strange firewall behaviour

At my workplace there are two networks. One network is connected to the internet through a Linux firewall and the other net is connected to the internet over a Fortigate firewall (Fortigate 50 or Fortigate 60). I administer the Linux firewall and I have no rights on the Fortigate firewall; I don't even know exactly which model it is - the only thing I know is the MAC address and the price - therefore I think it's a Fortigate 50 or 60.

But I see some strange things in the log file of my Linux firewall coming from the Fortigate box. Both machines - my Linux firewall and the Fortigate box - are in the same public net. For example my Linux box has the IP address in the net and the Fortigate box has . So I can see osi2 and osi3 broadcasts. (The IP addresses are examples and not the real ones.)

I see a large amount of ARP requests coming from this Fortigate machine:

arp who-has tell arp who-has tell arp who-has tell arp who-has tell arp who-has tell arp who-has tell arp who-has tell arp who-has tell arp who-has tell arp who-has tell ....

Strange, isn't it? The Fortigate box asks for the osi2 addresses of machines that the people behind the firewall try to contact!

What I would now like to understand:

- Is this a feature of the Fortigate box (perhaps because the box is under heavy load - Fortigate 50 & 60 are small-business firewalls and this box has to serve about 40-60 clients)?

- Or is this because of misconfiguration? (Perhaps: the Fortigate has an Ethernet port each for inside, outside and DMZ - perhaps they (the admins!) have plugged the cable into the wrong port - the DMZ port and not the outside port?)

- Has anybody seen the same and knows the reason?

What else I see in my firewall log are packets with source and, UDP, SPT 68, DPT 67, TTL 128

- okay, a DHCP request coming from a Windows machine. But I also see the MAC address of the asking machine. (I asked the Fortigate admins if they have a machine with this MAC address in their inner net and they said "yes".) I now wonder why the Fortigate is routing this packet? A packet with source and dest - with the original MAC??

What is going on there??

Thanks very much for any reply.


Andreas Schweighofer
This is strange. Usually you see more firewall-to-default-router and local-subnet ARPs. These are strange... Do they have many subnets behind them?

The only way I could think of to explain this is if they are doing a bridging firewall setup. I have a cable modem and do the same thing with a FreeBSD firewall. I do this because my static IP is on a different subnet than my dynamic IP addresses (Static = my server, and Dynamic are my desktops)... So in this setup you will see the DHCP packets with the original MAC addresses...

Michael J. Pelletier

On Sat, 19 Mar 2005 23:37:30 -0800, Michael J. Pelletier wrote:

Not many - inside the Fortigate firewall there are two or three subnets, all using private IPs somewhere in the range 192.168/16 (and there are about 30-60 clients).

Did I understand this correctly - your cable modem is the DHCP server and you have to get the DHCP communication over your firewall, which comes after the cable modem?

When the Fortigate admins speak of "their" firewall they always say "it is a hardware firewall". I don't know what they understand by a "hardware firewall", but perhaps it is also a bridging firewall and they don't know how to configure it correctly?
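The two symptoms discussed in this thread (the Fortigate ARPing for addresses its inside clients want to reach, and DHCP client broadcasts arriving with the client's own MAC) can be picked out of a firewall log mechanically. The script below is an added example, not code from anyone in the thread: it reads constructed tcpdump-style ARP lines and iptables LOG lines, and the subnet, the neighbouring firewall's MAC and every address in it are made up.

```python
"""Flag two symptoms of a neighbouring firewall running in bridge mode: ARP
who-has for addresses outside the shared public subnet, and DHCP client
broadcasts (UDP 68 -> 67) that still carry the client's own MAC."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample input: tcpdump-style ARP lines plus iptables LOG
# lines; every address and MAC here is made up for this example.
SAMPLE_LINES = """\
arp who-has 203.0.113.1 tell 203.0.113.3
arp who-has 198.51.100.20 tell 203.0.113.2
arp who-has 192.0.2.80 tell 203.0.113.2
arp who-has 198.51.100.21 tell 203.0.113.2
IN=eth0 MAC=ff:ff:ff:ff:ff:ff:00:0c:29:aa:bb:cc:08:00 SRC=0.0.0.0 DST=255.255.255.255 TTL=128 PROTO=UDP SPT=68 DPT=67
IN=eth0 MAC=ff:ff:ff:ff:ff:ff:02:00:00:00:00:01:08:00 SRC=0.0.0.0 DST=255.255.255.255 TTL=64 PROTO=UDP SPT=68 DPT=67
""".splitlines()
LOCAL_NET = "203.0.113.0/24"            # public subnet both firewalls share
NEIGHBOUR_FW_MAC = "02:00:00:00:00:01"  # assumed MAC of the other firewall

ARP_RE = re.compile(r"arp who-has (\S+) tell (\S+)")
# iptables LOG writes MAC=<dst mac>:<src mac>:<ethertype>; capture src mac
LOG_RE = re.compile(r"MAC=(?:[0-9a-f]{2}:){6}((?:[0-9a-f]{2}:){5}[0-9a-f]{2}):"
                    r".*SRC=(\S+) DST=(\S+).*SPT=(\d+) DPT=(\d+)")

def offsubnet_arp(lines, local_net):
    """Map each ARP sender to the targets it asked for outside local_net.
    A host routing normally only ARPs for its own subnet and gateway; a
    bridging box ARPs for whatever its inside clients try to reach."""
    net = ipaddress.ip_network(local_net)
    hits = defaultdict(set)
    for line in lines:
        m = ARP_RE.search(line)
        if m and ipaddress.ip_address(m.group(1)) not in net:
            hits[m.group(2)].add(m.group(1))
    return {sender: sorted(targets) for sender, targets in hits.items()}

def bridged_dhcp(lines, firewall_mac):
    """Return source MACs of DHCP client broadcasts (SPT 68 -> DPT 67)
    that were not rewritten to the neighbouring firewall's own MAC."""
    leaked = set()
    for line in lines:
        m = LOG_RE.search(line)
        if m and (m.group(4), m.group(5)) == ("68", "67") \
                and m.group(1).lower() != firewall_mac.lower():
            leaked.add(m.group(1).lower())
    return sorted(leaked)

if __name__ == "__main__":
    print("off-subnet ARP by sender:", offsubnet_arp(SAMPLE_LINES, LOCAL_NET))
    print("DHCP frames with client MAC:", bridged_dhcp(SAMPLE_LINES, NEIGHBOUR_FW_MAC))
```

On real input, feed it the `tcpdump -n arp` output and the iptables LOG lines from the Linux firewall; a single sender with many off-subnet targets plus DHCP frames carrying foreign MACs is the bridging signature Michael describes.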