a:355975
Download PDF

In transparent mode, IPv4 packets are typically only forwarded by the FortiGate from a port to another port when a firewall policy is matched with action ACCEPT.

Below are exceptions.

  • L2 (IP) Broadcast frames forwarding:

    L2 (IP) means a L2 frame type 0x0800 (IP) or 0x0806 (ARP)
  • ARP: by default, ARP broadcasts and ARP reply packets are flooded/forwarded on all ports or VLANs belonging to the same forwarding domain, without the need of firewall policies between the ports. This default behavior is necessary to allow the population of the FDB and allow further firewall policy lookup (see section transparent mode Firewall processing for more details). This option is configurable at the interface settings level with the parameter arpforward (enabled by default).
  • Non-ARP: To forward non-ARP broadcasts, the following CLI command is used:

config system interface

edit "port2"

set broadcast-forward enable

next

end

  • L2 (IP) Multicast frames forwarding: the FortiGate does not forward frames with multicast destination MAC addresses by default. Multicast traffic such as one used by routing protocols or streaming media may need to traverse the FortiGate which should not interfere this communication.

    Fortinet recommends that the FortiGate is set up using Multicast policies. This allows for greater control and predictability on traffic behavior. However Multicast traffic may be forwarded through a transparent mode device using the multicast-skip-policy setting. This is detailed in the section Multicast processing

  • L2 (IP) Unicast frames forwarding: a frame with a unicast destination MAC address is subject to firewall processing before being forwarded (see Firewall policy look up for more details). This does not apply to ARP replies.

In transparent mode, IPv4 packets are typically only forwarded by the FortiGate from a port to another port when a firewall policy is matched with action ACCEPT.

Below are exceptions.

  • L2 (IP) Broadcast frames forwarding:

    L2 (IP) means a L2 frame type 0x0800 (IP) or 0x0806 (ARP)
  • ARP: by default, ARP broadcasts and ARP reply packets are flooded/forwarded on all ports or VLANs belonging to the same forwarding domain, without the need of firewall policies between the ports. This default behavior is necessary to allow the population of the FDB and allow further firewall policy lookup (see section transparent mode Firewall processing for more details). This option is configurable at the interface settings level with the parameter arpforward (enabled by default).
  • Non-ARP: To forward non-ARP broadcasts, the following CLI command is used:

config system interface

edit "port2"

set broadcast-forward enable

next

end

  • L2 (IP) Multicast frames forwarding: the FortiGate does not forward frames with multicast destination MAC addresses by default. Multicast traffic such as one used by routing protocols or streaming media may need to traverse the FortiGate which should not interfere this communication.

    Fortinet recommends that the FortiGate is set up using Multicast policies. This allows for greater control and predictability on traffic behavior. However Multicast traffic may be forwarded through a transparent mode device using the multicast-skip-policy setting. This is detailed in the section Multicast processing

  • L2 (IP) Unicast frames forwarding: a frame with a unicast destination MAC address is subject to firewall processing before being forwarded (see Firewall policy look up for more details). This does not apply to ARP replies.