Detailed sequence:
1) SYN is sent from the Client to the Master internal interface; the destination MAC is the internal Virtual MAC address (V_MAC_Inter).
2) SYN is redistributed to the Slave internal interface. The source MAC is Phy_MAC_inter and the destination MAC is the Slave internal physical MAC address (Phy_MAC_Inter).
3) SYN is forwarded from the internal interface to the external interface and on to the external switch connected to the Server.
4) SYN/ACK is sent from the Server to the Master external interface.
5) SYN/ACK is redistributed to the Slave (the source MAC address is the Master virtual MAC address (Phy_MAC_external) and the destination MAC address is the Slave external physical MAC (Phy_MAC_Exter)).
6) SYN/ACK is forwarded from the Slave external interface to the internal interface, toward the internal switch and the Client.
7) ACK is sent from the Client to the Master internal interface.
8) ACK is redistributed to the Slave.
9) ACK is forwarded from the internal interface to the external interface, toward the external switch and the Server.
10) The TCP three-way handshake completes.
Note:
The Client and the Server are not aware of the existence of the Slave FortiGate.
The ARP tables of both devices point only to the Virtual MAC address, internal and external respectively.
In case of failover, FGT2 becomes Master and broadcasts its VMAC address out to Switches 1 and 2, which update their MAC forwarding tables. The ARP entries on both the Client and the Server remain the SAME.
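The following is an added illustration (not Fortinet code) that models the layer-2 side of the flow and note above: the client and server resolve the virtual MACs once, the switches learn which physical port currently carries those MACs, and a failover only refreshes the switch tables. The MAC addresses and port names are assumptions chosen for the model.

```python
from dataclasses import dataclass, field

# Assumed virtual MAC addresses (constructed values, not from a real cluster).
V_MAC_INTER = "00:09:0f:09:00:01"
V_MAC_EXTER = "00:09:0f:09:00:02"


@dataclass
class Switch:
    """Learning switch: maps a MAC to the port it was last seen on."""
    name: str
    table: dict = field(default_factory=dict)

    def learn(self, src_mac: str, port: str) -> None:
        self.table[src_mac] = port

    def port_for(self, dst_mac: str) -> str:
        return self.table.get(dst_mac, "flood")


class Cluster:
    """Two FortiGates in A-A HA; only the Master owns the virtual MACs."""

    def __init__(self) -> None:
        self.sw_internal = Switch("Switch1")
        self.sw_external = Switch("Switch2")
        self.ports = {"FGT1": "port1", "FGT2": "port2"}  # assumed switch ports
        self.master = "FGT1"
        # Client and Server resolve the gateway once; the ARP entries hold the VMACs.
        self.client_arp = {"10.0.0.1": V_MAC_INTER}   # constructed gateway IP
        self.server_arp = {"192.0.2.1": V_MAC_EXTER}  # constructed gateway IP
        self.announce()

    def announce(self) -> None:
        """Master broadcasts the VMACs, so each switch learns the Master's port."""
        port = self.ports[self.master]
        self.sw_internal.learn(V_MAC_INTER, port)
        self.sw_external.learn(V_MAC_EXTER, port)

    def failover(self) -> None:
        """Promote the other unit to Master and re-announce the VMACs."""
        self.master = "FGT2" if self.master == "FGT1" else "FGT1"
        self.announce()

    def state(self) -> dict:
        return {
            "master": self.master,
            "internal_port": self.sw_internal.port_for(V_MAC_INTER),
            "external_port": self.sw_external.port_for(V_MAC_EXTER),
            "client_arp": dict(self.client_arp),
            "server_arp": dict(self.server_arp),
        }
```

Calling `failover()` and comparing `state()` before and after shows the switch ports moving from port1 to port2 while both ARP dictionaries are unchanged.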
Related document:
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/678636/nat-mode-a-a-packet-flow
Scope
All FortiOS
Copyright 2024 Fortinet, Inc. All Rights Reserved.