Administration Guide

ARP table

The ARP table is used to determine the destination MAC addresses of the network nodes, as well as the VLANs and ports that the nodes are reached from.

To view the ARP table:
# get system arp

Address           Age(min)   Hardware Addr      Interface
10.10.1.3         1          50:b7:c3:75:ea:dd internal7
192.168.0.190     0          28:f1:0e:03:2a:97 wan1
192.168.0.97      0          f4:f2:6d:37:b0:99 wan1
To view the ARP cache in the system:
# diagnose ip arp list

index=14 ifname=internal7 10.10.1.3 50:b7:c3:75:ea:dd state=00000004 use=2494 confirm=1995 update=374 ref=3
index=5 ifname=wan1 192.168.0.190 28:f1:0e:03:2a:97 state=00000002 use=88 confirm=86 update=977639 ref=2
index=22 ifname=internal 192.168.1.111 00:0c:29:c6:79:3d state=00000004 use=3724 confirm=9724 update=3724 ref=0
index=5 ifname=wan1 224.0.1.140 01:00:5e:00:01:8c state=00000040 use=924202 confirm=930202 update=924202 ref=1
index=5 ifname=wan1 192.168.0.97 f4:f2:6d:37:b0:99 state=00000002 use=78 confirm=486 update=614 ref=26
index=14 ifname=internal7 10.10.1.11 state=00000020 use=172 confirm=1037790 update=78 ref=2 
To view a summary of the ARP table:
# diagnose sys device list root

list virtual firewall root info:
ip4 route_cache: table_size=65536 max_depth=2 used=31 total=34
arp: table_size=16 max_depth=2 used=5 total=6
proxy_arp: table_size=256 max_depth=0 used=0 total=0
arp6: table_size=32 max_depth=1 used=3 total=3
proxy_arp6: table_size=256 max_depth=0 used=0 total=0
local table version=00000000 main table version=0000002b
vf=root dev=root vrf=0
vf=root dev=ssl.root vrf=0
...
vf=root dev=internal5 vrf=0
ses=0/0 ses6=0/0 rt=0/0 rt6=0/0

ARP request, cache, and reachable time

When FortiGate tries to communicate with a new destination, it must resolve the destination's MAC address. The resolution depends on the IP address of the destination:

  • Directly connected destination: ARP request is sent for the destination IP address.

  • Non-directly connected destination: ARP request is sent for the gateway IP address of the exit interface.

After the ARP request is sent and an ARP reply is received, the corresponding ARP entry is added to the ARP cache, allowing FortiOS to use the cached entries for subsequent traffic and reducing the sending of frequent ARP requests.

Entries in the ARP cache are valid for a duration equal to the actual ARP reachable time. The actual ARP reachable time is a random number between 50% and 150% of the base reachable time. The default base reachable time is 30 seconds, so the actual ARP reachable time is from 15 to 45 seconds. The actual ARP reachable time is recalculated and updated every five minutes. The frequency of ARP requests to populate the ARP cache and of unicast ARP probes to refresh the ARP cache entries depends on the base ARP reachable time.

Each ARP entry in the ARP cache includes its state and the number of objects that are currently using it. For example:

index=5 ifname=wan1 224.0.1.140 01:00:5e:00:01:8c state=00000040 use=924202 confirm=930202 update=924202 ref=1

Based on the state assigned to the ARP entry, the ARP cache determines the validity of the entry. There are multiple possible states for an ARP entry, and the state-transition mechanism can be complex. Common states include the following:

State                Meaning     Description
000000002 or 0x02    REACHABLE   An ARP response was received
000000004 or 0x04    STALE       No ARP response within the expected time
000000008 or 0x08    DELAY       A transition state between STALE and REACHABLE before probes are sent out
000000020 or 0x20    FAILED      Did not manage to resolve within the maximum configured number of probes
000000040 or 0x40    NOARP       Device does not support ARP, e.g. IPsec interface
000000080 or 0x80    PERMANENT   A statically defined ARP entry

Multiple factors affect the state-transition mechanism and whether an entry is used by other subsystems. ARP creation, ARP request/reply, neighbor lookup, routing, and others can cause an ARP entry to be in use or referenced. Regular and successful unicast ARP probes initiated by FortiGate help maintain an ARP entry in Reachable state. By default, FortiGate disables regular unicast ARP probes for the sessions that are offloaded to the network processor (NP).

To set the ARP reachable time on an interface:
config system interface
    edit port1
        set reachable-time <integer>
    next
end

reachable-time <integer>

The reachable time (30000 to 3600000, default = 30000).

ARP cache purging

An ARP cache entry that is in the STALE (0x04) or FAILED (0x20) states with no references to it (ref=0) is eligible to be removed from the ARP cache using the garbage collection mechanism. The garbage collection mechanism runs every 30 seconds, and checks and removes ARP entries that have been stale, failed, or unreferenced longer than 60 seconds. Garbage collection is also triggered when the number of ARP entries exceeds the configured threshold. If the threshold is exceeded, no entries can be added to the ARP table.
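The following is an added example, not part of the Fortinet guide: a small Python parser for the `diagnose ip arp list` output shown above that decodes the state field using the state table from this page and applies the garbage-collection rule from this section (STALE or FAILED with ref=0). The sample lines are copied from the page's own output; the reachable-time helper assumes the 50% to 150% rule and the default base of 30000 ms stated above.

```python
import re

# State values as listed in the state table on this page
ARP_STATES = {
    0x02: "REACHABLE",
    0x04: "STALE",
    0x08: "DELAY",
    0x20: "FAILED",
    0x40: "NOARP",
    0x80: "PERMANENT",
}

# Constructed sample input: lines taken from the page's diagnose ip arp list output
SAMPLE_ARP_LIST = """\
index=14 ifname=internal7 10.10.1.3 50:b7:c3:75:ea:dd state=00000004 use=2494 confirm=1995 update=374 ref=3
index=22 ifname=internal 192.168.1.111 00:0c:29:c6:79:3d state=00000004 use=3724 confirm=9724 update=3724 ref=0
index=5 ifname=wan1 224.0.1.140 01:00:5e:00:01:8c state=00000040 use=924202 confirm=930202 update=924202 ref=1
index=14 ifname=internal7 10.10.1.11 state=00000020 use=172 confirm=1037790 update=78 ref=2
"""

# The MAC address is optional: a FAILED entry has no resolved hardware address
LINE_RE = re.compile(
    r"index=(?P<index>\d+) ifname=(?P<ifname>\S+) (?P<ip>\d+\.\d+\.\d+\.\d+)"
    r"(?: (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}))? state=(?P<state>[0-9a-f]+)"
    r" use=(?P<use>\d+) confirm=(?P<confirm>\d+) update=(?P<update>\d+) ref=(?P<ref>\d+)"
)

def parse_arp_list(text):
    """Parse diagnose ip arp list output into dicts with a decoded state name."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not an ARP entry line
        d = m.groupdict()
        state = int(d["state"], 16)
        entries.append({
            "ifname": d["ifname"], "ip": d["ip"], "mac": d["mac"], "state": state,
            "state_names": [n for bit, n in ARP_STATES.items() if state & bit] or ["UNKNOWN"],
            "ref": int(d["ref"]),
        })
    return entries

def gc_eligible(entry):
    """STALE (0x04) or FAILED (0x20) with no references (ref=0) may be garbage collected."""
    return bool(entry["state"] & (0x04 | 0x20)) and entry["ref"] == 0

def reachable_time_range(base_ms=30000):
    """Actual reachable time lies between 50% and 150% of the base reachable time."""
    return base_ms // 2, base_ms * 3 // 2
```

Run against real output, `[e for e in parse_arp_list(text) if gc_eligible(e)]` lists the entries the next garbage-collection pass can remove.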

To set the maximum number of ARP entries threshold:
config system global
    set arp-max-entry <integer>
end

arp-max-entry <integer>

The maximum number of dynamically learned MAC addresses that can be added to the ARP table (131072 to 2147483647, default = 131072).

ARP/ICMP6 probing for offloaded sessions

By default, FortiOS does not regularly send ARP probes for sessions offloaded to the NP. This can cause issues in environments where a session is established and offloaded to the NP, but no traffic flows through the FortiGate for an extended period of time, causing ARP entries on the FortiGate to expire and the MAC address table of upstream or downstream devices, such as switches, to age out. When this happens, any subsequent traffic passing through the session triggers a broadcast ARP request, which is then propagated within the upstream or downstream switch network. To mitigate this, enable sending regular ARP probes for offloaded sessions.

To enable sending ARP/ICMP6 probing packets to update neighbors for offloaded sessions:
config system global
    set npu-neighbor-update enable
end

The npu-neighbor-update option is disabled by default.

Manually adding and removing ARP cache entries

To add static ARP entries:
config system arp-table
    edit 1
        set interface "internal"
        set ip 192.168.50.8
        set mac bc:14:01:e9:77:02
    next
end
To delete a single ARP entry from the ARP table:
diagnose ip arp delete <interface name> <IP address>
To clear all of the entries in the ARP table:
execute clear system arp table