ARP ( Address Resolution Protocol ) demystified

ofer shmueli
Published in Geek Culture
4 min read · Aug 19, 2021

Whenever a host needs to contact another host, either in its own subnet, in another subnet, or on the internet, it first sends an ARP (Address Resolution Protocol) request.

Screenshots were made on my FortiGate 60F https://amzn.to/2W1cHkQ

As the name suggests, the ARP request that is sent actually asks “Who has the IP address that I need to contact?”

The request is sent in the broadcast domain (or is sometimes relayed to another subnet), and the host that owns the IP address sends back its MAC address.

The MAC address is crucial in crafting the packet itself, and resolving it is one of the most important functions in IP routing.

On the other side, your FortiGate firewall has an ARP table, which holds the bindings between the different MAC addresses and IP addresses on the different interfaces. So let’s take a deeper look at the ARP table.

Sniffing ARP

Let’s start by examining the ARP requests that are being sent from our LAN.

To do so we’ll use “diag sniffer packet”, which is the FortiGate equivalent of Wireshark: a way to capture the packets that travel between the different interfaces and examine what is happening.

When we examine packets, we can use filters to capture specific traffic.

Here we will not use any filter, only the port name and the verbosity level:

“diag sniffer packet port2 none 4”

Press enter and you can see the different ARP requests: “who has that IP address”.

The IP address being requested is the gateway address.

Now let’s look at some other commands.

The first command that you can use is the:

“get system arp”

Here you can see the IP addresses, the MAC addresses, and the associated interfaces.

The second command shows the ARP table cache:

“diag ip arp list”

As stated in the Fortinet documentation, the default ARP timeout value is 5 minutes (300 seconds) and can vary depending on the state of the ARP entry and the objects that are using it. With this command we can see the ARP cache and the different states of its entries (ARP was received, the device does not support ARP, and so on).

Our third command limits the size of the ARP table.

We start with “config system global”; following that, we set the maximum ARP entry option, where we enter an integer with the number of entries.

Moving on, there are times when you need to delete the whole ARP table.

For that we use “execute clear system arp table”.

Now let’s look at the system ARP table again. And yep, we have only one ARP entry, whose age in minutes is zero, so it was just learned.

The last command that we will look at is “config system arp table”.

Here we can add specific IP addresses and bind a specific MAC address to each of them according to our needs: we set the interface to port2, enter the IP address and the MAC address, and associate them together.
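The two commands above give a defender everything needed to audit the ARP table: the learned entries from “get system arp” and the static bindings from “config system arp table”. The following script is an added example, not from the post or from Fortinet; it assumes the column layout of “get system arp” (Address, Age(min), Hardware Addr, Interface) and uses constructed sample output and constructed static bindings. It flags entries whose MAC differs from the configured static binding and MACs that claim several IPs on one interface, both of which are worth a look when ARP spoofing is suspected.

```python
import re
from collections import defaultdict

# Constructed sample in the assumed layout of FortiGate "get system arp".
SAMPLE_ARP = """\
Address           Age(min)   Hardware Addr      Interface
192.168.1.1       0          00:09:0f:aa:bb:01  port2
192.168.1.20      3          3c:52:82:11:22:33  port2
192.168.1.21      1          3c:52:82:11:22:33  port2
10.0.0.5          2          00:1a:2b:3c:4d:5e  port1
"""

# Constructed static bindings, mirroring what would be set under
# "config system arp table": (interface, ip) -> expected MAC.
STATIC_BINDINGS = {
    ("port2", "192.168.1.1"): "00:09:0f:aa:bb:01",
    ("port2", "192.168.1.20"): "3c:52:82:44:55:66",
}

# One data row: IP, age in minutes, MAC (6 colon-separated octets), interface.
ENTRY_RE = re.compile(r"^(\S+)\s+(\d+)\s+([0-9a-f:]{17})\s+(\S+)$", re.I)


def parse_arp_table(text):
    """Parse the ARP table text into dicts; the header row does not match."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            ip, age, mac, iface = m.groups()
            entries.append({"ip": ip, "age": int(age), "mac": mac.lower(), "iface": iface})
    return entries


def find_anomalies(entries, static_bindings):
    """Return findings: static-binding mismatches and MACs shared by several IPs."""
    findings = []
    by_mac = defaultdict(set)
    for e in entries:
        by_mac[(e["iface"], e["mac"])].add(e["ip"])
        expected = static_bindings.get((e["iface"], e["ip"]))
        if expected and expected.lower() != e["mac"]:
            findings.append(("mismatch", e["iface"], e["ip"], e["mac"], expected.lower()))
    # A MAC answering for several IPs can be legitimate (a router, a host with
    # secondary addresses), so this is a review queue, not a verdict.
    for (iface, mac), ips in by_mac.items():
        if len(ips) > 1:
            findings.append(("shared-mac", iface, mac, tuple(sorted(ips))))
    return findings
```

On the constructed sample this reports a mismatch for 192.168.1.20 and one MAC that is answering for both 192.168.1.20 and 192.168.1.21 on port2.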

Learn more about how to administer your FortiGate firewall in my book “Fortigate firewall admin pocket guide” https://amzn.to/37Zobbn
