More ARP queries than expected for one device - potential issue on large WiFi networks
The FortiGate-6000 and 7000 sends more ARP queries than expected because each FPC and FPM builds its own ARP table to be able to communicate with devices in the same broadcast domain or layer 2 network. This behavior does not cause a problem with most layer 2 networks. However, because the ARP traffic for all of the FPCs or FPMs comes from the same mac and IP address, on networks with broadcast filtering or ARP suppression, some of the FortiGate-6000 or 7000 ARP queries and replies may be suppressed. If this happens, FPCs or FPMs may not be able to build complete ARP tables. An FPC or FPM with an incomplete ARP table will not be able to forward sessions to some destinations that it should be able to reach, resulting in dropped sessions.
Broadcast filtering or ARP suppression is commonly used on large WiFi networks to control the amount of ARP traffic on the WiFi network. Dropped FortiGate-6000 or 7000 sessions have been seen when a FortiGate-6000 or 7000 is connected to the same broadcast domain as a large WiFi network with ARP suppression.
To resolve this dropped session issue, you can remove broadcast filtering or ARP suppression from the network. If this is not an option, Fortinet recommends that you install a layer 3 device to separate the FortiGate-6000 or 7000 from the WiFi network broadcast domain. ARP traffic is reduced because the FPCs or FPMs no longer need to add the addresses of all of the WiFi devices to their ARP tables since they are on a different broadcast domain. The FPCs or FPMs just need to add the address of the layer 3 device.